
AI Audit & Assessment Report
— Forge Marketing Group

Prepared by Purely Works · June 2026 · Confidential

Overall Score: 2.0 / 5.0
Maturity Stage: Reactive
AI Inventory: 17 Tools

This is a sample report for a fictional company. All data is illustrative.

Executive Summary

Forge Marketing Group is in a reactive AI posture — a state where AI tools are actively being used across the business without any formal strategy, governance, or oversight. Our assessment found 17 distinct AI tools in active use across content creation, client communication, design work, and internal operations. Of these, only 5 have been formally reviewed and sanctioned by leadership.

The most urgent finding is the presence of 4 HIGH-risk exposures involving client confidential data. Multiple team members routinely share client briefs, campaign budgets, competitive strategies, and financial projections with consumer-tier AI products that have no data processing agreements and may use conversation data for model training. This is a direct violation of most client NDAs and creates significant legal liability.

Beyond immediate risk, we identified three significant opportunities where structured AI adoption would deliver measurable value: a formalized content production system, an internal knowledge base with AI assistance, and a complete client data protection protocol. Together, these initiatives represent $847,000 in 24-month projected value against a total investment of approximately $37,400 — a payback period of under 4 months.

The good news: Forge is not behind. Most B2B agencies at this stage of growth have the same shadow-AI problem. The difference between companies that thrive with AI and those that face regulatory or reputational damage is almost always a matter of governance — not tool selection. This roadmap gives Forge a clear path from reactive to strategic.

Top 3 Opportunities
  1. Immediate risk elimination — A free, 6-week data protection protocol stops the HIGH-risk exposures before they become incidents. No budget required.
  2. Content production at scale — A structured AI content workflow saves 340 hours per year ($34K value) and creates a repeatable, quality-controlled system across all client accounts.
  3. Knowledge base + AI assistant — Cuts onboarding time from 90 to 30 days and recovers ~$180K/yr in productivity, with a payback period of 1.3 months.

Risk Summary
  • High Risk: 4 (Immediate action required)
  • Medium Risk: 5 (Address within 90 days)
  • Low Risk: 8 (Monitor & document)

Deliverable 1 AI Tool Inventory

We identified 17 AI tools in active use across Forge Marketing Group — spanning content creation, client communication, design, and operations. Of these, only 5 are formally sanctioned by leadership. The remaining 12 are in use without policy review, vendor agreements, or data handling controls.

Tool | Use Case | Risk Level | Sanctioned | Notes
ChatGPT | Content writing | High | No | Client briefs, campaign strategies, and budget data routinely shared without data retention controls
ChatGPT | Ad copy generation | High | No | Same consumer-tier exposure; client competitive data at risk
ChatGPT | Email sequences | High | No | Client contact data and messaging strategy exposed to consumer product
Midjourney | Brand imagery | Medium | No | IP ownership of generated images unclear; public by default on free tier
DALL-E | Social media assets | Medium | No | Used for client deliverables without IP rights review
Jasper | Content at scale | Medium | No | No enterprise agreement; client brand data entered without controls
Grammarly | Proofreading | Low | ✓ Yes | Business plan with DPA in place
Notion AI | Internal docs | Low | ✓ Yes | Used for internal knowledge only; low client data exposure
Otter.ai | Client call transcription | Medium | No | Recording clients without documented consent; consent laws vary by jurisdiction
Adobe Firefly | Design work | Low | ✓ Yes | Commercially safe; IP indemnification in Adobe Enterprise agreement
Canva AI | Social graphics | Low | ✓ Yes | Canva for Teams plan; acceptable use for client deliverables
GitHub Copilot | Automation scripts | Low | No | Used by 1 team member; low client data exposure but unlicensed
Perplexity | Research | Low | No | Used for market research; inputs reviewed, low sensitivity
Claude.ai | Financial / strategic analysis | High | No | Financial projections and client acquisition strategies entered into consumer tier with no DPA
HubSpot AI | CRM insights | Low | ✓ Yes | Covered under existing HubSpot agreement; data stays within CRM
Loom AI | Video summaries | Low | No | Used for internal async communication; upgrade to Business for DPA
Zoom AI Companion | Meeting transcripts | Medium | No | Transcripts stored; data region unverified; client calls included

Totals: 4 High · 5 Medium · 8 Low · 12 of 17 tools are unsanctioned

Deliverable 2 AI Maturity Assessment

Forge Marketing Group scores 2.0 out of 5.0, placing the organization in the "Reactive" stage. AI adoption is happening informally without strategy or oversight. The radar below compares Forge's scores against the B2B agency benchmark across all 7 pillars.

