EU AI Act
€35M / 7% of global annual turnover under Article 99.
See EU AI Act detail →
Secruna connects to your cloud accounts, finds every AI system your team uses, and prepares the paperwork your auditors expect. Built for the rules your business actually answers to — across the UK, the EU and beyond.
Each rulebook asks for different paperwork, but the underlying question is always the same: which AI systems do you run, what risk do they carry, and can you show it? Secruna answers that question once and prints the artefact each regulator expects.
Standards & Regulation review and suspension of regulated services for non-compliant firms.
See RICS detail →
Procurement gate for defence tenders — suppliers without evidence are screened out at bid stage.
See UK Defence detail →
Mandatory cyber assurance level for any organisation holding an MoD contract.
See Def Stan 05-138 detail →
Spend-control gate for digital programmes across UK central government and arm’s-length bodies.
See Secure by Design detail →
Gateway cyber assurance framework consumed by the GovAssure scheme. Not-Achieved IGPs surface as audit findings.
See NCSC CAF detail →
Up to EUR 10M or 2% of annual worldwide turnover for essential entities. Management bodies personally liable under Article 20.
See NIS2 detail →
Directly applicable across the EU since 17 January 2025. Art. 28 register reuses your AI inventory; Art. 19 sets a 4h / 72h / 1-month incident reporting clock.
See DORA detail →
Required for many UK government supplier contracts and referenced widely in private-sector RFPs. The Plus tier adds an independent IASME-registered assessor visit at annual renewal.
See Cyber Essentials Plus detail →
Statutory under DPA 2018 ss. 121-129. Non-compliance is admissible evidence in ICO enforcement action and in court. The ICO is actively enforcing against ADM today.
See ICO AI + ADM Code detail →
Every compliance programme has the same five stages. Start at step one — the rest only make sense once you know what you have.
Find every AI system across cloud, SaaS and shadow IT — not just the ones already in your CMDB.
Map every system to the categories each regulation cares about — Annex III, RICS rule areas, defence risk tiers.
Build the technical documentation each regulator expects so the file is ready before an auditor or buyer arrives.
Operate the risk register and human-oversight controls as continuous duties, not one-off paperwork.
File serious-incident notifications inside the window each regulator sets — without scrambling for evidence.
Compliance, engineering, legal and the senior partner each get the artefact they need — without becoming experts in each other’s job.
Anonymised pilot scenarios from internal fixture-tenant runs. Numbers are real; identifying details are not.
A retail bank in CEE connected its Microsoft 365 tenant. Secruna found 312 Copilot seats across three business units in 18 minutes — including 47 the central compliance team had never been told about.
A Polish payments fintech connected Azure and AWS. Secruna discovered 14 AI systems in 22 minutes — three were Annex III high-risk (credit-decisioning model, KYC liveness check, anti-fraud score).
A mid-market HR-tech vendor classified its CV-screening model as Annex III §4 high-risk and discovered two downstream deployers in scope — turning a customer-facing risk into a procurement asset.
You’ll leave the call with three concrete numbers — how many AI systems live in your estate today, which rulebooks apply to your business, and how much documentation work is still ahead. No slides, just answers.