AI Critical Exposure Assessment — Adesanya AI Advisory

Question 01 / 03

When a user revokes GDPR consent, how quickly do your AI systems stop processing their data?

This is the runtime consent check — the gap most enterprises cannot answer precisely.

Within the same session — we have real-time consent enforcement

Live consent token validation at the point of AI execution

Within hours — we sync consent status periodically

Batch or scheduled updates, not real-time enforcement

We're not certain — consent revocations aren't tracked at the AI layer

Policy exists but isn't enforced technically at runtime

Question 02 / 03

Can your DPO produce a verifiable audit trail of every AI decision made in the last 6 months?

EU AI Act Article 26(6) requires deployers to retain logs for a minimum of 6 months. The burden of proof sits with you.

Yes — tamper-evident, timestamped logs ready for regulatory submission

Cryptographically signed records, retained and accessible

Partially — we have some logs but they're incomplete or not structured for audit

Logs exist but wouldn't satisfy a DPC or AI Office inspection

No — AI decisions are not systematically logged at this level

No structured audit trail currently in place

Question 03 / 03

If an employee sends personal data to a third-party AI API at 3am, could you detect and block it?

The Runtime Execution Gap — the moment data leaves your network perimeter, the breach has already occurred.

Yes — a runtime enforcement layer intercepts and validates before data leaves

Active technical controls, not just policy

We would detect it after the fact — but not prevent it in real time

Monitoring exists, but enforcement is retrospective

No — we rely on employee policy and training, not technical enforcement

Passive controls only — the breach would occur before detection

Your AI Critical Exposure
Assessment