Handrails
AI Risk

Are you in control of your AI?

Your AI systems are making decisions. Your people are making decisions with AI. Both create exposure.

Handrails tests how your team actually uses AI on real work and how your company responds when AI goes wrong.

  • 78% of staff use AI you haven't approved
  • 1 in 3 AI outputs reach customers unverified
  • <30 min from scenario to evidence
  • 0 consultants needed
Report · AI risk map (live)

Report · AI Risk · System & Behavior (Ready)
  • Authority threshold guardrail: Set in orchestrator only; didn't propagate
  • Rollback protocol: PO reversed inside 18 min
  • Policy-to-config drift: Last update missed two services
  • Behavioral escalation: Agent owner paged inside SLA
  • Customer-notification draft: No template for AI-driven errors
Why this matters now

A new risk, but growing exponentially.

01

You're accountable for what your AI does

Customers don't care that AI made the call. They care that your company sent it, said it or signed off on it. Accountability ends with you.

02

Controls only count if they hold under pressure

Boards and partners want escalation paths, override capability and evidence that your people behave inside the policy you wrote. Your AI vendor doesn't provide any of these.

03

Proof, not policy

Boards, investors and customers have stopped accepting "we have a policy" as the answer. Regulators treat deployers as carrying obligations independent of providers. Simulations and behavioral evidence are how that answer gets proven.

What gets in the way

Your AI fails. Your people fail. Both end with you.

There are only two ways AI risk shows up. Either your systems do something wrong or your people use AI in a way that creates risk. Almost no one has evidence that either set of controls actually works under pressure.

When your people fail

  • Finance pastes customer data into a public model
  • Legal trusts an AI contract summary because the meeting starts in ten minutes
  • HR can't reconstruct how a shortlist was made
  • The training was completed. The behavior didn't follow.

When your AI fails

  • A copilot issues a refund outside policy
  • A prompt injection slips through human review
  • An agent commits a vendor renewal above its authority
  • The control was in the policy. It was never operationalised.

Clauses covered

The obligations behind your AI policy are growing.

Every Handrails exercise maps to live obligations your regulators, customers and partners already check against. The clauses below are some of the most common.
EU AI Act
Human Oversight · By design; ongoing

High-risk AI must be designed and deployed to be effectively overseen by natural persons during use. Deployers carry obligations under Art. 26 independent of providers.

If skipped: Non-conformity finding under Art. 26; enforcement under Art. 99.
ISO/IEC 42001 + NIST AI RMF
AI Management System (ISO + NIST) · Continuous improvement

Establish, implement, maintain and continually improve an AI management system. Effectiveness testing of AI governance programmes, including the human element, is in scope.

If skipped: Certification finding; documented governance gap that customers and investors now ask about.
EU DORA + APRA CPS 230
Operational Resilience (EU + APRA) · At least annually

Where AI vendors or copilots act as material service provider components, severe-but-plausible scenario testing applies. Simulations are the standard format.

If skipped: Supervisory findings; remediation deadlines; FAR consequences for accountable persons.
SOC 2 + ISO 37301
Workforce Policy (AICPA + ISO) · At least annually

The entity demonstrates commitment to integrity and ethical values. Standards of conduct around AI use are communicated and adherence is evaluated.

If skipped: Qualified SOC 2 report; delayed enterprise deals; failed vendor reviews.
How an AI Risk simulation runs

Built around your business. Run in three steps.

No consultants to coordinate. No complex rollout. Holly handles the simulation design and facilitation while your team responds through short virtual sessions.
1. Context in

Context
  • AI surface: 12 tools · 4 agents
  • Frameworks: EU AI Act · ISO 42001
  • Cohort: 240 staff · cross-functional
  • Policy: AI Use v1.4 · Q1 2026
  • Coverage: Sales · Ops · Eng · Legal
  • Last walkthrough: Q4 last year

  • Scenario: Copilot exceeded authority
  • Walkthrough: 5-8 min · voice
  • Simulation: Under 30 minutes
  • Output: System + behavior map
  • Board view: Quarterly trend
  • Re-test: On policy / model change

Map the risk surface.

Share your AI tools, workflows and AI usage policies. Holly builds realistic scenarios tailored to how AI is actually being used across your company.

2. Virtual session

Holly, the Handrails AI agent, facilitating a live virtual session with participants Priya (CFO) and Marco (AI lead).

Holly runs the simulations.

Short virtual sessions conducted over video. Holly walks each participant through realistic AI-related situations, probing decisions, escalation paths and judgment under pressure.

3. Report out

See where the gaps are.

Every session rolls into a consolidated view of behavioral risk, policy gaps, escalation failures and control weaknesses. Leadership sees exactly where intervention is required.

What you walk away with

One risk map. Four artifacts.

Board-ready summary

One-page narrative for the board or leadership team. What was tested, where the team held, where they didn't, what we're doing about it.

System risk map

Which AI surfaces are exposed, which controls held under pressure and which broke down. Owners and target dates assigned.

Behavior risk map

Which teams are exposed and what the exposure pattern is. Data leakage, hallucination, IP exposure, decision auditability.

Trend line (on roadmap)

Quarter-on-quarter movement on the metrics that matter: scenarios passed, non-approved AI use, data control failures, AI output verification.

Old way vs Handrails

AI changes weekly. Annual training can't keep up.

Traditional AI training is slow, generic and difficult to operationalize. Handrails delivers realistic simulations continuously, built around how AI is actually being used inside your company.
The old way

Consultants + LMS videos

  • Quote and workshop process takes weeks
  • Generic AI risk scenarios delivered from a slide deck
  • Training tracks completion, not real-world decision making
  • Findings and reports produced after the session ends
  • Policies reviewed annually while AI usage changes monthly
With Handrails

Continuous AI readiness testing

  • Run simulations any day, any time
  • Scenarios tailored to your actual AI tools & policies
  • Test how employees respond in realistic situations
  • Behavioral findings and evidence generated automatically
  • Continuous testing that evolves as your AI usage changes

The first real test of your AI governance shouldn't be a live incident.

Stress-test your people, policies and escalation paths before reality does.