Maturity Stage Guide
1.0 Unaware — No AI usage or awareness
2.0 Reactive ← Forge is here
3.0 Intentional — Governed, deliberate use
4.0 Strategic — AI embedded in ops and planning
5.0 Leading — AI-native competitive advantage
Pillar-by-Pillar Breakdown
Business Strategy Alignment 2 / 5
AI is not mentioned in the 2024 strategic plan. No budget allocated for AI tools, training, or governance. Leadership awareness is emerging but not translated into action.
AI Literacy & Culture 1 / 5
Most team members are self-taught on AI tools with no formal training. Significant knowledge gaps exist between the 3–4 power users and the rest of the team. No internal AI champions program exists.
Data & Privacy Governance 3 / 5
Forge has a general data handling policy, but it was written before the AI era and doesn't address AI-specific risks. Some awareness exists at the manager level but it hasn't translated to consistent team behavior.
Process Integration 2 / 5
AI usage is highly individual and ad-hoc. No standard workflows have been documented. The same task (e.g., writing a client brief) is done differently by each team member, with wildly inconsistent use of AI.
Risk & Compliance 3 / 5
No AI governance framework exists. No client contracts have been updated to address AI usage. However, no known data incidents have occurred, and there's genuine risk awareness at the leadership level.
Vendor & Tool Management 2 / 5
No formal vendor evaluation process for AI tools. Tools are adopted informally when individual team members find them useful. No consolidated view of what tools the team is using.
Measurement & ROI 1 / 5
Zero formal measurement of AI impact. Some team members estimate time savings anecdotally, but no data is tracked. No KPIs, no baseline, no reporting.

Deliverable 3 Risk & Compliance Assessment

Our risk assessment identified 4 HIGH-severity findings that require immediate action. Each represents an active, ongoing exposure — not a theoretical risk. These are happening today.

Finding #1 — Client Confidential Data in ChatGPT (Severity: High)
Risk Category

Data Breach / Client Trust / NDA Violation

Finding

Multiple team members routinely paste client briefs, campaign budgets, and competitive strategies into ChatGPT (consumer tier). OpenAI's consumer products use conversation data for model training unless users manually opt out — a step that has not been taken by any team member. Client NDAs at Forge prohibit third-party disclosure of proprietary information. This practice is in ongoing, daily violation of those agreements.

Remediation

Immediately prohibit consumer-tier ChatGPT for all client data. Migrate to ChatGPT Team or Enterprise with a Data Processing Agreement executed prior to any client data input. Provide all-hands training on what constitutes "client data" for this policy.

Finding #2 — Financial Data in Claude.ai (Severity: High)
Risk Category

Data Breach / Regulatory / Fiduciary

Finding

The Director of Strategy uses Claude.ai (consumer tier) to analyze client financial projections, pricing models, and acquisition strategies. Anthropic's consumer product privacy policy does not meet enterprise data handling standards and includes no data processing agreement. Financial data shared in this manner may constitute a breach of confidentiality obligations under client service agreements.

Remediation

Upgrade to Claude Pro with Team plan and execute DPA before any further use with client financial data, or restrict financial data processing to on-premise or zero-data-retention solutions. Document the policy change in writing and obtain employee acknowledgment.

Finding #3 — Client Call Transcription Without Consent (Severity: High)
Risk Category

Legal / Client Trust / Privacy Law

Finding

Otter.ai is used to record and transcribe client discovery calls, strategy sessions, and review meetings without disclosing this to clients. In California, Illinois, Florida, and most EU jurisdictions, all-party consent is required for recording. At least 6 active clients are headquartered in states with strict recording consent laws. No client onboarding materials reference recording or transcription. Otter.ai is on the consumer plan with no DPA.

Remediation

Update client onboarding documentation to include explicit recording and transcription disclosure. Verbally announce at the start of every call. Upgrade to Otter.ai Business for enterprise data compliance. Consider obtaining written consent as part of the engagement agreement.

Finding #4 — No AI Usage Disclosure to Clients (Severity: High)
Risk Category

Client Trust / Contractual Breach / IP Liability

Finding

AI-generated content — including copywriting, imagery, strategic frameworks, and analysis — is being delivered to clients as agency work product without any disclosure that AI tools were used in the creation process. A review of 4 active client contracts found that 2 explicitly prohibit undisclosed use of AI tools in deliverables. This creates active breach-of-contract exposure. The remaining contracts are silent on AI, which creates future renegotiation risk as clients become more AI-aware.

