[01]team.dev
Onboard →Menu

Project — Sprint / SKU 01

AI Agent Compliance Audit

Uses PTOI MCP

Know exactly where PHI or PCI moves through your AI agent — and what to do about it.

Fixed fee

$25k

Duration

3 weeks

Engagement

Standalone — no retainer required

Start onboarding →Book a 15-minute fit call← All sprint SKUs

The problem this solves

Why this exists

Most teams ship an AI agent before they map the data. Three months later compliance asks 'where does PHI live?' and the answer is a meeting, not a document.

We close that loop in three weeks: every field, every surface, every flow — classified, mapped, and risk-ranked, with a remediation plan your engineers can sequence and your compliance lead can defend.

Is this for you?

Concrete fit and anti-fit

If we're not a fit, we'd rather you find out here than after a sales call.

Good fit

  • You have an AI agent (chatbot, intake, summarizer, copilot) that touches patient data, payment data, or other regulated data — in production or close to it.
  • You have an upcoming HIPAA, PCI, SOC 2, or BAA review and the agent surface is a known unknown.
  • Your engineering team built the agent and your compliance team has questions they cannot currently answer.
  • You want a defensible map and a remediation roadmap, not a 200-page report nobody reads.

Not a fit

  • ×You want us to build the remediation — that is a separate Sprint or Retainer engagement.
  • ×You don't have an agent in production or near it; we audit what exists, not hypotheticals.
  • ×You want a generic 'AI security review' with no regulatory frame; we anchor every finding to a specific regime (HIPAA, PCI, etc.).
  • ×You expect a legal compliance opinion — that is your counsel's job, not ours.

Schedule

Week by week

What happens, in order, with checkpoints. The SOW dates match this schedule.

  1. Week 1

    1. Map

    • 60-minute kickoff with engineering + compliance.
    • Read access provisioned to repo, IaC, infra, model configs, prompts, and synthetic sample data.
    • Build data-flow diagrams covering agent → LLM → tools → storage → logs.
    • PHI/PCI boundary map — every relevant field classified.
    • End of week: draft data-flow doc shared for review.

  2. Week 2

    2. Score

    • Walk every flow against the chosen regulatory frame (HIPAA, PCI, both).
    • Score each surface green / amber / red with the underlying citation.
    • Draft compound catalog v0 for the agent's data vocabulary, using the PTOI spec.
    • 30-minute mid-sprint check-in.
    • End of week: draft findings report shared for review.

  3. Week 3

    3. Remediate

    • Risk-ranked findings report finalized.
    • Remediation plan with effort estimates (S/M/L) and owner suggestions.
    • 60-minute handoff call with engineering + compliance.
    • Final delivery.

  4. +30 days

    4. Follow-up

    • 45-minute follow-up call to review remediation progress.
    • Async clarifications on findings during the window.
    • No upsell on the call — we will tell you if more work is genuinely needed.

Deliverables

What you have at the end

Each deliverable has a format. We don't ship slide decks instead of code.

01

Data-flow and PHI/PCI boundary map

Every surface where regulated data enters, rests, or transits — field by field, with explicit classifications and least-privilege notes.

FormatMermaid diagrams + Markdown, in a repo we share with you

02

Risk-ranked findings report

Each finding has owner, severity, regulatory citation, and recommended fix. No vague 'consider hardening security' bullet points.

FormatPDF + Notion or Markdown

03

Remediation plan

S/M/L effort estimates, suggested order, and dependencies. Designed for your team to execute without us, or to scope into a follow-on engagement.

FormatMarkdown, sequenced

04

Compound catalog v0

PTOI-spec vocabulary your engineering team can extend — the foundation for SKU 03 if you choose to go further.

FormatYAML in your repo, version-controlled

05

30-day follow-up call

Check on remediation progress, answer questions, no upsell.

Format45 minutes, included

What you provide

Concrete dependencies, not 'share relevant info'

If these aren't in place, the ship date moves. We say so up front.

  • A named decision-maker who can accept deliverables and approve scope changes (~1 hour/week).
  • A named technical contact for access and clarifications (~2 hours/week).
  • Read access to repos, IaC, infra dashboards, agent configs, and prompts — within 2 business days of signing.
  • Synthetic, fake, or documented de-identified sample data only. We do not access live PHI under this SOW. (BAA path exists; that is a different engagement.)
  • Written responses to our questions within 2 business days.
  • Decision on the regulatory frame (HIPAA, PCI, both, other) at kickoff.

Out of scope

What this does NOT include

Read this. If something you assumed is here isn't, raise it on the fit call before we sign.

  • ×Implementation of any remediation findings — that is a separate Sprint or Retainer.
  • ×Legal opinions on whether you are 'compliant with HIPAA' — we deliver a defensible engineering posture; your counsel makes the legal call.
  • ×Penetration testing or red-teaming — hire a specialized security firm.
  • ×Vendor selection or BAA negotiation with third parties.
  • ×Training of your team beyond the 60-minute handoff call.
  • ×Any work not expressly listed in the weekly schedule or deliverables above.

Success looks like

One paragraph, plain English

At the end of week 3, your engineering lead and your compliance lead can sit across a table and answer the question 'where does regulated data live in our agent?' with one document they both trust. By day 60, you have shipped the top three remediation items.

What happens after

Common post-sprint paths

What clients typically do after this sprint ships. None of these are required.

  • Most clients spend 4–8 weeks remediating internally; we are available async during the 30-day follow-up window.
  • About 40% convert remediation work into a follow-on Sprint or Retainer.
  • About 20% take the report directly into a board, due-diligence, or audit conversation.

Pricing and terms

What it costs and when you pay

The same numbers appear in the SOW. No bait-and-switch on the legal.

Fixed fee
$25,000 USD, fixed.
Payment schedule
50% on signing ($12,500), 50% on final delivery ($12,500).
Net terms
Net-15 from invoice date.
Cancellation
Cancel for convenience: you owe work performed plus 25% of the unbilled remaining fixed fee. Cause-based termination follows the MSA.
Founding-client discount
Up to 20% off, first 3 months only, capped to the first 3 clients to sign at any tier. Ask on the call.

FAQ

Specific questions for this SKU

Other sprint SKUs

Could one of these fit better?

SKU 02

$20k

MCP / Agent Integration Sprint

Ship one MCP server or agent integration end-to-end in 2 weeks — with evaluations and a handoff doc your team can maintain.

Read the spec →

SKU 03

$35k

HIPAA/PCI Compound Catalog Build-out

Give your regulated AI system a structured data vocabulary that survives a BAA audit and accelerates every future agent build.

Read the spec →

SKU 04

$15k

Marketing Instrumentation Sprint

Ship a minimal event taxonomy and a reporting view that marketing and sales actually trust.

Read the spec →

SKU 05

$20–40k

Web Build Sprint

A focused marketing or product site, designed and shipped in weeks — code you can extend, no lock-in.

Read the spec →

Ready to scope

Book the 15-minute fit call

Confirm fit, regulatory frame (if any), and start date. Written SOW within 48 hours.

Start onboarding →Book a 15-minute fit call← All sprint SKUsRetainer →