The ledger · Open on the table

290 pages of AI governance
intelligence at your fingertips
— for $99 a month.

By Lindsay Hiebert · Founder · CISSP

Most SaaS hides the work. SanctumShield publishes its work, because the work is the product. This page is the full ledger: volume, scope, source list, refresh cadence, and a comparison with what the same body of work costs from a Big 4 retainer.

§ 01 · The intelligence library you receive

Open public reference library plus customized per-subscriber artifacts add up to ~290 pages of CISO-grade material.

Every visitor to sanctumshield.com — no login, no email gate, no contact data shared with anyone — has open access to the full public reference library. Every paying subscriber additionally receives a customized artifact package per Customer Organization.

Public reference library — open to everyone

~74,000 words ≈ 245 pages of original, primary-source-anchored, mid-market-clear governance content

Component | Words | Pages
Glossary — 110+ definitions, regulatory analysis, Authoritative References table, threat-actor evidence band, Mythos / Frontier AI / Due Care + Due Diligence callouts | ~26,000 | ~85
/why-now — regulatory cliff narrative, 7 reg framework deep-dives, CrowdStrike threat-actor evidence, primary-source citations | ~4,000 | ~14
Site content — home, calculator, /trust, /terms, /partners, /agent-governance, /beyond-sig, /vs-wiz, /google-agent-platform, /insurers, /how-it-works, /explainer, /faq, /about/lindsay-hiebert, /whats-new | ~27,000 | ~90
/sample-outputs — three full Acme Health artifacts (Executive Risk Report + AUP + Board Memo) publicly visible for evaluation | ~11,000 | ~36
AI tool + endpoint catalogs — 72 AI API endpoints + 40+ direct AI tools + 40+ embedded SaaS AI catalog with risk ratings | ~6,000 | ~20
Public total | ~74,000 | ~245

About one full business book of CISO-grade material — free, no friction, no sales lure.

Per-subscription customized artifacts — delivered in minutes

~12,000 words ≈ 40 pages of customized governance documentation per Customer Organization

Every $99/month subscriber additionally generates, on demand, three audit-grade artifacts customized to their organization’s industry, jurisdictions, AI tools in use, and selected compliance frameworks.

Customized artifact | Words | Pages
Executive Risk Report — board-ready, severity-ranked findings across 4 Shadow AI risk layers, 90-day action plan, regulatory exposure narrative, tool-by-tool risk recommendation table | ~7,500 | ~25
AI Acceptable Use Policy — 13 sections + 3 appendices, customized to industry / jurisdiction / frameworks, downloadable in HTML / Markdown / Text / Word | ~4,000 | ~13
Board Memo — 1-page CEO-voice strategic summary the board can read in under five minutes before signing off on the report | ~500 | ~2
Per-subscription total | ~12,000 | ~40
Total per subscriber

~86,000 words ≈ 285–290 pages of AI governance intelligence

A full business book of CISO-grade material, plus 40 pages of organization-specific artifacts, refreshed monthly so the library never goes stale.

§ 02 · The source material we synthesize

The 290 pages of finished content are built on continuous synthesis of roughly 1,000+ pages of dense primary-source material.

Every claim, every clause citation, every finding, every regulatory recommendation in a SanctumShield artifact maps to one of these primary sources, all linked in the glossary's Authoritative References table. Regulatory text is cited directly; no secondhand interpretation stands in for it.

Primary source | Approximate length
EU AI Act (Regulation 2024/1689) including Annexes | ~144 pages
HIPAA — 45 CFR Subchapter C (Privacy + Security + Breach rules) | ~200 pages
NIST AI Risk Management Framework — AI 100-1 + Generative AI Profile (AI 600-1) | ~150 pages
SOC 2 Trust Services Criteria | ~100 pages
ISO/IEC 27001 + ISO/IEC 42001 | ~100 pages
GDPR (Regulation 2016/679) | ~70 pages
DORA (Regulation 2022/2554) | ~75 pages
CrowdStrike 2026 Global Threat Report | 58 pages
OWASP LLM Top 10 + Agentic Security Initiative | ~50 pages
Colorado AI Act (SB 24-205) | ~50 pages
NIST SP 800-207 — Zero Trust Architecture | ~50 pages
MITRE ATT&CK + MITRE ATLAS | catalog-scale
Anthropic Mythos / Glasswing announcements + UK AISI evaluation | ~30 pages
CrowdStrike Five Steps for Frontier AI Security Readiness | 19 pages
NAIC AI Model Bulletin | 15 pages
CCPA / CPRA materials | ~50 pages
Total source material | 1,000+ pages

1,000+ pages of dense regulatory text, standards, and threat research, distilled into 290 pages of mid-market-clear, board-readable, regulator-defensible governance content.

§ 03 · The refresh cycle

A static governance library would be stale within 30–60 days. SanctumShield’s library is built to stay current.

New AI providers ship monthly. New SaaS features add embedded AI quarterly. New regulatory clauses land continuously. The artifact a customer downloads tomorrow reflects the AI surface and regulatory landscape as they actually are — not as they were when a Big 4 engagement closed six months ago.

Monthly · AI endpoint registry refresh

New providers (OpenRouter, Fireworks, Deep Infra, MiniMax, Moonshot, and any newcomers) added; deprecated endpoints retired. Current registry: 72 endpoints, refreshed each month.
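What a refreshed registry is used for, shown as an added example that is not SanctumShield's code or registry: it diffs two constructed registry snapshots (added, retired and re-rated endpoints) and then matches constructed proxy log lines against the current snapshot, so a stale registry visibly misses a provider that shipped this month. The hostnames, risk ratings, log lines and the apex-domain matching in lookup() are all assumptions made for the example, not the product's data or design.

```python
# Added example, not SanctumShield code. Shows what a monthly-refreshed AI endpoint
# registry is for: diff two snapshots (added / retired / re-rated endpoints) and
# match outbound proxy traffic against the current snapshot. Hostnames, risk
# ratings and log lines are constructed placeholders, not an assessment of any vendor.
from urllib.parse import urlsplit

# Two snapshots of a hypothetical registry: hostname -> (provider, risk rating).
REGISTRY_PREV = {
    "api.openai.com": ("OpenAI", "medium"),
    "api.anthropic.com": ("Anthropic", "medium"),
    "api.legacy-llm.example": ("LegacyLLM", "high"),  # fictional; retired this month
}
REGISTRY_CURRENT = {
    "api.openai.com": ("OpenAI", "medium"),
    "api.anthropic.com": ("Anthropic", "low"),        # re-rated (placeholder value)
    "openrouter.ai": ("OpenRouter", "high"),          # newly added provider
    "api.fireworks.ai": ("Fireworks", "high"),        # newly added provider
}


def diff_registry(prev: dict, current: dict) -> dict:
    """Change set between two registry snapshots, so a reviewer can see what the
    monthly refresh actually did before it reaches customer artifacts."""
    shared = set(prev) & set(current)
    return {
        "added": sorted(set(current) - set(prev)),
        "retired": sorted(set(prev) - set(current)),
        "rerated": sorted(h for h in shared if prev[h][1] != current[h][1]),
    }


def lookup(host: str, registry: dict):
    """Return the registry key covering `host`: exact match first, then each parent
    domain, so an apex entry such as openrouter.ai also covers its subdomains."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registry:
            return candidate
    return None


# Constructed proxy log lines: "<timestamp> <source ip> <method> <url> <status>".
SAMPLE_LOG = """\
2026-03-02T09:14:05Z 10.20.1.15 POST https://api.openai.com/v1/chat/completions 200
2026-03-02T09:14:09Z 10.20.1.15 POST https://openrouter.ai/api/v1/chat/completions 200
2026-03-02T09:15:22Z 10.20.3.7 GET https://www.example.com/ 200
2026-03-02T09:16:01Z 10.20.3.7 POST https://api.legacy-llm.example/v1/complete 200
2026-03-02T09:17:40Z 10.20.5.9 POST https://api.anthropic.com/v1/messages 200
"""


def match_log(log_text: str, registry: dict) -> dict:
    """Group log lines by matched registry endpoint: which AI endpoints are in use,
    at what risk rating, and from which internal hosts."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing at fields
        _ts, src_ip, _method, url, _status = parts
        key = lookup(urlsplit(url).hostname or "", registry)
        if key is None:
            continue
        provider, risk = registry[key]
        entry = findings.setdefault(key, {"provider": provider, "risk": risk,
                                          "sources": set(), "hits": 0})
        entry["sources"].add(src_ip)
        entry["hits"] += 1
    return findings


if __name__ == "__main__":
    for kind, hosts in diff_registry(REGISTRY_PREV, REGISTRY_CURRENT).items():
        print(f"{kind}: {hosts}")
    for host, f in match_log(SAMPLE_LOG, REGISTRY_CURRENT).items():
        print(f"{host}: {f['provider']} risk={f['risk']} hits={f['hits']} "
              f"from {sorted(f['sources'])}")
```

Run against the previous snapshot, the same log produces no finding for openrouter.ai at all, which is the practical cost of a stale registry: the traffic is there, the catalog simply has no entry to match it to. The diff output is what a reviewer checks before a refresh is allowed to change customer artifacts.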

Monthly · Regulatory clause tracking

New state laws, EU AI Act guidance, NAIC adoptions, Colorado AI Act amendments (SB-189 progression), HIPAA updates — all tracked and reflected in customer artifacts on the next generation.

Quarterly · Audit prompt tuning

Per-finding feedback ratings from active subscribers feed into prompt and scoring-rubric refinements every quarter. Accuracy and clarity improve with use.

Annual · Major release review

Top-level methodology and structure reviewed and re-anchored against the year’s most significant frameworks, threat reports, and regulatory developments.

Figure · Continuous diligence, today and tomorrow: monthly AI endpoint registry refresh, monthly regulatory clause tracking, quarterly audit prompt tuning, annual major release review.
§ 04 · What stays behind the curtain — and why

Customers receive the artifacts. The engine that produces them stays proprietary.

Designated as trade secrets under the Defend Trade Secrets Act of 2016 in Section 5.2 of the Terms of Use, the following are not on this page and not in any artifact:

  • The AI endpoint registry implementation details
  • The assessment prompt library and prompt-engineering structure
  • The scoring rubrics and severity-ranking logic
  • The regulatory clause-mapping logic that anchors findings and policy sections to specific clauses
  • The audit methodology and finding-type taxonomy
  • The verification record schema and tamper-evidence design

This isn’t a contradiction with the open-publishing posture. Public-facing reference content is open — because educating CISOs, IT directors, boards, brokers, and auditors on what they need to know about Shadow AI governance is the public good SanctumShield chooses to provide. The methodology that produces customized, primary-source-anchored, third-party-validatable artifacts in 10 minutes is the engine — and the engine is the product.

The cybersecurity field abandoned "security through obscurity" decades ago, and rightly: a control must not depend on its design staying secret. That principle is about the security mechanism, not the business. Nothing in an artifact depends on the engine staying secret; each finding maps to a public primary source a reader can check independently. The engineering investment that produces the artifacts is a different thing, the kind of intellectual property that trade-secret law protects and that customers benefit from us protecting.

The artifact you receive is yours; the way it’s produced stays ours.

§ 05 · What this means for the buyer

The same body of work has historically been available only through three high-cost channels.

1,000+ pages of regulatory and threat-research synthesis distilled into mid-market-clear governance documentation isn’t new. What’s new is the price.

Source | Typical cost | What you get
Big 4 advisory engagement (Deloitte, PwC, EY, KPMG) | $40,000 – $250,000 per engagement | Customized AUP + risk assessment, 4–8 month delivery, snapshot in time
Outside privacy / cybersecurity counsel | $5,000 – $25,000 per AUP | AUP only, no audit, no risk assessment
Enterprise AI security platform deployment (Wiz, Palo Alto AI Access Security, Cisco AI Defense, CrowdStrike Falcon for AI) | $50,000 – $180,000 per year | Runtime detection + operational tooling, requires platform engineering team to deploy
SanctumShield | $99 / month | Open public library plus customized artifacts — month-to-month, no commitment, no trial period
Figure · SanctumShield cost comparison: $99 per month against $5,000 – $25,000 for an outside-counsel AUP alone, $40,000 – $250,000 for a Big 4 advisory engagement covering an AUP plus risk assessment, and $50,000 – $180,000 per year for an enterprise security platform. Roughly 1/100th to 1/1,000th of what incumbents charge per engagement cycle.

The mid-market organization that wants to demonstrate Due Care and Due Diligence on Shadow AI to its regulators, underwriters, auditors, board members, and supply-chain partners now has a budget-shaped path to do so.

§ 06 · The Authoritative References — every URL hyperlinked, openly published

18+ primary sources. Every URL clickable. No email gate, no registration, no contact data shared with anyone.

The 1,000+ pages of source material distilled into the SanctumShield library aren’t referenced by name only — every primary source is hyperlinked on the glossary’s Authoritative References table. CISOs, brokers, auditors, board members, and counsel can verify any claim, citation, or finding by clicking through to the official source — without spending hours searching the web for each authority.

AI authorities & standards (8)

NIST AI RMF (AI 100-1) · NIST AI 600-1 Generative AI Profile · OWASP LLM Top 10 / Agentic Security Initiative · MITRE ATLAS · ISO/IEC 42001 · EU AI Act · Colorado AI Act (SB 24-205) · NAIC AI Model Bulletin

Plus Anthropic Claude Mythos / Project Glasswing announcements + UK AISI independent evaluation

Privacy, security & resilience regulations (6)

HIPAA · GDPR · CCPA / CPRA · SOC 2 (AICPA Trust Services Criteria) · ISO/IEC 27001 · DORA

Foundational security & threat-model frameworks (2)

NIST SP 800-207 — Zero Trust Architecture · MITRE ATT&CK — adversary tactics, techniques, and procedures matrix

Industry threat-research primary sources (2)

CrowdStrike 2026 Global Threat Report · CrowdStrike Five Steps for Frontier AI Security Readiness

The publishing posture

Most authoritative sources require registration. CrowdStrike’s excellent reports — properly cited throughout SanctumShield’s glossary — require business email, company, role, phone, country, and consent for CrowdStrike to share contact information with partners. That is a standard vendor lead-generation choice.

SanctumShield’s choice is different. No gate. No friction. No cybersecurity education used as a sales lure. The glossary, the /why-now regulatory-cliff content, and the Authoritative References table are open, refreshed monthly, and free to read, share, or cite — no email, no form, no contact data shared with anyone. The expertise that lived in Big 4 retainers, enterprise platform deployments, and outside counsel memos is at the fingertips of the businesses underserved by all three.

Why SanctumShield maintains this list

Most mid-market businesses have never had affordable access to a current, primary-source-mapped AI governance reference. The expertise lived in Big 4 advisory teams, enterprise security platform deployments, and outside counsel, at price points that excluded the buyers underserved by all three. SanctumShield publishes this list openly, refreshes it monthly alongside the endpoint registry and regulation tracking, and uses it as the authority foundation for the audit, AUP, and Board Memo every $99/month subscription produces.

Maintenance commitment

The Authoritative References table is reviewed monthly alongside the registry refresh and regulatory clause-tracking cycle. Broken or relocated authority links are corrected within 30 days of discovery. New authority documents are evaluated for inclusion when widely cited by federal agencies, ISO, MITRE, OWASP, or peer-reviewed primary sources.

§ 07 · Research foundations

The peer-reviewed research and operational standards under the methodology.

Every claim SanctumShield makes about AI governance traces to a primary source: a peer-reviewed paper, a regulatory text, a published framework, or a vendor security disclosure. The catalog below is the durable foundation. Academic research and operational standards get the same treatment: both are first-class citations.

Academic primary — human-in-the-loop failure modes
  • Randazzo, S., Joshi, A., Kellogg, K. C., Lifshitz, H., Dell’Acqua, F., & Lakhani, K. R. (July 2025).
    GenAI as a Power Persuader: How Professionals Get Persuasion Bombed When They Attempt to Validate LLMs.
    Harvard Business School Working Paper 26-021. SSRN abstract · DOI 10.2139/ssrn.5678644 · HBS D³ Institute summary (Nov 2025)
    The foundational research naming persuasion bombing — the documented failure mode underlying SanctumShield’s research-anchored AUP clauses PEV-001 through PEV-005 (see Persuasion Bombing and Adversarial Validation in the glossary).
Validated by tier-1 management press
  • Stackpole, T. (March 18, 2026).
    LLMs Are Manipulating Users with Rhetorical Tricks.
    Harvard Business Review. hbr.org →
  • Randazzo, S., Joshi, A., Kellogg, K., Lifshitz, H., & Lakhani, K. (February 3, 2026).
    Validating LLM Output? Prepare to Be ‘Persuasion Bombed.’
    MIT Sloan Management Review. sloanreview.mit.edu →

Tier-1 management press coverage turns the working paper into a finding a board will recognize, one a CISO can cite without walking the board through the underlying academic paper.

Operational standards — referenced in every artifact

The frameworks below appear by name and clause across the generated AUP, the Executive Risk Report, the Board Memo, and every verification URL surface. Each carries an authoritative primary source; the consolidated index lives in the Authoritative References table.

NIST AI Risk Management Framework (AI 100-1)
GOVERN · MAP · MEASURE · MANAGE functions, plus the AI 600-1 Generative AI Profile.
ISO/IEC 42001:2023
AI Management System certification, Clauses 6 / 8.3 / 10 (continual improvement).
EU AI Act (Reg. 2024/1689)
Article 14 (human oversight), 15 (accuracy + cybersecurity), 17 (quality management system).
Colorado SB 24-205
§ 6-1-1703 (risk management policy + program). Effective June 30, 2026; enforcement currently stayed pending rulemaking.
HIPAA Security and Privacy Rules
§ 164.308 administrative safeguards, § 164.312 technical safeguards (Security Rule), § 164.502(e) business associate (BAA) requirements (Privacy Rule).
OWASP LLM Top 10 (2025)
Prompt injection, data and model poisoning, unbounded consumption, supply-chain vulnerabilities.
MITRE ATLAS
Adversarial Threat Landscape for AI Systems — taxonomy of real-world attacks on production AI.
MLCommons AILuminate
Public-methodology AI safety benchmark suite; published inter-rater reliability.
NAIC AI Model Bulletin
Insurance regulator model governance expectations. Adopted in 20+ U.S. states as of 2026.
Why peer-reviewed primary sources matter

An AI governance vendor that does not cite peer-reviewed research is producing templates, not controls. An AI governance vendor that cites only frameworks is producing checklist mappings, not methodology. SanctumShield’s position is that the artifact a CISO signs has to trace every controlled risk to a primary source — academic when the failure mode is documented by academic research, regulatory when the obligation is statutory, operational when the standard is published by a recognized body. That is what produces an artifact a regulator verifies rather than a deliverable that survives marketing review.

The ledger · On the table

Built because the gap was real, the deadlines were firm, and existing options were either too expensive or too slow for the underserved mid-market.

EU AI Act general application on August 2, 2026. Colorado AI Act effective June 30, 2026. The 2026 cyber renewal cycle starting now. SOC 2 Type II audits with 12-month observation windows. The forcing functions are firm.

If you want to inspect any specific source, follow the Authoritative References table. If you want to see what an artifact actually looks like, /sample-outputs renders three full Acme Health artifacts in production format. If you’re an auditor, MSSP, law firm, insurance carrier, broker, or want a direct advisory engagement, /partners is the door.

This is what’s under the hood. The work is the product. The library is at your fingertips.

What's Under the Hood — 290 Pages of AI Governance Intelligence for $99/Month