Why this questionnaire: SOC for AI is the top priority coming out of the June 22 strategy session. Before we design and build the discovery and governance agents, we need to understand your current monitoring landscape, existing tooling, compliance requirements, and what "good" looks like for your teams. Your answers will directly shape the agent scope and integration plan.
Estimated time: 15–20 minutes. Written answers preferred — route each section to the person closest to that domain. Follow-up session to be scheduled after responses are received.
Understanding what AI tools, agents, and models are in use across client environments today — the baseline for discovery.
Q1.1 Critical
What AI tools, copilots, LLM-based services, or autonomous agents are you currently aware of running across managed client environments? (e.g., Microsoft Copilot, GitHub Copilot, ChatGPT Enterprise, custom LLM deployments, internal automation agents)
This establishes the known baseline. The gap between "known" and "actual" is exactly what Shadow AI Discovery is designed to close.
Q1.2 Critical
How are these AI tools currently being tracked or inventoried? Is there a centralized registry, or is tracking handled per-client / per-engagement?
Determines whether we're augmenting an existing tracking system or building the first centralized view.
Q1.3 Important
What are the biggest blind spots today? Where do you suspect AI usage is happening that isn't captured by existing monitoring?
Focuses discovery scope on highest-risk gaps rather than surveying everything equally.
Q1.4 Helpful
Are there specific client verticals or engagement types where unauthorized AI usage is a particular concern? (e.g., financial services, healthcare, government)
Shapes compliance and policy requirements — different verticals have different regulatory thresholds for AI governance.
What's already deployed that we can orchestrate — no new agents on endpoints, per the June 22 discussion.
Q2.1 Critical
Which endpoint detection / monitoring platforms are deployed across managed environments? (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint, Carbon Black, SentinelOne)
These are the telemetry sources we'll orchestrate for endpoint-level AI discovery. Our approach is API-level integration — no additional agents installed on machines.
Q2.2 Critical
Which CASB / SSE / DLP platforms are in use? (e.g., Netskope, Zscaler, Microsoft Purview, Nightfall AI, Cyberhaven)
CASB/SSE provides the network-level visibility into SaaS-based AI usage (ChatGPT, Claude, Gemini, etc.) — the other half of the discovery picture alongside endpoint telemetry.
Q2.3 Critical
Which SIEM platforms aggregate your security telemetry? (e.g., Splunk, Microsoft Sentinel, Google SecOps / Chronicle, Datadog, Sumo Logic)
The SIEM is where we correlate multi-source AI activity data. Understanding which SIEM is primary determines our integration and dashboarding approach.
Q2.4 Important
Which identity provider manages access across these environments? (e.g., Microsoft Entra ID / Azure AD, Okta, Ping Identity)
Identity correlation is how we connect AI usage to specific users, roles, and departments — essential for governance and policy enforcement.
Q2.5 Important
For CrowdStrike specifically: do your managed tenants have access to the Shadow AI Discovery capabilities? (CrowdStrike reports detecting 1,800+ distinct AI applications across enterprise endpoints, including AI agents, LLM runtimes, and MCP servers)
If Shadow AI Discovery is available in existing CrowdStrike deployments, it becomes our richest endpoint data source. If not, we focus on Microsoft Defender + CASB-based discovery first.
Q2.6 Helpful
Are there any monitoring platforms currently deployed that provide AI-specific telemetry today — even partial? Given Deloitte's role as an Agent 365 launch partner, is Agent 365 already active in managed environments? (GA since May 2026 with Defender, Purview, Entra, and Intune integration.) If so, what capabilities are currently in use?
Avoids rebuilding what already exists. If a platform already reports on AI app usage, we integrate with it rather than duplicate.
Every integration must stay within the client's compliance perimeter — understanding these boundaries upfront prevents design rework.
Q3.1 Critical
Is the primary cloud environment Microsoft Azure / M365? And does Kindo agent orchestration operate within the client's Azure tenant, or does it require cross-tenant API calls?
Tenant-scoped integrations are the safest path for compliance. If orchestration stays inside the client's M365/Azure tenant (via Entra app registrations), we avoid data egress concerns entirely.
Q3.2 Critical
What compliance frameworks apply to the AI monitoring data? (e.g., SOC 2 Type II, FedRAMP, HIPAA BAA, specific DLP classification requirements)
Determines which integrations are viable and which need additional security review before activation.
Q3.3 Important
For CrowdStrike Falcon specifically: does the orchestration via Kindo stay within a single tenant's control plane, or does the Falcon cloud API involve cross-tenant data exposure?
This is an open architectural question — CrowdStrike operates a cloud-side control plane. We need to confirm that agent orchestration through Kindo genuinely stays "client-only" before building on Layer B.
Q3.4 Helpful
Are there any integrations or data flows that are explicitly off-limits from a compliance perspective — even if technically feasible?
Better to know the hard boundaries upfront than discover them after building.
What "done" looks like from your team's perspective — so we build the right thing, not just a technically complete thing.
Q4.1 Critical
For the initial proof of concept: what would you need to see to feel confident this is heading in the right direction? (e.g., "Show me an inventory of all AI tools detected across 3 client tenants" or "Demonstrate policy enforcement blocking unauthorized LLM usage")
Defines the PoC acceptance criteria in your words. We build to your definition of "this works," not ours.
Q4.2 Critical
Beyond discovery — what does governance look like for your teams? Is the goal visibility only (dashboard + alerts), or does it include active policy enforcement (block unauthorized AI, quarantine non-compliant agents)?
Scopes the difference between Layer A (discover + report) and Layer B (discover + govern + enforce). Determines the full build versus the initial scope.
Q4.3 Important
Who are the primary consumers of the SOC for AI output? (e.g., SOC analysts monitoring dashboards, compliance officers reviewing reports, service line leads managing client deployments)
Shapes the interface and output format — a SOC analyst needs real-time alerts; a compliance officer needs periodic reports; a service line lead needs an executive summary.
Q4.4 Important
What's the current pain point when an unauthorized AI tool is discovered in a client environment? Walk us through what happens today — who gets notified, what's the response process, how long does resolution take?
Understanding the current workflow lets us design the agent to compress the response cycle — this is where measurable time savings come from (e.g., "21 minutes per alert → 5 minutes").
Q4.5 Helpful
Are there specific metrics or KPIs you'd want the SOC for AI agent to track and report on over time? (e.g., number of AI tools discovered per tenant, policy violations per month, mean time to remediation)
Establishes the longitudinal tracking that proves the agent's value is improving month over month — the foundation for the business case.
Practical realities that shape what we can build, how fast, and where.
Q5.1 Important
Is there a preferred Kindo environment where we can build and test the SOC for AI agent? (e.g., a sandbox tenant, a development instance separate from the production Deloitte deployment)
We need a build environment to develop and validate the agent before any production deployment.
Q5.2 Important
Are there any scheduled platform changes, migrations, or freezes in the July–August timeframe that would affect integration work?
Avoids building against a platform that's about to change underneath us.
Q5.3 Helpful
Who should be the primary technical point of contact for integration questions as we build? (Given Adelina's current leave, who's the best person to route technical decisions through?)
Ensures we're not blocked waiting for a response that no one knows they're supposed to give.