An honest read on AI risk, built from evidence, not a questionnaire. A grade, the gap between claimed and proven, and the questions worth asking next.
The Plumb Grade, start to finish
Illustrative. Composite subjects, not real companies.
Insurers, banks, hospitals, large employers. You moved AI into choices that affect people, and you know principles are not proof. Find your own gap before a regulator or a reporter does.
Buyers, acquirers, investors. Every vendor ships AI now, and the newest tools carry risk no one has mapped, sometimes not even the team that built them.
Boards, risk committees, CIOs. When someone asks whether you are exposed on AI, you want a defensible answer, not a feeling. Walk in with the grade, the gap, and the questions already framed.
Plumbline reads whether a vendor can show its security or only assert it. The gap between those two is where the next incident lives.
A company, a URL, or pasted policy text. There is no questionnaire. That is the whole idea.
It gathers what is public and reads anything you provide directly: policies, security questionnaires, vendor documentation. It weighs the evidence for provenance, quality, consistency, and completeness, and separates what is shown from what is only claimed.
The Plumb Grade, the assertion gap, the top risk driver, a confidence level, and the questions worth asking next.
Export the brief as a card and bring it to a committee, a vendor conversation, or your own planning. It reads clearly to people who do not live in AI.
Every new SaaS tool, every new model API, every new integration is a new assessment trigger.
A vendor graded B in January could be D by September. An acquisition, a new model, an enforcement action. The outlook is the signal to come back.
EU AI Act enforcement is live. US state legislation is accelerating. Every new regulation is a re-assessment trigger.
So the model is simple. Start free. Pay per brief when you need one. Subscribe when you own the portfolio.
You heard about it. Try it.
You have a vendor to assess before you sign.
No subscription. Buy one when you need one.
You own the portfolio and answer for it.
Annual billing available.
The grade never changes based on what you pay. Only how much of the brief you see.
An audited control counts for more than a written policy, which counts for more than a public claim. Plumbline scores the strength of the proof, the way a credit analyst trusts a filing over a press release.
The number that matters is the distance between what a company claims and what it can show. Auditors and short sellers live in that gap. For AI risk it is the finding.
A strong grade we cannot verify is a different conversation than one we can. We never blend the two. Low confidence at any level is something worth hearing out loud.
The grade reads where the evidence stands today. The outlook reads where it is heading, and whether the proof is deepening or thinning.
Absence of evidence is evidence. We score opacity as risk. We never wave it through as neutral.
In 2008 the agencies that stamped mortgage bonds AAA were paid by the people issuing them. The conflict was built in, and it was fatal.
Plumbline runs the other way. It will never raise a grade for the company being graded. The people who pay are the people who need the truth. A leader doing diligence, an insurer, a buyer assessing risk.
That one choice is why a Plumbline read can be trusted to be uncomfortable.
I spent my career where trust has to be earned, not claimed. Capital markets, custody, the software banks run on, insurance. The job never changed. Separate what is verified from what is asserted, and price the difference. AI governance has that exact problem, and nothing built to measure it. So I built one.
We call the model from the server. No credential ever reaches your browser.
Public links only, over HTTPS, with private and metadata addresses blocked, plus timeouts and size caps.
Everything you paste is treated as untrusted content, so it cannot redirect the assessment.
We do not log what you send, and we do not store your briefs. Every read is stateless.
We hold ourselves to the bar we measure others against.
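What "public links only, over HTTPS, with private and metadata addresses blocked" can look like as a pre-fetch check. This is an added example, not Plumbline's own code. The function names, hostnames and DNS answers are constructed for illustration, and the timeouts and size caps belong to the fetch itself and are not shown.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (hypothetical hostnames).
CONSTRUCTED_DNS = {
    "vendor.example": ["8.8.8.8"],
    "mixed.example": ["8.8.8.8", "10.0.0.5"],   # one public, one private record
    "meta.example": ["169.254.169.254"],        # link-local metadata range
}

def constructed_resolver(host, port):
    return CONSTRUCTED_DNS.get(host, [])

def system_resolver(host, port):
    """Every address the name resolves to, IPv4 and IPv6."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_fetch_target(url, resolve=system_resolver):
    """Return (host, port, pinned_ip) for an allowed URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https links are fetched")
    if parts.username or parts.password or not parts.hostname:
        raise ValueError("missing host or embedded credentials")
    host, port = parts.hostname, parts.port or 443
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal: no DNS
    except ValueError:
        addresses = resolve(host, port)
    if not addresses:
        raise ValueError("host did not resolve")
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])   # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip     # unwrap ::ffff:a.b.c.d
        if not ip.is_global:   # private, loopback, link-local, reserved...
            raise ValueError(f"{host} resolves to non-public address {ip}")
    # Connect to the returned IP (not the name) so a second DNS lookup cannot
    # change the target, and repeat this check on every redirect.
    return host, port, addresses[0]

def verdict(url, resolve=constructed_resolver):
    try:
        return "allow " + check_fetch_target(url, resolve)[2]
    except ValueError as exc:
        return "block: " + str(exc)
```

A name is rejected if any one of its records is non-public, which is why the mixed-record host fails even though its first answer is a public address.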
Plumbline is in early access. It sharpens the questions worth asking. It does not replace counsel, an audit, or a regulator, and it does not pretend to.