The Discovery.

How the Sovereign AI Discovery works

Before anything gets built, I spend two to three weeks understanding what your team is actually doing with AI today, where the real exposure sits, and what would be worth building first. You get a written report and a debrief call. Fixed price, no commitment to go further.

This page is about the part most consultancies skip over: how I find out what's really going on with AI inside your organisation, even though your staff are unlikely to tell you the whole truth.

The problem with just asking

Most "AI audits" start with a survey. Send a form round the team. Ask what tools they're using. Tally the answers.

The answers are useless.

Your staff know that pasting a client email into ChatGPT is probably against policy. Maybe it's in the staff handbook. Maybe a partner mentioned it in a team meeting. Either way, nobody is going to tick a box that says "yes, I've been pasting privileged correspondence into a US chatbot for six months." Even an anonymous survey gets pushed back. People don't trust anonymous.

So the survey comes back clean. The organisation files it. And the actual AI use carries on, unchanged, in everyone's browser.

You can't fix what you can't see, and asking nicely doesn't make it visible.

How I find shadow AI use anyway

I work the other end of the problem. Instead of asking your team what they're doing, I look at what they're producing. There are four signals I use, and almost every organisation I look at shows at least two of them.

1. Productivity signals

If a team is consistently delivering more work than its headcount and working hours suggest is possible, that gap is being closed by something. Sometimes it's a new hire I didn't know about. Sometimes it's a process change. Often, it's AI.

The kinds of things I look for:

  • Document triage that used to take a week and now lands by Tuesday afternoon.
  • Recruitment shortlists from 300 applicants produced overnight by a team of two.
  • Junior staff whose first draft work has suddenly jumped to a level of structure and clarity that doesn't match their previous output.
  • Teams that look fully booked on paper but somehow have capacity for new work.

None of these prove AI use on its own. Together, they're a strong signal that the team has found a way to work faster, and the most common way of doing that in 2026 is a public AI tool.

2. The shape of what your team is producing

AI leaves a footprint in the documents your organisation produces. Not in any single piece (that would be unfair to call out), but in the aggregate.

Internal reports that used to read like the person writing them now read like a template. Executive summaries appearing on documents that never used to have them. A sudden, organisation wide shift to neat bullet points and structured headers in places where the previous style was looser prose. Drafts that are conceptually right but unusually clean of the typos and idiosyncrasies that humans produce under time pressure.

I read a sample of recent work product (with your permission and on your premises) and look for these shifts. They're not proof, and I don't treat them as such. They're a signal that's worth following up.

3. Manager conversations

I sit down with department heads and team managers for thirty to forty five minutes each. I don't ask them whether their staff are using AI. I ask them about workload, output, and where the bottlenecks have moved.

The questions sound like:

  • Which tasks used to take your team all week and now seem to clear up by Wednesday?
  • Where in your workflow does the team genuinely have to wade through volume of text? Contracts, CVs, supplier proposals, transcripts.
  • If the internet went down today, which parts of your team's daily drafting work would grind to a halt that wouldn't have done a year ago?

Managers usually know. They might not have framed it as "shadow AI" in their head, but they can tell you, with some prompting, which parts of their team's output have changed shape recently.

4. An amnesty across the organisation

The piece that brings the rest into focus is asking your staff directly, but only after the organisation has formally taken punishment off the table. I draft a short email for your managing partner or chief executive to send round. It says, in plain terms: we know AI is in use, we're not looking to discipline anyone, we want to build a private version that's actually safe, and we need to know what people are using it for so we can build the right thing.

Framed that way, the responses come in. Not all of them, but enough to triangulate against the productivity signals and the manager conversations.

The amnesty email I'll draft for you

It's a template, tailored to your organisation during the Discovery. Roughly this shape:

The wording changes per organisation. The structure (acknowledgement, technical reason, plan, amnesty, ask) stays roughly the same.

What lands on your desk at the end

A written report, usually around twenty to thirty pages. Three sections.

