Your teams shipped AI agents. Under NIS2, the risk sits with you.
NIS2 makes leadership personally accountable for cyber risk management: fines up to EUR 10 million or 2 percent of global turnover, and the duty cannot be delegated. An independent assessment of your AI agents turns an unknown exposure into a documented, managed risk. Report in 2 to 4 weeks. Fixed price.
Book a free 30-min Idea Call →The expensive risk is not the one you accepted. It is the one nobody assessed.
Somewhere in your organisation, agents are already running: in customer service, in the back office, inside developer tools. They hold credentials and act on their own. NIS2 obliges management to approve and oversee cyber risk measures, in Germany since December 2025, in Austria from 1 October 2026. Regulators, auditors, cyber insurers and enterprise customers are already asking the same question: how do you know your AI agents are secure?
Answering with a vendor's promise is not oversight. An independent assessment gives you the answer in writing: what can go wrong, what it would cost, what is being done about it and in which order.
What you walk away with.
Written for the board first, actionable for engineering second. Both from the same assessment.
Board-Ready Executive Read-out
A live walkthrough of your exposure: where agents touch critical systems, what the realistic worst case is and how the remediation plan closes it. Includes a summary of your liability position under NIS2.
Liability and Compliance Mapping
Every finding tied to the duty it triggers under NIS2 (BSIG in Germany, NISG 2026 in Austria) and the EU AI Act, usable as evidence of due diligence.
Threat Model of Your Agent Architecture
The technical backbone: scenario-driven attack trees built with the OWASP Top 10 for Agentic Applications, MITRE ATLAS and CSA MAESTRO. Rigorous enough for your CISO, readable enough for your board.
Report with Remediation Roadmap
Prioritized measures with owners, effort and impact: a plan you can approve, fund and show to an auditor.
Optional Governance Retainer
Quarterly re-assessment, an updated risk register and a standing answer to the board question. EUR 1,500 to 3,000 per month.
Agentic AI Security Assessment
Priced by the complexity of your agent architecture. Includes discovery, threat modeling, EU AI Act and NIS2 mapping, the written report with remediation roadmap, and the executive read-out. Optional continuous retainer from €1,500 to €3,000 per month.
Book a free Idea Call to scope itFrom open question to signed-off answer in three stages.
A focused engagement, typically 2 to 4 weeks from kick-off to the decision meeting.
Exposure Mapping
We locate every agent in your organisation, what it can reach and which regulatory duties attach to it.
Threat and Impact Analysis
Attack paths are modeled and translated into business impact: downtime, data loss, reporting duties, liability.
Decision Read-out
You get a prioritized plan with costs and owners, presented so leadership can approve it in one meeting.
I build multi-agent systems. And I take them apart.
The assessment comes from the builder's side, not from an audit checklist. This is work I show on stage and run in production.
Your Agent Is Your New Layer 8
Why autonomous agents behave like a new human layer in your organisation: with all the security consequences that brings.
Securing Agent Identity
How agents get their own identities, scoped permissions and auditable access instead of shared API keys.
A multi-agent crew, built on stage
A multi-agent film crew shown live: specialised agents planning, producing and reviewing against real constraints.
Multi-agent deep dives
Technical deep dives on hybrid multi-agent architecture and platform engineering for enterprise teams, plus hands-on Amazon Bedrock AgentCore workshops.
Up to 100% AWS funded.
As an AWS Community Hero, I navigate the funding process with you, from application to approval. Eligibility is assessed in the first 30 minutes, not added as an afterthought at the end.
PoC Funding
Covers prototype development. Deliverables engineered to meet funding requirements.
Migration Funding
For larger cloud transformation projects. Multi-phase plan structuring and end-to-end application support.
Answers, in writing.
Who is liable when an AI agent causes damage?
The organisation operating it, and under NIS2 its management personally for the oversight of cyber risk measures. The duty to approve and monitor those measures cannot be delegated to IT or to a vendor.
What does management have to prove under NIS2?
That cyber risks, including those from AI systems, are identified, assessed, treated and monitored, and that leadership approved the measures. A dated, independent assessment with a remediation roadmap is exactly that evidence.
Does NIS2 apply to us at all?
NIS2 covers essential and important entities in 18 sectors, generally from 50 employees or EUR 10 million turnover: roughly 29,500 companies in Germany and about 5,000 in Austria once NISG 2026 takes effect on 1 October 2026. The Idea Call includes a quick scope check.
We have a CISO. Why an external assessment?
Your CISO is the first reader of the report, not the replacement for it. Independence is the point: the assessment carries weight with auditors, insurers and customers precisely because I have no stake in the outcome and no tool to sell.
What does it cost?
EUR 12,000 to 18,000 fixed, depending on the complexity of the architecture. The governance retainer runs EUR 1,500 to 3,000 per month. A known, budgetable number against an exposure of up to EUR 10 million.

Linda Mohamed
An independent practice for organisations that want their AI agents assessed by the person who builds them. AWS Community Hero, speaker at AWS Community Days in Istanbul and Athens 2026, and builder of production multi-agent systems on Amazon Bedrock, CrewAI and LangGraph. Based in Vienna, Austria. Remote or on-site, English or German.
Book a free 30-min Idea Call →Begin with a 30-minute Idea Call.
Before the assessment, we have a short conversation to confirm fit. No commitment. No slides. The same opening conversation that precedes every paid engagement.
- Confirm the scope of your agent architecture
- Check where the EU AI Act and NIS2 apply to you
- Decide whether the one-time assessment or the retainer fits best
- Get the intake brief and a calendar slot
Typically respond within one business day. Vienna, Austria · serving clients across the EU · [email protected]