Hard2bit delivers AI security services for organizations deploying AI models, agents and applications: technical audit against OWASP LLM Top 10 and MITRE ATLAS, EU AI Act compliance, ISO/IEC 42001 and NIST AI RMF implementation, AI-agent and MCP-server hardening, and corporate shadow-AI governance within the GDPR framework.
Spanish cybersecurity company founded in 2013, headquartered in the Community of Madrid. The security audit service is part of Hard2bit's own certified scope under ENS High category (Royal Decree 311/2022) and ISO/IEC 27001:2022, audited by an ENAC-accredited body. We combine in-house AI R&D — NormexAI and Hard2bit Scanner with AI Agent Readiness — with hands-on experience in audit, NIS2, DORA and ISO/IEC 27001.
Scope
Buyers searching for "AI security" usually already deploy models or agents and need to: measure real risk, demonstrate compliance to a regulator or customer, secure the model lifecycle and govern internal use of generative AI. This is the typical coverage.
Assessment against OWASP LLM Top 10 (2025): prompt injection, sensitive information disclosure, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, unbounded consumption. Report with evidence and a prioritized mitigation plan.
Applicability analysis of Regulation (EU) 2024/1689, classification of each AI system by risk level (unacceptable, high, limited, minimal), mandatory documentation for high-risk systems and design of an AI management system aligned with ISO/IEC 42001:2023.
Access control, authentication, authorization and observability for autonomous agents. Prevention of prompt injection and tool abuse in agentic architectures. Review of MCP servers, Agent Skills and RFC 9727/9728 policies where applicable.
Detection of uncontrolled use of public generative AI with sensitive data, design of corporate policy, deployment of authorized enterprise alternatives (Copilot, ChatGPT Enterprise, Claude for Enterprise) and monitoring of compliance within the GDPR framework.
The scope adapts to the goal: prepare EU AI Act conformity, pursue ISO/IEC 42001 certification, audit a specific model before going to production, secure an AI agent with access to internal tools, or deploy a corporate generative-AI policy with enterprise alternatives.
Why Hard2bit
Hard2bit builds NormexAI (an AI compliance platform) and Hard2bit Scanner with an AI Agent Readiness module — the first commercial scanner that measures the 11 emerging standards for 2025-2026. We don't just advise on AI: we operate it.
Practical knowledge of NIST AI RMF, ISO/IEC 42001:2023, OWASP LLM Top 10, MITRE ATLAS and EU AI Act, combined with experience in ISO 27001, ENS High, NIS2 and DORA — the frameworks AI security actually leans on in practice.
We deliver with contractual scope, traceable evidence, an externally defensible report and a remediation plan with concrete actions. Not a paperwork exercise.
Offices in Leganés and Las Rozas. ENS High accreditation and ISO/IEC 27001 certification. Projects with public administration, private healthcare, industry, financial services and B2B SaaS. Operational proximity and Spanish legal accountability.
Methodology
We identify all AI systems in use (in-house, integrated, SaaS), classify them by risk level under the EU AI Act and document purpose, data processed, model type and dependencies.
Technical audit of the model or application against OWASP LLM Top 10 and MITRE ATLAS, together with a documentary review of AI governance (policies, roles, processes, risk management).
Findings are cross-referenced with EU AI Act, ISO/IEC 42001, NIST AI RMF and, where applicable, NIS2 or DORA. Legal obligations are identified and prioritized by impact and enforceability.
Delivery of the technical report with evidence, executive summary for leadership, prioritized remediation plan and hands-on support during implementation when the client needs it.
Frameworks and methodologies
The service draws on internationally recognized frameworks and guidance from competent bodies — European (European Commission, ENISA), national (AESIA, CCN-CERT) and international (NIST, ISO, OWASP, MITRE). That methodological base is what makes the report defensible to regulators, external auditors and steering committees.
European regulation on artificial intelligence. Applied progressively from August 2024 to August 2027. Classifies AI systems by risk level and defines specific obligations for high-risk systems.
International standard for AI management systems (AI Management System). It is to artificial intelligence what ISO/IEC 27001 is to information security. Certifiable framework.
Methodological framework published by the US National Institute of Standards and Technology. Four functions: Govern, Map, Measure, Manage. Global reference for AI risk management.
List of the ten most critical vulnerabilities in applications using language models, maintained by the Open Web Application Security Project. Technical baseline for model auditing.
Counterpart to MITRE ATT&CK applied to machine-learning systems. Catalogues real-world adversarial techniques observed against AI models.