1. What's happening today

The findings from the signals work, the manager conversations, and the amnesty responses. Department by department. Where AI is in use, what it's being used for, and where the real exposure sits under UK GDPR, the Data (Use and Access) Act 2025, your client contracts, and any sector specific rules (SRA, FCA, ICO) that apply.

This section is what you'd hand to a DPO or a board. It's the answer to "what's actually going on with AI in our organisation" in plain English, with no jargon and no slideware.

2. The recommendation

One of three outcomes, sometimes a combination:

  • A policy change. Sometimes the right answer is a tighter AI use policy, a sanctioned enterprise tool, and some staff training. No build needed. I'll say so plainly if that's the case.
  • A first Sovereign AI build. A specific use case worth building first, with a rough scope and a price range. Usually one that maps to one of the Sovereign AI capabilities already documented on this site: a staff policy assistant, CV shortlisting, contract review, regulator Q&A, tender qualification.
  • Data work first, build second. If your document archive isn't in a state AI can read, the honest answer is to do that first. The build comes later, on a foundation that actually works. In practice that might mean extracting text from years of PDFs, getting messy systems into a state AI can actually read, or building a clean retrieval layer over your document archive.

3. The architecture sketch

If the recommendation is a build, you also get an architecture sketch: where it would run (typically AWS London), which open source model it would use (typically Llama or Mistral), how data would flow through it, and what it would cost to run on an ongoing basis. Not a full design document. Enough that a CTO, a CFO, or a procurement lead can sanity check the numbers and the approach before you commit.

When the Discovery is the end

Some Discoveries don't lead to a build, and that's a perfectly clean outcome. I'd rather tell you you don't need a Sovereign AI system than build you one that isn't justified.

The kinds of cases where the report says "don't build, do this instead":

  • Your AI exposure turns out to be small enough that a policy update and a sanctioned enterprise tool covers it.
  • Your data isn't in a state where a Sovereign AI build would actually help yet. The right next step is six months of data work, not a build.
  • The use case your team most wants isn't a good fit for AI at all, and a different kind of automation (a script, a workflow change, a different SaaS tool) would do the job better.

If you commission the Discovery and it ends with one of those recommendations, you've still got something valuable: a written, defensible answer to the question of what's happening with AI inside your organisation, and what to do about it. That stands on its own.

Time and price

Two to three weeks from kick off to debrief. Most of that is me working through the signals, talking to managers, reading work product, and writing the report. Your team's time commitment is small: a couple of conversations with department heads, the amnesty email going out, and a final debrief call.

Fixed price, set during the scoping call once I know the size of the organisation and the scope of the work. You see the number before you commit. There are no day rates, no scope creep, and no surprise invoices.

A thirty minute scoping call is free. After that, if you want to go ahead, I send a one page proposal with the fixed price and the start date.

"Pete has been amazing to work with. He explains things to us in a way that makes sense in English, not developer-speak. We feel like Pete is an extended part of our team."

Katie Angotti, Programme Lead, Danone

If this sounds like the conversation you want to have

Email me at peter@peterbrady.co.uk with a short note about your organisation, roughly how many people are in it, and the sector you're in. I'll come back with a time for a thirty minute scoping call.

If you're not sure whether you need this yet, the other thing worth reading is The Shadow AI Risk, which covers the most common shadow AI use cases I see inside UK organisations and the kinds of issues they tend to raise.

Get in touch

Tell me who you are and what your organisation does. If any of this sounds like your situation, that's a good place to start. I'll let you know honestly whether I can help. Even a 30 to 45 minute call often leaves people with a clearer picture of the path forward, whether or not we end up working together.

For context: I work best with programme managers, partners, operations directors, and IT leads in UK law firms, financial services, manufacturing, charities, and non profits. Respectfully, I don't work with recruitment or development agencies.

Email: peter@peterbrady.co.uk

Sovereign AI Architect, Peter Brady

PNB Technologies Limited
55 Yew Tree Road, Ormskirk
Lancashire, L39 1NT, United Kingdom

Company Reg: 07166600
VAT Reg: GB986726850

© 2026 Peter Brady. All rights reserved.

Links

Reference