Remediation

Audit all active client contracts for AI-related clauses. Draft an AI disclosure addendum for clients with explicit prohibitions. Update all new client contract templates to include a clear, balanced AI usage policy. Create an internal content quality checklist that documents what was AI-assisted vs. human-authored in each deliverable.

Medium Risk Findings (Summary)
Midjourney / DALL-E Image IP Rights (Severity: Medium)

Images generated by Midjourney (consumer plan) are not owned by Forge Marketing Group under Midjourney's terms of service. Delivering these images to clients as agency work product may violate copyright provisions in client agreements. DALL-E images via API have clearer ownership terms, but are not currently used under an enterprise account with IP indemnification.

Zoom AI Companion — Data Region Compliance (Severity: Medium)

Zoom AI Companion is enabled on the team account and generates meeting transcripts and summaries. The data storage region for AI-generated content has not been verified. For Forge's EU-based clients (2 active accounts), this creates potential GDPR transfer compliance risk. No data processing addendum has been executed with Zoom for the AI features specifically.

Policy Gap Analysis
  • AI Acceptable Use Policy: Missing
  • Data Classification Guide (AI-Specific): Missing
  • Approved AI Vendor Register: Missing
  • AI Disclosure Policy (Client-Facing): Missing
  • AI Governance Framework: Missing
  • AI Risk Review Process for New Tools: Missing

Deliverable 4 Strategic Roadmap

The roadmap is structured in three overlapping phases. Phase 1 starts immediately and is free. Phases 2 and 3 can be initiated in sequence or in parallel, depending on Forge's bandwidth and priorities.

  • Phase 1: Client Data Protection Protocol (Weeks 1–6). Governance, policies, and risk elimination. Zero cost.
  • Phase 2: AI Content Production System (Months 2–5). Structured workflows for content at scale.
  • Phase 3: Knowledge Base + AI Assistant (Months 4–10). Internal intelligence layer; onboarding transformation.

Initiative 1 — Client Data Protection Protocol

💰 $0 cost 📅 Weeks 1–6 🎯 Eliminates 4 HIGH-risk exposures

Objective: Eliminate the 4 HIGH-risk exposures identified in the risk assessment through policy creation, tool controls, and team training — with zero software spend.

Key Deliverables:

  • Approved AI tool register (what tools are cleared for client data vs. internal use)
  • Prohibited tool list with specific scenarios (e.g., "no consumer ChatGPT with client data")
  • Data classification guide: Public / Internal / Confidential tiers
  • AI Acceptable Use Policy v1.0 with legal review
  • All-hands training session + employee acknowledgment sign-off
  • Client contract AI disclosure addendum template
  • Updated client onboarding materials (recording consent)
Projected Impact: 4 HIGH risks eliminated · $0 investment · Immediate payback

Initiative 2 — AI Content Production System

💰 ~$8K build + ~$400/mo 📅 Months 2–5 ⏱ Saves 340 hrs/yr

Objective: Build a structured, quality-controlled AI content workflow that standardizes how the team creates client content — eliminating inconsistency and dramatically increasing throughput.

Key Deliverables:

  • Templated prompt library for the 12 most common content types (blog, email, ad copy, social, etc.)
  • Brand voice and tone guide formatted for AI ingestion per client account
  • Quality review checklist: human verification steps before client delivery
  • AI disclosure framework: what to communicate to clients and when
  • Approved toolchain: ChatGPT Team (with DPA) as primary, Jasper Business as secondary
  • Team training on prompt engineering best practices
Projected Impact: $34,000/yr value · 340 hrs/yr recovered · 6.2 month payback

Initiative 3 — Internal Knowledge Base + AI Assistant

💰 ~$15K build + ~$200/mo 📅 Months 4–10 📈 90→30 day onboarding

Objective: Build an AI-powered internal knowledge base that captures Forge's institutional knowledge — client histories, process documentation, brand guidelines, templates — and makes it instantly accessible to every team member.

