BYOAI Governance: Managing Shadow AI in the Enterprise

73% of your employees are using unauthorized AI tools right now. Every smartphone is a data leak. The solution is not blocking AI — it is governing it.

What Is BYOAI and Why Is It an Enterprise Security Threat?

Quick Answer: BYOAI (Bring Your Own AI) is the practice of employees using personal, unauthorized AI tools — ChatGPT, Claude, Gemini, Apple Intelligence, Perplexity — for work tasks without IT knowledge or approval. It is the single largest unmanaged data exfiltration vector in enterprise security today. Unlike BYOD, BYOAI cannot be detected by MDM, cannot be contained to a device, and cannot be remotely wiped. In 2026, 73% of knowledge workers use at least one unauthorized AI tool weekly, and every employee with a smartphone running Apple Intelligence is a potential data leak. Your company spent $30/user/month on Copilot. Where is the ROI when your employees prefer ChatGPT on their phones?

Shadow AI is not a future threat — it is happening in every enterprise right now. Developers paste proprietary source code into ChatGPT for debugging. Analysts upload confidential financial models to Claude for summarization. Executives dictate sensitive strategy notes to Apple Intelligence on their iPhones. Sales reps drop customer lists into Gemini to draft outreach emails.

None of this shows up in your SIEM. None of it triggers your DLP policies. None of it appears in your compliance audits. Your security team is blind to the biggest data leakage channel in your organization.

EPC Group developed the 7-Layer BYOAI Governance Framework after seeing the same pattern across healthcare systems, financial institutions, federal agencies, and Fortune 500 enterprises: organizations that invested heavily in Microsoft Copilot governance were still hemorrhaging data through ungoverned consumer AI tools on personal devices.

The Scale of Shadow AI in 2026

73%: of employees use unauthorized AI tools weekly

10x: more dangerous than BYOD — data leaves forever

$4.5M: average cost of an AI-related data breach

90%: of shadow AI usage is invisible to IT

The scale of shadow AI dwarfs anything enterprises experienced with shadow IT or BYOD. When Dropbox emerged as shadow IT in 2012, CIOs had years to respond. When BYOD became a security concern in 2014, MDM vendors provided solutions within months. Shadow AI is different — it arrived at consumer scale before any governance tooling existed, and it proliferates through devices and networks that IT fundamentally cannot control.

Consider the math: a 10,000-employee organization has approximately 8,000 knowledge workers. At 73% unauthorized AI usage, that is 5,840 employees regularly sending corporate data to external AI platforms. If each employee makes 5 AI queries per day containing work information, that is 29,200 uncontrolled data transmissions daily — over 10 million per year. Not one of them shows up in your security dashboard.

Your company spent $30/user/month on Microsoft Copilot licenses. That is $2.88 million annually for a 10,000-person organization. But Copilot adoption plateaus at 40-60% in most enterprises because employees already have AI tools they prefer — free, familiar, and completely outside your governance perimeter. The ROI problem is not Copilot. The ROI problem is that you are paying for governed AI while your employees use ungoverned AI.

BYOAI vs. BYOD: Why It Is 10x Worse

Dimension | BYOD (Bring Your Own Device) | BYOAI (Bring Your Own AI)
Data Location | Data stays on the device — can be remotely wiped | Data sent to external AI model — cannot be retrieved or wiped
Detection | MDM detects device enrollment and compliance | No MDM can detect ChatGPT usage in a phone browser
Blast Radius | One device compromised at a time | Data enters training corpus — exposed to all model users
Network Visibility | Devices connect to corporate WiFi — visible | Personal phone on cellular — completely invisible
Policy Maturity | 15 years of MDM, MAM, and BYOD policies | Less than 2 years of enterprise AI governance
User Intent | Users accept MDM enrollment for email access | Users actively hide AI usage fearing it will be banned
Remediation | Remote wipe, selective wipe, compliance enforcement | No remediation — once data enters an AI model, it is gone
Regulatory Impact | Well-understood compliance frameworks | Emerging regulations, unclear liability, untested enforcement

The fundamental difference is irreversibility. When an employee loses a BYOD laptop, you remote-wipe it. When an employee pastes your quarterly earnings into ChatGPT before the public release, that data is permanently in OpenAI's systems. There is no remote wipe for an AI model. There is no "undo" for data that has entered a training pipeline. BYOAI is not a device management problem. It is a data exfiltration problem masquerading as a productivity tool.

The Data Leakage Attack Surface

Every consumer AI tool your employees touch is an uncontrolled data exfiltration endpoint. Here is the attack surface your security team is not monitoring.

ChatGPT (OpenAI)

Critical Risk | 180M+ weekly active users

Attack Vector: Browser, mobile app, API. Employees paste code, documents, emails. Free tier uses data for training. Even Plus tier data accessible to OpenAI staff.

Data Retention: 30 days minimum, training opt-out not default

Claude (Anthropic)

High Risk | 20M+ users

Attack Vector: Browser, mobile app. Popular with developers and analysts for longer document analysis. Employees upload PDFs, spreadsheets, legal documents.

Data Retention: Conversation data retained for safety, not training by default

Gemini (Google)

Critical Risk | Integrated into Google Workspace

Attack Vector: Deep Google integration means employees with personal Google accounts get AI features that process forwarded work emails and documents.

Data Retention: Google data policies, integrated with Google account data

Apple Intelligence

Critical Risk | All iPhone 16 / iOS 18.1+ users

Attack Vector: OS-level integration reads emails, messages, notifications from work apps. Private Cloud Compute for complex queries. Siri + ChatGPT integration.

Data Retention: On-device + Private Cloud Compute, Apple retains no data (claimed)

Perplexity AI

High Risk | 100M+ monthly users

Attack Vector: Research tool employees use for competitive analysis, market research, technical documentation. Queries reveal strategic intent and interests.

Data Retention: Queries retained, used for service improvement

AI Browser Extensions

High Risk | Millions of installs

Attack Vector: Extensions like Monica, Merlin, MaxAI read all webpage content including internal portals, intranets, and SaaS applications.

Data Retention: Varies by extension, often opaque privacy policies

The iPhone 16 Problem

iPhone 16 with Apple Intelligence is the single biggest BYOAI security threat in 2026. It is on by default. It reads work emails, Teams messages, and SharePoint notifications. It summarizes them using on-device AI and sends complex queries to Apple's Private Cloud Compute. Siri now integrates with ChatGPT for queries it cannot handle locally. Every employee who receives work email on a personal iPhone 16 has AI processing corporate data outside your governance perimeter — and you cannot disable it with MDM on an unmanaged personal device. This is not a theoretical risk. It is happening on every iPhone 16 in your organization right now.

Microsoft's BYOAI Control Stack

Microsoft provides the building blocks for BYOAI governance — but assembly is required. Here is how Intune, Purview, Defender, and Conditional Access work together to combat shadow AI.

Microsoft Intune (MAM + MDM)

  • App protection policies preventing copy-paste from managed apps to AI tools
  • Web content filtering blocking AI domains on managed devices
  • App configuration policies for managed browser AI restrictions
  • Compliance policies requiring device enrollment for M365 access

Microsoft Purview

  • Sensitivity labels auto-applied to confidential, restricted, and regulated data
  • DLP policies detecting sensitive content upload to AI endpoints
  • Information barriers preventing cross-department data sharing via AI
  • Adaptive protection adjusting controls based on user risk level

Microsoft Defender

  • Defender for Cloud Apps: shadow IT discovery for AI SaaS usage
  • Defender for Endpoint: detect AI application installations and browser extensions
  • Defender XDR: correlate AI tool usage with data access patterns
  • Insider Risk Management: AI-related data exfiltration signals

Entra ID Conditional Access

  • Require managed, compliant device for all AI tool access
  • Block consumer AI domains from corporate identity sessions
  • Require MFA + compliant device for Copilot access
  • Risk-based policies escalating controls for high-risk AI access

These tools provide significant coverage for managed devices on corporate networks. The gap — and it is significant — is personal devices on cellular networks. No Microsoft tool can prevent an employee from opening Safari on their personal iPhone and pasting company data into ChatGPT over LTE. This is why governance must combine technical controls with policy, training, monitoring, and most importantly, providing a governed alternative (Copilot) that employees actually want to use. Read more about Microsoft Purview AI governance and how it forms the data protection backbone of BYOAI governance.

EPC Group's 7-Layer BYOAI Governance Framework

A comprehensive, layered defense against shadow AI — from policy to technology to culture. Each layer reinforces the others. No single layer is sufficient alone.

Layer 1: Policy & Acceptable Use

Formal BYOAI policy defining approved vs. prohibited AI tools per data classification level. Clear consequences for violations. Annual employee attestation.

Key Tools: Policy templates, employee training, acceptable use agreements

Layer 2: Identity & Conditional Access

Entra ID Conditional Access policies requiring managed, compliant devices for AI tool access. Block consumer AI domains from corporate identity sessions.

Key Tools: Microsoft Entra ID, Conditional Access, device compliance policies

Layer 3: Data Protection & DLP

Microsoft Purview sensitivity labels on all sensitive content. DLP policies preventing upload of labeled content to unauthorized AI endpoints. Encryption enforcement.

Key Tools: Microsoft Purview, sensitivity labels, DLP policies, Azure Information Protection

Layer 4: Endpoint Security

Defender for Endpoint detecting AI application installations. Intune MAM policies for managed apps. Browser extension controls blocking AI copilot extensions.

Key Tools: Microsoft Defender for Endpoint, Intune MAM/MDM, browser management

Layer 5: Network Controls

DNS-layer filtering of 200+ AI tool domains on corporate networks. Web proxy categorization for AI services. CASB inline controls for sanctioned vs. unsanctioned AI.

Key Tools: Defender for Cloud Apps, DNS filtering, web proxy, network segmentation

Layer 6: Monitoring & Detection

Real-time shadow AI usage dashboards. Insider Risk Management signals for AI data exfiltration. Sentinel analytics rules for anomalous AI tool access patterns.

Key Tools: Microsoft Sentinel, Insider Risk Management, Defender for Cloud Apps

Layer 7: Approved AI Enablement

Deploy Microsoft Copilot as the governed, sanctioned AI platform. Provide approved alternatives for every shadow AI use case. Make governance invisible to users.

Key Tools: Microsoft Copilot for M365, Copilot Studio, Azure OpenAI Service

BYOAI Policy Templates

EPC Group delivers production-ready policy documents as part of every BYOAI governance engagement. These templates are customized for your industry, regulatory requirements, and organizational structure.

BYOAI Acceptable Use Policy

Defines approved and prohibited AI tools by data classification. Includes consequences for violations and annual attestation requirements.

AI Data Classification Guide

Maps sensitivity labels to AI usage permissions. Public data: any AI. Internal: Copilot only. Confidential: no AI. Restricted: no AI, monitoring enforced.

Shadow AI Incident Response

Procedures for responding to confirmed unauthorized AI data exposure. Notification requirements, containment steps, regulatory reporting triggers.

AI Vendor Risk Assessment

Standardized questionnaire for evaluating new AI tools. Data handling, retention, training policies, SOC 2 status, sub-processor disclosures.

Copilot Governance Standards

Technical standards for Microsoft Copilot deployment including DLP, sensitivity labels, access controls, monitoring, and approved use cases by department.

Executive AI Briefing Template

Board-ready quarterly report on shadow AI risk posture, Copilot adoption, policy violations, and recommended actions. Designed for CISO/CIO presentation.

Monitoring & Detection: Finding Shadow AI

Effective BYOAI governance requires continuous monitoring across multiple detection vectors. EPC Group implements a layered detection strategy that identifies shadow AI usage even when traditional security tools are blind.

Network DNS Analysis

Monitor DNS queries for 200+ known AI tool domains (ai.com, chat.openai.com, claude.ai, gemini.google.com, copilot.microsoft.com, perplexity.ai). Identify volume, frequency, and department-level usage patterns.

Coverage: Corporate network traffic only

Defender for Cloud Apps Shadow IT Discovery

Automated discovery of AI SaaS applications through firewall and proxy log analysis. Risk scoring for each discovered AI tool. User-level attribution and usage volume.

Coverage: Managed devices with Defender agent

DLP Pattern Detection

Trigger alerts when content matching sensitive data patterns (SSN, credit card, PHI, source code signatures) is detected in outbound web traffic to AI endpoints.

Coverage: Managed endpoints with Purview DLP

Insider Risk Management Signals

Behavioral analytics detecting patterns consistent with AI data exfiltration: large copy operations, unusual paste-to-browser activity, bulk document access before AI tool usage.

Coverage: M365 ecosystem activity

Sentinel Custom Analytics

Custom KQL detection rules correlating AI tool access with sensitive data access. Automated alert escalation for high-severity shadow AI incidents.

Coverage: All integrated log sources
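The DNS watchlist matching and the access-correlation logic described in this section, as an added example (not EPC Group's code or tooling): it matches DNS query names against the AI domains named on this page (suffix match, so subdomains, mixed case and trailing-dot FQDNs all count), separates sanctioned Copilot lookups from unsanctioned ones, rolls unsanctioned hits up by department, and raises an alert when an unsanctioned lookup follows a sensitive-content access by the same user within a short window, the kind of correlation the Sentinel layer is meant to run. The log lines, user-to-department map and the choice of Copilot as the sanctioned tool are constructed assumptions.

```python
"""Shadow AI detection over DNS logs (added example with constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist of AI service domains (from the page), matched as suffixes so
# any subdomain (e.g. chat.openai.com) counts. Tool labels are ours.
AI_WATCHLIST = {
    "openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "perplexity.ai": "Perplexity",
    "copilot.microsoft.com": "Copilot",
}
# Assumption for this example: Copilot is the governed, sanctioned tool.
SANCTIONED = {"Copilot"}

# Constructed user -> department map (hypothetical users).
USER_DEPT = {"alice": "Finance", "bob": "Engineering", "carol": "Sales"}

# Constructed DNS resolver log: "<ISO-8601 UTC> <user> <query name>".
# Includes a trailing-dot FQDN, mixed case and a look-alike domain.
DNS_LOG = """\
2026-03-02T09:01:10Z alice chat.openai.com.
2026-03-02T09:02:44Z alice cdn.openai.com
2026-03-02T09:05:00Z bob CLAUDE.AI
2026-03-02T09:06:30Z carol copilot.microsoft.com
2026-03-02T09:07:12Z carol gemini.google.com
2026-03-02T09:10:00Z bob example.org
2026-03-02T09:11:45Z alice notopenai.com
"""

# Constructed sensitive-content access log: "<ISO-8601 UTC> <user> <label>".
SENSITIVE_LOG = """\
2026-03-02T08:58:00Z alice Confidential
2026-03-02T09:30:00Z bob Confidential
"""


def match_ai_tool(qname):
    """Return the tool name if qname is a watchlisted domain or one of its
    subdomains, else None. Normalises case and a trailing root dot."""
    q = qname.rstrip(".").lower()
    for suffix, tool in AI_WATCHLIST.items():
        if q == suffix or q.endswith("." + suffix):
            return tool
    return None


def parse_log(text):
    """Parse '<timestamp> <user> <value>' lines into (datetime, user, value)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, value = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, value))
    return events


def detect_ai_dns(dns_text):
    """Every DNS lookup that hits the watchlist, tagged sanctioned or not."""
    hits = []
    for ts, user, qname in parse_log(dns_text):
        tool = match_ai_tool(qname)
        if tool is not None:
            hits.append({"ts": ts, "user": user, "tool": tool,
                         "sanctioned": tool in SANCTIONED})
    return hits


def summarize_by_department(hits):
    """Count unsanctioned lookups per department and tool."""
    summary = defaultdict(lambda: defaultdict(int))
    for h in hits:
        if not h["sanctioned"]:
            summary[USER_DEPT.get(h["user"], "Unknown")][h["tool"]] += 1
    return {dept: dict(tools) for dept, tools in summary.items()}


def correlate_with_sensitive_access(hits, sensitive_text, window_minutes=15):
    """Alert when a user makes an unsanctioned AI lookup within
    window_minutes after accessing labelled sensitive content."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for h in hits:
        if h["sanctioned"]:
            continue
        for ts, user, label in parse_log(sensitive_text):
            delta = h["ts"] - ts
            if user == h["user"] and timedelta(0) <= delta <= window:
                alerts.append({"user": user, "tool": h["tool"], "label": label,
                               "minutes_after_access": int(delta.total_seconds() // 60)})
    return alerts
```

Running `detect_ai_dns(DNS_LOG)` and feeding the hits to the two reporting functions gives the department roll-up and the two alerts for the Finance user whose ChatGPT lookups followed a Confidential access.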

Integration with Your Copilot Strategy

BYOAI governance and Copilot governance are two sides of the same coin. The most effective BYOAI governance strategy is not blocking consumer AI — it is making Microsoft Copilot so good that employees prefer it.

The Push-Pull Strategy

Push: BYOAI Governance

  • Policies prohibiting unauthorized AI for sensitive data
  • DLP blocking data upload to consumer AI platforms
  • Monitoring and alerting on shadow AI usage
  • Training on data handling risks with consumer AI

Pull: Copilot Enablement

  • Deploy Copilot with full data governance controls
  • Custom Copilot agents for department-specific workflows
  • Copilot Studio for approved business process AI
  • Azure OpenAI for developer AI with enterprise controls

When employees have a governed AI tool that works inside Word, Excel, PowerPoint, Teams, and Outlook — the tools they already use — shadow AI usage drops dramatically. EPC Group clients implementing the Push-Pull strategy see 60-80% reduction in shadow AI incidents within 90 days. The key insight: employees do not use ChatGPT because they prefer it. They use it because it was available first. Give them Copilot with proper governance, training, and use-case enablement, and they will switch. Learn more about our AI governance framework implementation.

90-Day BYOAI Governance Implementation Roadmap

Phase 1: Discovery & Quick Wins

Days 1-30
  • Shadow AI Risk Assessment — discover current AI tool usage across the organization
  • Emergency DLP policies for top 10 AI domains (ChatGPT, Claude, Gemini, Perplexity)
  • Executive briefing on current data exposure and quantified risk
  • Interim BYOAI acceptable use policy published to all employees
  • Defender for Cloud Apps shadow IT discovery enabled for AI applications
  • Inventory of all personal devices receiving corporate email (iPhone 16 exposure assessment)

Phase 2: Foundation

Days 31-60
  • Formal BYOAI policy rollout with employee training and attestation
  • Conditional Access policies deployed — managed devices required for AI access
  • Purview sensitivity labels configured and auto-labeling policies activated
  • Intune MAM policies preventing copy-paste from managed apps to AI tools
  • Microsoft Copilot pilot launched for 2-3 highest-risk departments
  • Sentinel analytics rules deployed for shadow AI detection

Phase 3: Optimization

Days 61-90
  • Full Microsoft Copilot deployment as the governed AI alternative
  • Custom Copilot agents built for top 5 shadow AI use cases in the organization
  • Comprehensive Sentinel analytics and automated alerting operational
  • User training and AI literacy program launched organization-wide
  • BYOAI compliance dashboard delivered to CISO and compliance officers
  • First quarterly BYOAI compliance report with metrics and recommendations

Get a Chief AI Officer Without the $500K Salary

BYOAI governance is not a one-time project — it is an ongoing program that requires executive-level AI leadership. New AI tools launch weekly. Regulations evolve quarterly. Employee behavior shifts constantly. Your organization needs a Chief AI Officer, but a full-time CAIO costs $350,000-$500,000+ in total compensation.

EPC Group vCAIO (Virtual Chief AI Officer) Service

  • BYOAI policy creation and ongoing governance
  • AI strategy development and board reporting
  • Copilot governance and adoption leadership
  • New AI tool risk assessment and approval
  • Regulatory compliance monitoring (HIPAA, SOC 2, GDPR)
  • Quarterly BYOAI compliance reports for the board
  • Shadow AI monitoring dashboard management
  • Executive education on AI trends and threats

vCAIO Service: $10,000-$25,000/month vs. $500K+/year for a full-time CAIO

EPC Group's vCAIO brings 25+ years of enterprise Microsoft ecosystem expertise, deep zero-trust security architecture knowledge, and practical experience governing AI across healthcare, financial services, government, and Fortune 500 enterprises. Your vCAIO works directly with your CISO, CIO, and executive team — not as an outside consultant, but as an embedded member of your leadership team.

Frequently Asked Questions

What is BYOAI and why is it an enterprise security threat?

BYOAI (Bring Your Own AI) is the practice of employees using personal AI tools — ChatGPT, Claude, Gemini, Apple Intelligence, Perplexity — for work tasks without IT approval. It is an enterprise security threat because corporate data entered into these tools becomes training data for external AI models, bypasses DLP controls, evades audit trails, and creates compliance violations. Unlike BYOD, BYOAI cannot be detected by MDM software, operates on personal devices over cellular networks, and employees actively hide usage because they believe AI makes them more productive. In 2026, 73% of knowledge workers use at least one unauthorized AI tool weekly.

How is BYOAI different from BYOD (Bring Your Own Device)?

BYOAI is 10x more dangerous than BYOD because: 1) BYOD moves data to a device you can wipe — BYOAI sends data to an AI model you cannot control. 2) MDM can manage BYOD devices — no MDM can prevent someone from opening ChatGPT in a phone browser. 3) BYOD data stays on the device — BYOAI data becomes part of a model training corpus. 4) BYOD risks are contained to one device — BYOAI leaks data to every user of that AI model. 5) You can see BYOD on your network — BYOAI over cellular is completely invisible. 6) BYOD has 15 years of policy maturity — BYOAI policies barely exist. The fundamental difference: BYOD is a device management problem. BYOAI is a data exfiltration problem.

What data are employees leaking through shadow AI tools?

Common data leaked through BYOAI includes: source code (developers paste code into ChatGPT for debugging), financial reports (analysts use AI to summarize quarterly results before earnings), customer PII (sales reps paste CRM data for email drafting), strategic documents (executives upload board presentations for summarization), legal contracts (attorneys use AI for contract review), patient records (healthcare workers paste clinical notes), and HR data (managers use AI to write performance reviews with employee details). Samsung banned ChatGPT after engineers leaked semiconductor source code. Every industry has equivalent exposure — most companies simply do not know it is happening.

Why is iPhone 16 with Apple Intelligence a security threat?

iPhone 16 with Apple Intelligence is the biggest BYOAI security threat because: 1) Apple Intelligence is on by default — no opt-in required. 2) It integrates at the OS level — reading emails, messages, documents, and notifications. 3) Private Cloud Compute sends prompts to Apple servers for complex queries. 4) Employees who receive work email on personal iPhones now have AI processing that corporate data. 5) Apple Intelligence summarizes notifications including Teams messages, Outlook emails, and SharePoint alerts. 6) It cannot be disabled by MDM on personal devices. 7) Siri with ChatGPT integration sends queries to OpenAI servers. For enterprises with BYOD email policies, every iPhone 16 is an uncontrolled AI processing endpoint for corporate data.

How does EPC Group detect shadow AI usage in an organization?

EPC Group detects shadow AI through 5 methods: 1) Network DNS analysis — identify traffic to ai.com, chat.openai.com, claude.ai, gemini.google.com, and 200+ AI tool domains. 2) Microsoft Defender for Cloud Apps — shadow IT discovery for AI SaaS applications including usage volume and user counts. 3) Browser extension telemetry — detect AI browser extensions and copy-paste patterns to AI sites. 4) Data Loss Prevention alerts — trigger when sensitive content patterns are detected in web uploads to known AI endpoints. 5) Endpoint behavioral analysis — identify patterns consistent with AI tool usage (large text paste operations, screenshot-to-AI workflows). Cellular/personal device usage requires indirect detection through data absence patterns and user surveys.

What is EPC Group's 7-Layer BYOAI Governance Framework?

The 7 layers are: 1) Policy & Acceptable Use — formal BYOAI policy defining approved vs. prohibited AI tools and data classifications. 2) Identity & Access — Conditional Access policies requiring managed devices for AI tool access, blocking consumer AI from corporate networks. 3) Data Protection — Microsoft Purview sensitivity labels, DLP policies preventing data upload to unauthorized AI endpoints. 4) Endpoint Security — Defender for Endpoint detecting AI tool installations, browser extension controls. 5) Network Controls — DNS filtering, web content filtering for AI domains, CASB integration. 6) Monitoring & Detection — Real-time alerting on shadow AI usage patterns, compliance dashboards, insider risk signals. 7) Approved AI Enablement — Microsoft Copilot deployment with governance, approved AI tool catalog, sanctioned alternatives for every shadow AI use case.

How much does a BYOAI governance implementation cost?

EPC Group's BYOAI governance pricing: Shadow AI Risk Assessment ($15,000-$25,000, 2-3 weeks) — discover current shadow AI usage, quantify data exposure, and identify highest-risk departments. BYOAI Governance Framework — Standard ($50,000-$75,000, 6-8 weeks) — full 7-layer implementation for organizations with existing Microsoft 365 E5. BYOAI Governance Framework — Enterprise ($100,000-$175,000, 10-14 weeks) — multi-platform implementation including Intune MAM, Purview DLP, Defender CASB, Sentinel analytics, and Copilot deployment as the governed alternative. Ongoing BYOAI Managed Service ($5,000-$15,000/month) — continuous monitoring, policy updates, new AI tool assessment, quarterly compliance reporting. vCAIO retainer (virtual Chief AI Officer) — $10,000-$25,000/month for strategic AI governance leadership.

Can you block employees from using ChatGPT and other AI tools?

You can partially block AI tools on managed devices and corporate networks, but complete blocking is impossible and counterproductive. On managed devices: Intune app protection policies can block AI app installations, web content filtering can block AI domains, DLP can prevent copy-paste to browser-based AI. On corporate networks: DNS filtering and proxy rules can block AI domains. However: employees will use personal phones on cellular networks, VPN workarounds exist, and new AI tools appear daily. The right strategy is not blocking — it is governing. Provide Microsoft Copilot as the sanctioned AI tool with full governance, make it better than the alternatives, and implement monitoring to detect residual shadow AI usage. Block where you can, govern what you cannot block.

How does BYOAI governance integrate with Microsoft Copilot strategy?

BYOAI governance and Copilot strategy are two sides of the same coin. The Copilot deployment becomes the "pull" factor — giving employees a governed AI tool that is better than consumer alternatives. BYOAI governance is the "push" factor — policies, controls, and monitoring that discourage unauthorized AI usage. Integration points: 1) Copilot usage analytics show which departments actively use Copilot vs. likely still using shadow AI. 2) Purview DLP policies protect data in both Copilot and shadow AI scenarios. 3) Conditional Access policies can require Copilot usage from managed devices while blocking consumer AI. 4) Copilot adoption metrics directly correlate with reduced shadow AI risk. 5) The BYOAI acceptable use policy references Copilot as the approved alternative for every common AI use case.

What is a virtual Chief AI Officer (vCAIO) and why do enterprises need one?

A virtual Chief AI Officer (vCAIO) is an EPC Group senior AI consultant who serves as your organization's fractional Chief AI Officer. The vCAIO provides: AI strategy development and board-level reporting, BYOAI policy creation and enforcement oversight, AI vendor evaluation and approved tool catalog management, Copilot governance and adoption leadership, regulatory compliance monitoring for AI-related requirements, AI risk assessment for new tools and use cases, and executive education on AI trends and threats. A full-time Chief AI Officer costs $350,000-$500,000+ in salary alone. EPC Group's vCAIO service delivers the same strategic leadership at $10,000-$25,000/month — a fraction of the cost with deeper technical expertise across Microsoft, compliance, and security.

What compliance regulations require BYOAI governance?

Multiple regulations now explicitly or implicitly require AI governance: HIPAA — PHI entered into unauthorized AI tools is a reportable breach. SOC 2 — shadow AI violates access control and data protection trust service criteria. GDPR — personal data processed by AI tools without DPIA or lawful basis violates Articles 5, 6, and 35. SEC/FINRA — AI-generated financial communications must be supervised and archived. NIST AI RMF — federal agencies must manage AI risks including unauthorized AI usage. EU AI Act (2026 enforcement) — organizations must inventory and govern all AI systems including employee-introduced tools. CCPA/CPRA — consumer data processed by unauthorized AI tools lacks required contractual protections. State AI Laws — Colorado, Illinois, and other states have enacted AI transparency and governance requirements.

How long does it take to implement a BYOAI governance framework?

EPC Group's 90-day implementation roadmap: Days 1-30 (Discovery & Quick Wins): Shadow AI risk assessment, emergency DLP policies for top 10 AI domains, executive briefing on current exposure, interim acceptable use policy. Days 31-60 (Foundation): Formal BYOAI policy rollout, Conditional Access policies deployed, Purview sensitivity labels configured, Defender for Cloud Apps shadow IT discovery enabled, Copilot pilot launched for high-risk departments. Days 61-90 (Optimization): Full Copilot deployment as governed alternative, Sentinel analytics and automated alerting, user training and awareness program, compliance dashboard delivery, first quarterly BYOAI compliance report. Ongoing: Monthly policy reviews, new AI tool assessments, Copilot adoption tracking, quarterly board reporting via vCAIO service.

Stop Shadow AI Before It Becomes Your Next Data Breach

Start with a Shadow AI Risk Assessment ($15,000-$25,000). We will discover exactly what AI tools your employees are using, quantify your data exposure, and deliver a 90-day BYOAI governance roadmap tailored to your industry and compliance requirements.

Get BYOAI Governance Assessment (888) 381-9725