User Guide
How to use Foresight by Realis to discover, score, and remediate AI tools in your organization.
What is the Realis Score?
The Realis Score is a 0–100 risk rating for each AI tool. A higher score means the tool is safer, more valuable, and better governed. A lower score means it needs attention.
It is calculated from three weighted inputs:
| Input | Weight | How it works |
|---|---|---|
| Security Score | 40% | Set automatically from vendor compliance data (SOC 2, GDPR, ISO 27001 status). Then reduced by an engagement penalty based on how many employees are using the tool and how frequently — more exposure means more blast radius. You do not enter this manually. |
| Legal Risk | 40% | Legal counsel's assessment of the tool's contractual, liability, and compliance posture. Choose from Not Reviewed (0), Limited (30), Moderate (60), or Cleared (90). A higher score means legal has fully vetted and approved the tool for enterprise use. |
| Governance | 20% | Derived automatically from regulatory flags. If no flags are set, governance scores 100%. If any flag is set, governance scores 0% and the total score is hard-capped at 40, placing the tool in the Urgent tier. |
If any regulatory flag is set → Score = min(Score, 40)
Automated Security Scoring
When you register an asset, the system looks up the vendor URL against a built-in compliance database and sets the security score automatically. You never need to research or enter it.
| Score | Meaning | Example vendors |
|---|---|---|
| 0.85–1.0 | SOC 2 Type II, GDPR, enterprise DPA available | GitHub Copilot, Google Gemini, Databricks |
| 0.60–0.84 | Partial compliance or self-attested certifications | Anthropic, Cohere, Mistral AI |
| 0.40–0.59 | Limited public compliance information | Cursor, Codeium, Perplexity AI |
| 0.10–0.39 | No known compliance certifications | Unknown or consumer-grade tools |
The security score is then reduced by an engagement penalty of up to 30 points based on usage volume:
| Condition | Penalty | Rationale |
|---|---|---|
| 100+ unique users | −15 pts | Org-wide exposure, maximum blast radius |
| 1,000+ detection events | −15 pts | High-frequency usage increases data exposure risk |
| 20–99 users or 100–999 events | −4 to −10 pts | Moderate exposure |
| Under 5 users, under 20 events | 0 pts | Minimal exposure, no penalty applied |
Scores are automatically recalculated each time a new detection event is received, so the score reflects current usage — not just the state at registration time.
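The full computation assembled from the tables above, as an added example (not Foresight's own code). It assumes that the 0–1 compliance score is scaled to 0–100 before the penalty is subtracted, that the user and event penalties add (which is what makes 30 the maximum), that the −4 to −10 band scales linearly across the moderate range, and that the bands the table leaves unstated (5–19 users, 20–99 events) carry no penalty. Function names are assumptions too.

```python
# Added example of the Realis Score formula as documented; not Foresight's own code.
# Assumptions beyond the page are marked in the comments.

LEGAL_TIER = {"Not Reviewed": 0, "Limited": 30, "Moderate": 60, "Cleared": 90}
FLAG_CAP = 40            # any regulatory flag -> Score = min(Score, 40)
WEIGHTS = (0.4, 0.4, 0.2)  # security, legal risk, governance


def _band(value: int, lo: int, hi: int) -> int:
    """Penalty inside a moderate-exposure band, scaled linearly from -4 at the
    bottom to -10 at the top (assumption: the page only gives the range)."""
    return round(4 + 6 * (value - lo) / (hi - lo))


def engagement_penalty(unique_users: int, events: int) -> int:
    """Points subtracted from the 0-100 security score for usage volume.
    Assumption: the user and event dimensions are penalised independently and
    summed, so two -15 rows give the documented maximum of 30."""
    penalty = 0
    if unique_users >= 100:
        penalty += 15
    elif unique_users >= 20:
        penalty += _band(unique_users, 20, 99)
    # 5-19 users: no penalty (assumption; the table says 'under 5 -> 0')
    if events >= 1000:
        penalty += 15
    elif events >= 100:
        penalty += _band(events, 100, 999)
    # 20-99 events: no penalty (assumption; the table says 'under 20 -> 0')
    return min(penalty, 30)


def realis_score(security: float, legal_tier: str, unique_users: int,
                 events: int, flags: set) -> float:
    """security: 0-1 value from the compliance lookup; legal_tier: one of
    LEGAL_TIER; flags: set of regulatory flag names (empty if none)."""
    if not 0.0 <= security <= 1.0:
        raise ValueError("security score must be on the 0-1 scale")
    # Assumption: the 0-1 lookup is scaled to 0-100 before the penalty applies.
    sec = max(0.0, security * 100 - engagement_penalty(unique_users, events))
    legal = LEGAL_TIER[legal_tier]
    governance = 0 if flags else 100
    w_sec, w_legal, w_gov = WEIGHTS
    score = w_sec * sec + w_legal * legal + w_gov * governance
    if flags:
        score = min(score, FLAG_CAP)
    return round(score, 1)


if __name__ == "__main__":
    # Constructed inputs: a widely used, legally vetted tool without and with a flag.
    print(realis_score(0.85, "Moderate", 150, 2000, set()))       # 66.0
    print(realis_score(0.85, "Moderate", 150, 2000, {"HIPAA"}))   # 40.0
```

Note that a tool with a flag set cannot leave the Urgent tier through security or legal work alone; the flag must be cleared by the compliance review the page describes.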
Legal Risk Tiers
Legal Risk reflects the degree to which legal counsel has reviewed, negotiated, and approved the tool for organizational use. It is qualitative by design — a numeric slider implies false precision in what is fundamentally a legal judgment call.
| Tier | Score value | Legal counsel's assessment |
|---|---|---|
| Not Reviewed | 0 | No legal review has been conducted. The tool's contractual terms, data processing agreements, liability clauses, and IP ownership have not been evaluated. Use at organizational risk. |
| Limited | 30 | Legal has reviewed the tool but identified material gaps or unresolved issues — missing or unsigned DPA, unfavorable data retention or deletion terms, unclear IP ownership of AI outputs, or unacceptable indemnification clauses. Use is permitted only with documented exceptions and management sign-off. |
| Moderate | 60 | Legal has reviewed and approved the tool with standard contractual protections in place. A Data Processing Agreement is executed, liability terms are within acceptable thresholds, and the tool meets the organization's baseline compliance requirements. Ongoing monitoring recommended. |
| Cleared | 90 | Legal has fully vetted and approved the tool for broad organizational use. An enterprise agreement is executed, DPA is in place and current, IP ownership of outputs is clearly assigned to the organization, indemnification terms are favorable, and the tool has passed any required security or privacy review. |
Score Tiers & Actions
- High risk. Restrict access immediately, audit data exposure, and migrate to a compliant alternative within 30 days.
- Moderate risk. Negotiate a Data Processing Agreement, enforce SSO, and review quarterly.
- Low risk. Add to the official AI catalog and scale adoption across the organization.
Regulatory Flags
Setting any regulatory flag caps the Realis Score at 40 (Urgent tier) regardless of the security or Legal Risk scores. This reflects the legal requirement for mandatory human oversight and compliance review before AI is deployed in regulated contexts.
| Flag | Regulation | Set this flag when… |
|---|---|---|
| EU AI Act | EU | Tool is used for HR decisions, biometric processing, credit scoring, law enforcement, critical infrastructure, or education assessments. |
| HIPAA | US | Tool processes, stores, or has access to protected health information (PHI) — patient records, diagnoses, treatment data. |
| FERPA | US | Tool processes student education records — grades, transcripts, enrollment data, or any personally identifiable student information. |
| CPRA | California | Tool processes personal data of California residents, including sensitive personal information like health, financial, or biometric data. |
| PECR | UK | Tool involves electronic communications data of UK residents — cookies, email marketing, or location data from devices. |
How to Register an Asset
1. Click Register Asset in the top navigation bar.
2. Enter the tool name, e.g. "ChatGPT", "GitHub Copilot", "Midjourney".
3. Enter the vendor URL, e.g. https://openai.com. The system uses this to auto-set the security score from vendor compliance data and to match future Shadow AI detection events.
4. Select a category: Generative AI, Developer Tool, or Data Science Platform.
5. Select a Legal Risk tier: Not Reviewed, Limited, Moderate, or Cleared, based on legal counsel's assessment of the tool. This is the only score input you enter by hand; security is set automatically.
6. Set regulatory flags. Check any regulations that apply to how this tool is used. Any flag caps the score at 40.
7. Click Register & Score Asset. The system saves the asset, calculates the Realis Score from the automated security data, your Legal Risk tier, and any regulatory flags, and takes you to the detail page with the full remediation roadmap.
Users & Usage Logs
Each asset detail page shows two telemetry panels populated automatically from Shadow AI detection events:
- Users — a list of every unique hashed employee ID that has accessed the tool, with their first and last seen timestamps and total event count.
- Recent Usage Log — all detection events sorted newest-first, showing the timestamp, hashed user ID, and URL matched.
All user identifiers are SHA-256 hashed before storage. No names, email addresses, or other PII are recorded. The hash is one-way, but it is pseudonymization rather than anonymization: employee IDs form a small, enumerable set, so anyone holding both the event store and a candidate list of IDs (an HR export, for instance) can recover individuals by hashing each candidate and comparing. Treat the hashed IDs as pseudonyms and restrict access to these panels accordingly.
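The re-identification risk described above, as an added example that is not part of Foresight: it brute-forces an unkeyed SHA-256 pseudonym over a constructed employee-ID space ("E" followed by five digits, an assumed format) and shows the keyed HMAC variant, which stays stable per user but cannot be matched without the key. Function names, the ID format and the key are all assumptions.

```python
# Added example; not Foresight's own code. Demonstrates that an unkeyed hash of a
# low-entropy employee ID can be matched by enumeration, and a keyed alternative.
import hashlib
import hmac


def sha256_pseudonym(employee_id: str) -> str:
    """Unkeyed SHA-256, as the page describes the stored value."""
    return hashlib.sha256(employee_id.encode()).hexdigest()


def keyed_pseudonym(employee_id: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key kept outside the event store (assumed design).
    Same ID -> same pseudonym, so per-user counts still work."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()


def candidate_ids():
    # Constructed ID space (assumed format): 'E' plus five digits, 100,000 values.
    for n in range(100_000):
        yield f"E{n:05d}"


def reverse_by_enumeration(target_hex: str, hash_fn):
    """Dictionary attack: hash every plausible ID with hash_fn and compare it with
    the stored pseudonym. Returns the matching ID, or None if nothing matches."""
    for cand in candidate_ids():
        if hmac.compare_digest(hash_fn(cand), target_hex):
            return cand
    return None


if __name__ == "__main__":
    stored = sha256_pseudonym("E04217")              # what an unkeyed store holds
    print(reverse_by_enumeration(stored, sha256_pseudonym))   # E04217, recovered

    key = b"key-held-in-a-vault-not-in-the-event-store"   # constructed key
    stored_keyed = keyed_pseudonym("E04217", key)
    print(reverse_by_enumeration(stored_keyed, sha256_pseudonym))  # None
```

The keyed form only moves the trust boundary: whoever holds the key can run the same enumeration, so the key has to live with a different owner (a secrets manager the analytics role cannot read) than the event table itself.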
Shadow AI Detection
The /api/events/detect endpoint accepts browser telemetry events. When a user visits a known AI vendor URL, the system automatically creates or updates the asset record, logs the event, and recalculates the Realis Score to reflect the new usage volume.
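How an event handler behind an endpoint like /api/events/detect can do the host matching and record update, as an added example (not Foresight's implementation, whose internals this page does not show). The vendor-host registry, the event shape ({user_id, url, ts}) and the function names are constructed assumptions; the real vendor list is on the Shadow AI page.

```python
# Added example; not Foresight's own code. Matches a visited URL against a vendor
# registry, pseudonymizes the user, and updates the per-asset telemetry.
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed registry: product hostname -> asset name. Matching on product hosts
# rather than the bare vendor domain avoids counting a visit to a vendor's
# marketing site as tool usage.
VENDOR_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "gemini.google.com": "Google Gemini",
    "claude.ai": "Claude",
}


@dataclass
class UserStats:
    first_seen: str
    last_seen: str
    events: int


@dataclass
class Asset:
    name: str
    users: dict = field(default_factory=dict)       # pseudonym -> UserStats
    usage_log: list = field(default_factory=list)   # newest first


def match_vendor(url: str):
    """Asset whose host equals the URL's host or is a parent domain of it.
    'chatgpt.com.evil.example' and 'notchatgpt.com' do not match; a URL with
    no scheme or a malformed authority yields None rather than an exception."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return None
    if not host:
        return None
    for vendor_host, name in VENDOR_HOSTS.items():
        if host == vendor_host or host.endswith("." + vendor_host):
            return name
    return None


def pseudonymize(user_id: str, key: bytes) -> str:
    # Keyed hash (assumption; the page describes unkeyed SHA-256). The key stays
    # out of the event store so the table alone cannot be matched to an ID list.
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()


def ingest(event: dict, store: dict, key: bytes):
    """Handle one telemetry event {user_id, url, ts}. Creates or updates the
    asset record and returns it, or returns None if the URL is not a known vendor."""
    name = match_vendor(event["url"])
    if name is None:
        return None
    asset = store.setdefault(name, Asset(name))
    uid = pseudonymize(event["user_id"], key)
    stats = asset.users.get(uid)
    if stats is None:
        asset.users[uid] = UserStats(event["ts"], event["ts"], 1)
    else:
        stats.last_seen = event["ts"]
        stats.events += 1
    asset.usage_log.insert(0, {"ts": event["ts"], "user": uid, "url": event["url"]})
    return asset


def engagement(asset: Asset):
    """(unique users, total events): the inputs the engagement penalty is
    recomputed from after every event."""
    return len(asset.users), len(asset.usage_log)


if __name__ == "__main__":
    # Constructed events: two users, one lookalike host, one unrelated site.
    store, key = {}, b"constructed-key"
    for ev in [
        {"user_id": "E04217", "url": "https://chatgpt.com/c/abc", "ts": "2024-05-01T09:00:00Z"},
        {"user_id": "E04217", "url": "https://chat.openai.com/", "ts": "2024-05-01T09:05:00Z"},
        {"user_id": "E11902", "url": "https://chatgpt.com/", "ts": "2024-05-01T10:00:00Z"},
        {"user_id": "E11902", "url": "https://chatgpt.com.evil.example/login", "ts": "2024-05-01T10:01:00Z"},
        {"user_id": "E11902", "url": "https://docs.example.com/", "ts": "2024-05-01T10:02:00Z"},
    ]:
        ingest(ev, store, key)
    print({name: engagement(a) for name, a in store.items()})   # {'ChatGPT': (2, 3)}
```

The suffix check with a leading dot is what keeps registrable-domain lookalikes out of the count; a plain substring match on the vendor URL would count the phishing-style host above as ChatGPT usage and skew the engagement penalty.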
See the Shadow AI page for integration guides, the full vendor list, and API reference.