Guidance from the European Union Agency for Cybersecurity and, in Spain, from the Spanish Agency for the Supervision of Artificial Intelligence. Regulatory and best-practice reference at European and national level.
Framework selection follows the goal: EU AI Act for legal conformity in the European Union, ISO/IEC 42001 for corporate certification of the AI management system, NIST AI RMF as a shared international language, OWASP LLM Top 10 and MITRE ATLAS for the technical audit component.
Sectors
The EU AI Act and sectoral frameworks classify high-risk AI systems based on their use. These are the environments where audit and governance demand is highest.
Scoring models, fraud detection, automated KYC or AI-driven customer support. Need to combine EU AI Act with DORA's operational resilience obligations.
AI-assisted diagnosis, triage, clinical prediction and patient interaction. Special category of data under GDPR, high risk under EU AI Act and NIS2 obligations where they apply.
AI systems in public services, citizen support, subsidy controls, automated decisions. Default high risk under EU AI Act and explicit algorithmic transparency requirements.
Predictive maintenance, vision-based quality control, OT automation with AI. Intersection with NIS2 and the need to protect the supply chain of models and data.
Companies integrating LLMs into their product who must demonstrate to enterprise customers (due diligence) that AI is secured and governed.
Chatbots, shopping assistants, AI personalization. Risk of prompt injection, customer data leakage and impersonation affecting brand and compliance.
When it makes sense
Related products and services
FAQ
Yes, if it places on the market, distributes or uses AI systems within the European Union. Specific obligations depend on each system's risk classification. Application is staged through August 2027. High-risk AI systems (biometrics, HR, credit scoring, education, migration, public administration, critical infrastructure, etc.) carry the most obligations: technical documentation, conformity assessment, EU register, human oversight, robustness, cybersecurity and transparency.
A classic cybersecurity audit reviews controls, configuration and technical exposure. An AI audit adds three layers: evaluation of the model itself (bias, robustness against adversarial inputs, prompt injection, data poisoning), governance of the model lifecycle (training data, validation, production monitoring) and AI-specific regulatory compliance (EU AI Act, ISO 42001, NIST AI RMF). In real-world settings, the two are usually run together.
They are complementary, not mutually exclusive. NIS2 and DORA regulate operational resilience, incident management and the technology supply chain. The EU AI Act regulates the reliability, transparency, oversight and robustness of AI systems. A financial institution under DORA that uses AI for scoring is subject to both: to DORA because of the operational criticality and to the EU AI Act because of the model's nature.
Yes. The report documents scope, methodology (based on NIST AI RMF, OWASP LLM Top 10, ISO/IEC 42001 and EU AI Act), evidence collected, prioritized findings and mitigation plan. It is designed to integrate with the existing ISMS or AI management system and provide traceability for external audit, AESIA inspection or AEPD supervision when it intersects with GDPR.
Shadow AI is the use of public generative AI tools (ChatGPT, Gemini, Claude, Copilot and others) by employees without a corporate policy regulating which data may be shared. It is one of the fastest-growing risks since 2024: sensitive information shared with external services may end up in training data, generate GDPR non-compliance and compromise commercial secrets. Governance is built on explicit policy, awareness, authorized enterprise alternatives and technical monitoring.
AESIA is the Spanish Agency for the Supervision of Artificial Intelligence, created by Royal Decree 729/2023 and headquartered in A Coruña. It is the Spanish authority responsible for overseeing the application of the EU AI Act in Spain, alongside other sectoral authorities depending on the scope. Organizations deploying AI systems in Spain need to treat AESIA as a reference interlocutor.
Yes. The security audit service is part of Hard2bit's own certified scope under ENS High category (Royal Decree 311/2022) and ISO/IEC 27001:2022, audited by an ENAC-accredited body. This means the service we deliver to clients itself undergoes a recurring external audit against public criteria, including audits of systems with AI components.
It depends on scope. A focused audit on a single model or application can usually be delivered in 3-5 weeks. A full EU AI Act + ISO 42001 assessment across a mid-sized organization usually takes 8 to 14 weeks, including inventory, classification, technical evaluation of critical models, regulatory mapping and final reporting.
Next step
If you need to audit a model, prepare for the EU AI Act, certify ISO 42001 or roll out a corporate generative-AI policy with real technical judgment, we can review your context and propose a proportional scope.
Antes de irte…
Te damos un diagnóstico rápido de 15 min y te decimos qué priorizar primero: M365, pentesting, vulnerabilidades, SOC y/o DORA, NIS2, ENS o ISO 27001.
Sin spam. Respuesta en 24h.
