Question 1

What is Shadow AI and why is it a risk?

Accepted Answer

Shadow AI refers to AI tools and applications that employees use without formal IT or procurement approval — such as ChatGPT, Midjourney, or Grammarly used for work tasks. Shadow AI is a risk because it may process confidential data, violate GDPR or DORA data-handling rules, introduce unvetted AI sub-processors, and create undisclosed third-party dependencies that regulators now require firms to disclose and manage.

Question 2

How does RiskImmune discover Shadow AI tools?

Accepted Answer

RiskImmune connects read-only to Google Workspace or Microsoft 365 via OAuth and scans OAuth-approved app permissions, installed browser extensions, SSO logins, and SaaS subscription spend. It identifies every AI tool in use across the organisation in under 60 seconds — no agents, no IT project required.

Question 3

How does RiskImmune help with DORA compliance?

Accepted Answer

RiskImmune automates DORA Article 28 compliance by maintaining a live ICT Third-Party Register of all AI vendors and technology providers, scoring concentration risk, flagging critical ICT providers, and generating the register in the exact format regulators require. It also produces DORA incident reporting templates and continuous ICT risk monitoring evidence.

Question 4

What is the difference between TPRM and GRC?

Accepted Answer

GRC (Governance, Risk and Compliance) is the broad discipline covering an organisation's entire risk posture — policies, internal controls, regulatory compliance (ISO 27001, NIS2, DORA, SOC 2), and board reporting. TPRM (Third-Party Risk Management) is a subset that focuses specifically on risks introduced by vendors, suppliers, and technology partners. RiskImmune covers both: its GRC module manages internal compliance frameworks while its TPRM module automates vendor risk scoring using 200+ OSINT signals.

Question 5

How quickly can I see results with RiskImmune?

Accepted Answer

The Free Shadow AI Scan delivers a full AI exposure report within 60 seconds of connecting your Google Workspace or Microsoft 365 account. Vendor risk assessments using the AI auto-grader produce scored results in minutes rather than the weeks typically required for manual questionnaire-based assessments. Compliance gap reports against DORA, NIS2, and ISO 27001 are generated immediately upon onboarding.

Question 6

Is RiskImmune suitable for small businesses or only enterprises?

Accepted Answer

RiskImmune offers a free Starter tier with self-serve Shadow AI scanning that suits small and mid-size businesses with no upfront cost. The Pro plan at €149/month covers growing teams needing continuous compliance monitoring. Enterprise plans from €15,000/year serve large regulated organisations, financial institutions, and critical infrastructure operators with full DORA, NIS2, and MAS TRM requirements.

Question 7

Which compliance frameworks does RiskImmune support?

Accepted Answer

RiskImmune supports DORA (Digital Operational Resilience Act) including Articles 28–30, NIS2 Directive Article 21, ISO 27001:2022 Annex A controls, GDPR Article 28 data processor obligations, SOC 2 Trust Service Criteria, MAS TRM (Monetary Authority of Singapore Technology Risk Management), and the EU AI Act governance requirements. Controls are pre-mapped so compliance evidence is generated automatically.

Question 8

How does RiskImmune score vendor risk?

Accepted Answer

RiskImmune scores vendor risk using over 200 OSINT signals gathered automatically — including security posture data from external scanners, breach history, regulatory enforcement actions, data privacy policies, sub-processor disclosures, and financial stability indicators. Scores are mapped to Critical, High, Medium, and Low risk levels and updated continuously so risk teams always have a current view without manual questionnaire chasing.