AI Governance · NIS2 · Management Accountability

Your teams shipped AI agents. Under NIS2, the risk sits with you.

NIS2 makes leadership personally accountable for cyber risk management: fines up to EUR 10 million or 2 percent of global turnover, and the duty cannot be delegated. An independent assessment of your AI agents turns an unknown exposure into a documented, managed risk. Report in 2 to 4 weeks. Fixed price.

Book a free 30-min Idea Call →
The Question Your Board Will Ask

The expensive risk is not the one you accepted. It is the one nobody assessed.

Somewhere in your organisation, agents are already running: in customer service, in the back office, inside developer tools. They hold credentials and act on their own. NIS2 obliges management to approve and oversee cyber risk measures, in Germany since December 2025, in Austria from 1 October 2026. Regulators, auditors, cyber insurers and enterprise customers are already asking the same question: how do you know your AI agents are secure?

Answering with a vendor's promise is not oversight. An independent assessment gives you the answer in writing: what can go wrong, what it would cost, what is being done about it and in which order.

A documented assessment is the difference between a managed risk and negligence. NIS2 knows the difference too.
Concrete Deliverables

What you walk away with.

Written for the board first, actionable for engineering second. Both from the same assessment.

Board-Ready Executive Read-out

A live walkthrough of your exposure: where agents touch critical systems, what the realistic worst case is and how the remediation plan closes it. Includes a summary of your liability position under NIS2.

Liability and Compliance Mapping

Every finding tied to the duty it triggers under NIS2 (BSIG in Germany, NISG 2026 in Austria) and the EU AI Act, usable as evidence of due diligence.

Threat Model of Your Agent Architecture

The technical backbone: scenario-driven attack trees built with the OWASP Top 10 for Agentic Applications, MITRE ATLAS and CSA MAESTRO. Rigorous enough for your CISO, readable enough for your board.

Report with Remediation Roadmap

Prioritized measures with owners, effort and impact: a plan you can approve, fund and show to an auditor.

Optional Governance Retainer

Quarterly re-assessment, an updated risk register and a standing answer to the board question. EUR 1,500 to 3,000 per month.

Core Assessment

Agentic AI Security Assessment

€12,000 to €18,000 · 2 to 4 weeks · remote or on-site

Priced by the complexity of your agent architecture. Includes discovery, threat modeling, EU AI Act and NIS2 mapping, the written report with remediation roadmap, and the executive read-out. Optional continuous retainer from €1,500 to €3,000 per month.

Book a free Idea Call to scope it
How It Runs

From open question to signed-off answer in three stages.

A focused engagement, typically 2 to 4 weeks from kick-off to the decision meeting.

Stage 1

Exposure Mapping

We locate every agent in your organisation, what it can reach and which regulatory duties attach to it.

Stage 2

Threat and Impact Analysis

Attack paths are modeled and translated into business impact: downtime, data loss, reporting duties, liability.

Stage 3

Decision Read-out

You get a prioritized plan with costs and owners, presented so leadership can approve it in one meeting.

Track Record

I build multi-agent systems. And I take them apart.

The assessment comes from the builder's side, not from an audit checklist. This is work I show on stage and run in production.

Talk · AWS Community Day Istanbul 2026

Your Agent Is Your New Layer 8

Why autonomous agents behave like a new human layer in your organisation: with all the security consequences that brings.

Session · AWS Community Day Istanbul 2026

Securing Agent Identity

How agents get their own identities, scoped permissions and auditable access instead of shared API keys.

Live build · AWS Community Day Athens 2026

A multi-agent crew, built on stage

A multi-agent film crew shown live: specialised agents planning, producing and reviewing against real constraints.

Enterprise work

Multi-agent deep dives

Technical deep dives on hybrid multi-agent architecture and platform engineering for enterprise teams, plus hands-on Amazon Bedrock AgentCore workshops.

The Green Light

Up to 100% AWS funded.

As an AWS Community Hero, I navigate the funding process with you, from application to approval. Eligibility is assessed in the first 30 minutes, not added as an afterthought at the end.

PoC Funding

Up to €10,000

Covers prototype development. Deliverables engineered to meet funding requirements.

Migration Funding

Up to €400,000

For larger cloud transformation projects. Multi-phase plan structuring and end-to-end application support.

Questions Buyers Ask

Answers, in writing.

Who is liable when an AI agent causes damage?

The organisation operating it, and under NIS2 its management personally for the oversight of cyber risk measures. The duty to approve and monitor those measures cannot be delegated to IT or to a vendor.

What does management have to prove under NIS2?

That cyber risks, including those from AI systems, are identified, assessed, treated and monitored, and that leadership approved the measures. A dated, independent assessment with a remediation roadmap is exactly that evidence.

Does NIS2 apply to us at all?

NIS2 covers essential and important entities in 18 sectors, generally from 50 employees or EUR 10 million turnover: roughly 29,500 companies in Germany and about 5,000 in Austria once NISG 2026 takes effect on 1 October 2026. The Idea Call includes a quick scope check.

We have a CISO. Why an external assessment?

Your CISO is the first reader of the report, not the replacement for it. Independence is the point: the assessment carries weight with auditors, insurers and customers precisely because I have no stake in the outcome and no tool to sell.

What does it cost?

EUR 12,000 to 18,000 fixed, depending on the complexity of the architecture. The governance retainer runs EUR 1,500 to 3,000 per month. A known, budgetable number against an exposure of up to EUR 10 million.

Linda Mohamed
Your consultant

Linda Mohamed

AWS Community HeroIndependent ConsultantBedrock · CrewAI · LangGraphEN & DE delivery

An independent practice for organisations that want their AI agents assessed by the person who builds them. AWS Community Hero, speaker at AWS Community Days in Istanbul and Athens 2026, and builder of production multi-agent systems on Amazon Bedrock, CrewAI and LangGraph. Based in Vienna, Austria. Remote or on-site, English or German.

Book a free 30-min Idea Call →
Start Here

Begin with a 30-minute Idea Call.

Before the assessment, we have a short conversation to confirm fit. No commitment. No slides. The same opening conversation that precedes every paid engagement.

  • Confirm the scope of your agent architecture
  • Check where the EU AI Act and NIS2 apply to you
  • Decide whether the one-time assessment or the retainer fits best
  • Get the intake brief and a calendar slot
Book the Idea Call

Typically respond within one business day. Vienna, Austria · serving clients across the EU · [email protected]