Key Deliverables:

  • Structured knowledge architecture across all active client accounts
  • AI chat interface for querying internal docs, past work, and client context
  • Onboarding module: new hire can reach 30-day productivity in 30 days (vs. 90 today)
  • Process documentation for all recurring workflows
  • Integration with HubSpot CRM for client history context
  • Quarterly knowledge base review and maintenance protocol
Projected Impact: $180,000/yr value · 1.3 month payback · Onboarding 3× faster

Deliverable 5 Financial Impact Model

24-Month Projected Value: $847,000 (total value across all 3 initiatives over 24 months)

Initiative | Investment | Annual Value | Payback | 24-Month Net
Client Data Protection Protocol | $0 | Risk elimination (incalculable) | Immediate | $0 + risk mitigation
AI Content Production System | $8K + $400/mo (~$17.6K total) | $34,000 | 6.2 months | ~$50,400
Internal Knowledge Base + AI Assistant | $15K + $200/mo (~$19.8K total) | $180,000 | 1.3 months | ~$340,200
Total (Initiatives 2 + 3) | ~$37.4K | $214,000+/yr | < 4 months | $847,000

Annual Hours Recovered
  • Content Production: 340 hrs/yr
  • Knowledge Base & Onboarding: 280 hrs/yr
  • Total Recovered: 620 hrs/yr

Important note on Initiative 1: Risk mitigation value is not quantified in the table above. A single data breach incident involving client confidential data can result in legal fees of $50K–$500K+, client contract termination, and reputational damage that is difficult to quantify. A single client NDA violation dispute — even one that settles — would exceed the total investment in all three initiatives. The true ROI of Initiative 1 is risk-adjusted and far exceeds the $0 cost.

Deliverable 6 Implementation Playbook

The playbook below covers Initiative 1 — Client Data Protection Protocol in full week-by-week detail. This initiative requires zero budget and can begin immediately. It is the most urgent priority given the 4 active HIGH-risk exposures identified in the assessment.

Week 1 — Align Leadership
Week 2 — Write Data Classification Guide
Week 3 — Draft & Review AI Acceptable Use Policy
Week 4 — Roll Out Policy & Migrate Tools
Week 5 — Client Contract Audit
Week 6 — Review & Compliance Check
Quick Reference — Approved Tools by Data Tier

Approved for Client Data (Confidential Tier)

  • ChatGPT Team or Enterprise (DPA executed)
  • Claude Pro Team (DPA executed)
  • HubSpot AI (covered under HubSpot agreement)
  • Adobe Firefly (covered under Adobe Enterprise)
  • Grammarly Business (DPA in place)

Internal Use Only (Not for Client Data)

  • Notion AI (internal docs only)
  • Canva AI (internal assets; client use with review)
  • Perplexity (research; no client data input)
  • Loom AI (internal async only)
  • GitHub Copilot (ops/automation only)

Deliverable 7 Executive Briefing & Presentation

Included in Every Engagement
A live presentation for your leadership team — included with every AI Audit & Assessment engagement.

This deliverable is a 60-minute in-person (or virtual) executive briefing delivered by Purely Works to your leadership team. It is designed to translate the technical findings of this report into clear, decision-ready language — and to generate the organizational alignment needed to actually execute the roadmap.

What the Briefing Includes
  • 60-Minute Executive Presentation: Live slides and facilitated discussion with your senior leadership team
  • Non-Technical Narrative: What we found, what it means for the business, and what to do — in plain language
  • Priority Matrix: 2×2 impact vs. effort mapping of all findings — visual, discussion-ready
  • Decision-Ready Roadmap: Go / No-Go recommendation on each initiative with rationale
  • Live Q&A Session: Direct access to Purely Works' principal consultant for follow-up questions
  • Executive Leave-Behind: One-page summary document for circulation to stakeholders not present

Briefing Agenda (60 min)
  1. Where You Are Today — 15 min
    Maturity score walkthrough across all 7 pillars. Key findings presented in plain language. Benchmark comparison — how Forge compares to peer agencies. No jargon, no judgment — just data.
  2. What's at Risk — 15 min
    Concrete risk scenarios: what happens if a HIGH-risk finding becomes an incident. Cost of inaction — legal, reputational, and operational. The 4 HIGH risks presented as business scenarios, not technical findings.
  3. Where You Could Be — 15 min
    Full roadmap walkthrough — all 3 initiatives with timelines and investment. Financial model review — $847K value, $37K investment, <4 month payback. What "Intentional" maturity looks like for a 23-person B2B agency.
  4. Recommended Next Steps — 15 min
    Priority initiative recommendation with explicit rationale. Decision framework: what needs to be decided today vs. in 30 days. Q&A. Leave-behind document review. Proposed next engagement if applicable.

Why the executive briefing matters: In our experience, the most common failure mode for AI strategy work is not a bad plan — it's organizational inertia. The executive briefing is designed to do one thing: create the internal buy-in and urgency that turns a well-written report into actual execution. Without leadership alignment, even a perfect roadmap sits in a drawer.