You Cannot Govern AI Usage You Cannot See.
Patchly’s AI Exposure Assessment quantifies how generative AI tools are being accessed across your managed Windows estate – using the Microsoft security stack you already own. A fixed-scope engagement that delivers an evidence-based governance baseline your board, your insurers, and your auditors can act on.
- Microsoft-Native – No Additional Platform Required
- Fixed Scope – 15 Business Days
- Services-Led – Your Data Stays in Your Tenant
The Problem Hiding in Your Estate
Generative AI tools are now used at scale inside most organizations without IT oversight. Employees paste contract language, customer data, source code, and strategic documents into ChatGPT, Gemini, Claude, Grok, Perplexity, DeepSeek, and dozens of smaller services. Many are used through personal accounts or unsanctioned services, outside the enterprise protections the organization would normally require.
Leadership teams typically discover this exposure only after a specific incident, a regulator inquiry, or a customer security questionnaire that asks the question they cannot answer. By that point the conversation is reactive – and the answer needs to be evidenced, not estimated.
The heavyweight platforms that address the problem in full – Microsoft Purview DSPM for AI, Zscaler, Netskope, AI-specific vendors – all require either a substantial license uplift or a six-figure platform purchase. Most organizations need to know the scale of the problem before making an investment of that size.
AI governance also crosses the IT, legal, HR, and business boundary in most organizations. Nobody owns it cleanly. Each function needs evidence the others can use to make their own decisions – not opinions, not estimates, not a vendor’s marketing-flavored risk score.
What We Do
AI exposure governance is straightforward in principle and messy in practice. Patchly takes ownership of the discovery, the analysis, and the governance baseline – so you go from “we don’t know” to “we have evidence” without standing up the operational capability internally.
Discovery
We deploy audit-mode policies in your existing Microsoft Defender environment to identify which generative AI services are being reached, by which users and devices, and how often. Ninety days of historical matching where supported. Optional firewall log analysis where available. No production blocking, no user-facing disruption.
Governance Readiness
We classify discovered AI services as approved, tolerated, blocked, or needs-review against the Defender for Cloud Apps risk catalog. We produce a sequenced control roadmap mapped to your existing license footprint, and a policy considerations memo that flags the legal, HR, and contractual decisions your organization needs to make.
Telemetry Uplift (optional)
For organizations with richer Microsoft licensing, we can extend the Assessment with MDCA Cloud Discovery, advanced hunting via KQL, or Purview DSPM for AI activation in audit mode. Each capability is subject to a pre-flight validation gate – if your tenant cannot support it, the corresponding fee is rebated and the core Assessment proceeds.
What We Measure – and What We Do Not
Many shadow-AI claims overstate what endpoint and network telemetry can prove. We are precise about what can be evidenced, what cannot, and what would close any gap that matters to you. This is what allows your team to defend the Assessment’s conclusions to the board, your insurers, and your auditors.
Standard Scope Statement
This Assessment measures observable generative-AI service access from managed endpoints using Microsoft-native telemetry available in your environment. It identifies which known AI services were reached, by which users and devices, and how often. It produces a risk-scored inventory, a governance baseline, and a recommended control roadmap.
This Assessment does not inspect prompt content, file uploads, or the contents of SaaS sessions. It also does not reliably detect AI features embedded inside otherwise sanctioned applications, such as AI features within personal Gmail, Google Workspace, Microsoft 365, or other authenticated SaaS platforms. Those gaps require content-level controls, addressed separately through Patchly’s Protection service where technically and contractually available.
What You Receive
Five deliverables, each with a clear audience and a clear purpose.
- Executive Briefing Deck (Board, C-suite): Risk and exposure framing for your leadership team.
- Technical Evidence Pack (IT and security): The defensible record, with explicit observed / inferred / not-evidenced classification.
- AI Tools Register (Governance, IT): Discovered AI services classified as approved, tolerated, blocked, or needs-review.
- Control Recommendations (IT and security): A phased plan – audit, warn, block – mapped to your existing license footprint.
- Policy Considerations Memo (Legal, HR, governance): The decisions your legal and HR functions need to make. Not a drafted policy.
Fifteen Business Days. Four Phases.
A clear, fixed schedule from kickoff to executive briefing. Predictable cadence, predictable outcome.
- Phase 1 (Days 1–2): Kickoff and Validation. Workshop with your sponsor and technical lead. Validation of prerequisites, scope, and access. Confirmation of currently sanctioned, tolerated, and prohibited AI tools.
- Phase 2 (Days 3–8): Signal Collection. Activation of the discovery stack in your tenant. Audit-mode policies for URL indicators and Web Content Filtering, with 90-day historical matching where supported.
- Phase 3 (Days 9–10): Analysis. Tool inventory consolidation, risk scoring, per-user and per-department breakdown, evidence and inference classification.
- Phase 4 (Days 11–15): Reporting and Briefing. Draft deliverables reviewed with your sponsor. Final deliverables issued. Executive briefing delivered to your leadership team.
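The Phase 3 analysis step and the observed / inferred / not-evidenced classification in the Technical Evidence Pack are the parts of the engagement a security team can reason about concretely. The following Python is an added illustration, not Patchly's tooling or code: it consolidates a handful of constructed rows shaped like a Defender advanced-hunting `DeviceNetworkEvents` export (column names are assumed from the public schema) into a register of AI services, labels each service by evidence strength, and breaks usage down by user, device and department. The host catalog, governance classes, department map and the evidence convention (a completed connection counts as observed, a mere connection request or failure as inferred, no matching event as not-evidenced) are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed catalog of known generative-AI hosts -> (service, governance class).
# Classes follow the page's approved / tolerated / blocked / needs-review register;
# hostnames and class assignments are illustrative assumptions, not a vendor catalog.
AI_CATALOG = {
    "chatgpt.com": ("ChatGPT", "tolerated"),
    "chat.openai.com": ("ChatGPT", "tolerated"),
    "gemini.google.com": ("Gemini", "needs-review"),
    "claude.ai": ("Claude", "approved"),
    "chat.deepseek.com": ("DeepSeek", "blocked"),
    "www.perplexity.ai": ("Perplexity", "needs-review"),
}

# Constructed user -> department map (in practice this would come from the directory).
DEPARTMENTS = {"alice": "Legal", "bob": "Engineering", "carol": "Engineering", "dave": "Sales"}

# Constructed rows mimicking a DeviceNetworkEvents export (column names assumed).
SAMPLE_EVENTS = [
    {"DeviceName": "lt-001", "InitiatingProcessAccountName": "alice",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "chatgpt.com"},
    {"DeviceName": "lt-001", "InitiatingProcessAccountName": "alice",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "chatgpt.com"},
    {"DeviceName": "lt-002", "InitiatingProcessAccountName": "bob",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "claude.ai"},
    {"DeviceName": "lt-002", "InitiatingProcessAccountName": "bob",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "api.claude.ai"},
    {"DeviceName": "lt-003", "InitiatingProcessAccountName": "carol",
     "ActionType": "ConnectionRequest", "RemoteUrl": "chat.deepseek.com"},
    {"DeviceName": "lt-003", "InitiatingProcessAccountName": "carol",
     "ActionType": "ConnectionFailed", "RemoteUrl": "gemini.google.com"},
    {"DeviceName": "lt-004", "InitiatingProcessAccountName": "dave",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "www.google.com"},  # not an AI host
]


def catalog_match(host, catalog=AI_CATALOG):
    """Return (service, class) when host equals or is a subdomain of a catalog entry."""
    host = (host or "").lower().rstrip(".")
    for known, entry in catalog.items():
        if host == known or host.endswith("." + known):
            return entry
    return None


def evidence_level(action_type):
    """Example convention (assumption): completed connection = observed,
    attempted or failed connection = inferred, anything else = no evidence."""
    if action_type == "ConnectionSuccess":
        return "observed"
    if action_type in ("ConnectionRequest", "ConnectionFailed"):
        return "inferred"
    return None


@dataclass
class ToolRecord:
    service: str
    governance: str
    observed: int = 0
    inferred: int = 0
    users: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    by_department: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def evidence(self):
        """Strongest evidence class seen for this service."""
        if self.observed:
            return "observed"
        if self.inferred:
            return "inferred"
        return "not-evidenced"


def build_register(events, catalog=AI_CATALOG, departments=DEPARTMENTS):
    """Consolidate raw network events into one record per catalogued service."""
    register = {svc: ToolRecord(svc, cls) for svc, cls in catalog.values()}
    for ev in events:
        match = catalog_match(ev.get("RemoteUrl"), catalog)
        level = evidence_level(ev.get("ActionType"))
        if match is None or level is None:
            continue
        rec = register[match[0]]
        user = ev.get("InitiatingProcessAccountName", "")
        if level == "observed":
            rec.observed += 1
        else:
            rec.inferred += 1
        rec.users.add(user)
        rec.devices.add(ev.get("DeviceName", ""))
        rec.by_department[departments.get(user, "Unknown")] += 1
    return register


def department_breakdown(register):
    """Total AI-service hits (observed + inferred) per department."""
    totals = defaultdict(int)
    for rec in register.values():
        for dept, n in rec.by_department.items():
            totals[dept] += n
    return dict(totals)


def blocked_with_evidence(register):
    """Services classed 'blocked' that nonetheless have any evidence of access."""
    return sorted(r.service for r in register.values()
                  if r.governance == "blocked" and r.evidence != "not-evidenced")


if __name__ == "__main__":
    reg = build_register(SAMPLE_EVENTS)
    for rec in reg.values():
        print(f"{rec.service:<11} {rec.governance:<12} {rec.evidence:<14} "
              f"observed={rec.observed} inferred={rec.inferred} users={sorted(rec.users)}")
    print("by department:", department_breakdown(reg))
    print("blocked but seen:", blocked_with_evidence(reg))
```

The point of keeping observed and inferred counts separate is exactly the page's caveat: a failed or merely requested connection shows intent, not a session, and a service with no matching event is not proven absent, only not evidenced by this telemetry. Subdomain matching is suffix-anchored (`api.claude.ai` matches, `notclaude.ai` does not) so that a catalog entry cannot over-match unrelated hosts.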
Who This Assessment Is For
Designed for Microsoft-centric mid-market organizations that already have the foundational stack in place.
Strong Fit
- 250 to 2,500 Windows endpoints
- Microsoft Entra ID for identity
- Microsoft 365 Business Premium, E3, or E5
- Defender for Endpoint or Defender for Business onboarded
- Microsoft Intune managing the estate
We Can Also Serve – at Adjusted Scope and Pricing
- Organizations under 250 endpoints (Starter band)
- Multi-tenant or multi-region environments (Custom)
- Mac estates exceeding 10 percent of Windows endpoint count
- Organizations with mixed identity platforms
Part of a Bigger Picture
The Assessment is a one-off engagement. For organizations that want to maintain visibility or move into operational controls, Patchly can scope follow-on services in two areas.
Ongoing Visibility
AI Usage Monitoring
Monthly subscription. Continuous discovery using the same Microsoft-native sources as the Assessment. Monthly reporting on new tools, usage trends, and risk-score changes. Quarterly catalog refresh. For organizations that want continuous awareness without building the operational capability internally.
Operational Controls
AI Protection
Patchly designs, deploys, tunes, and refreshes Microsoft Purview AI policies on your existing licenses. You retain alert response; we handle the policy engineering. Requires Microsoft 365 E5 or Compliance E5, licensed directly from Microsoft. We do not resell or build content-inspection technology.
Both follow-on services are optional. The Assessment is commercially viable as a standalone engagement and produces a complete deliverable set regardless of whether you choose to continue.
Get the Service Description
The full ten-page service description – scope, deliverables, prerequisites, pricing bands, and the validation gates that govern the optional telemetry uplift. We will email you a link, or you can email us directly at hello@patchly.ai.
Diagnostic: AI Exposure Readiness Check
A short diagnostic to see where your environment stands and what the likely findings will be. Eleven questions across four sections – environment, what is prompting this, your AI landscape, and where Copilot fits. Three to four minutes.
At the end you will see a personalized readiness profile and a clear next step. Email is optional, and you can skip it and still see your results.
Find Out What Your Estate Is Doing With AI.
Book a thirty-minute scoping call. We will confirm fit, walk through your specific environment, and outline an engagement that matches your timing and budget.