Private AI services
The AI opportunity is not a generic chatbot subscription. It is a privacy operations business that helps people and small organizations use AI without making every prompt, document, and workflow a permanent vendor dossier.
Start with advice, setup, and policy that customers will pay for now. Build proprietary routing and verification only after the service work proves which tasks and risks recur. Private AI venture validation gives the commercial gates. EDPB LLM privacy risks supplies a reusable evidence base for the assessment and governance work.
Private AI readiness assessment
Customer: law practices, therapists, support organizations, small newsrooms, research teams, and professional firms that already use unmanaged AI tools.
Job: learn what confidential data currently reaches AI, which uses can move local, and what needs a better workflow.
Offer: a fixed-scope AI inventory; data-flow and vendor map; task classification; GDPR and AI Act issue list; approved-use policy; staff workshop; and a ninety-day local or confidential-AI plan.
Implementation: do not collect raw prompts in the assessment. Use representative, customer-sanitized examples and customer-held evidence. Map shadow AI, browser extensions, document connectors, feedback buttons, and tool permissions as well as the named chatbot.
Revenue: fixed assessment, followed by an optional quarterly PrivacyOps retainer.
Test: sell three paid assessments to one high-trust vertical. Measure discovered data flows, approved local tasks, and conversion to a concrete deployment.
Failure mode: selling a policy PDF that nobody follows. The deliverable must include a usable task matrix, configured defaults, training, and an owner for each control.
Local Privacy Workbench
Customer: individual professionals, small legal or research teams, journalists, and developers who need everyday AI without routine cloud disclosure.
Job: draft, summarize, translate, extract, and search private documents locally.
Offer: a supported workstation or customer-owned appliance with local models, encrypted history, local retrieval, task-specific benchmark results, update policy, recovery plan, and a short training session.
Implementation: use proven local runtimes, signed model manifests, loopback-only APIs, local embeddings, and an egress indicator. The venture retains no hidden administrator account, customer model prompts, or document corpus.
Revenue: setup fee, approved hardware margin where lawful, annual maintenance and model-update review, and employer-funded packages.
Test: ten paid installations across Swedish and English tasks with a documented hardware and quality matrix.
Failure mode: promising frontier-model performance on underpowered hardware. Benchmark the actual customer tasks and present local limitations before sale. See Local AI.
Local document vault and RAG
Customer: organizations with sensitive internal documents that want question answering, search, and drafting assistance.
Job: make a controlled document corpus useful without uploading the entire archive to a model vendor.
Offer: local ingestion, role-scoped document collections, local embeddings and retrieval, source citations, retention, export, and recovery plan.
Implementation: keep documents, chunks, and embeddings local by default. If a remote model is selected, send only the approved, minimum document excerpt through the selected route. Make the remote route, model, and data class visible before release.
Revenue: deployment project plus maintenance, access-review, and recovery-test service.
Test: one small document corpus with test questions, hallucination checks, access-control checks, and an export exercise.
Failure mode: assuming embeddings are anonymous or giving an AI agent broad access to every file. Embeddings, logs, and connector tokens are sensitive assets.
Privacy AI control plane
Customer: small organizations that cannot ban cloud AI but must make its use understandable and controlled.
Job: route each task to the least-trusting usable model and prevent silent data leakage through tools or fallback.
Offer: a native client or gateway with local task classification, secret and PII detection, placeholder substitution, provider policy, approved model registry, route indicator, and local privacy receipts.
Implementation: the sensitive policy sidecar runs locally. It defaults to local inference. Remote paths are explicitly labeled: attested confidential, contractual private, or external frontier. The original placeholder map never leaves the device.
Revenue: per-seat software, organization configuration, and recurring policy and vendor review.
Test: start as a manual, configuration-led service before building a cross-platform product. Prove that users understand and accept the route choice without creating alert fatigue.
Failure mode: claiming the redactor makes data anonymous. It reduces obvious identifiers; it cannot remove every proprietary, contextual, or re-identification risk. Private AI routing defines the boundary.
Attested Cloud Boost
Customer: organizations with tasks that local models cannot handle well enough but cannot accept ordinary cloud AI for raw content.
Job: use a stronger model with an execution boundary that is technically verifiable.
Offer: one region, one narrow open-weight model, one confidential-inference provider or partner, client verification, per-request consent, and a local receipt showing release and attestation status.
Implementation: verify fresh hardware and software evidence in the customer’s client. Encrypt each request directly to an ephemeral workload public key that the fresh attestation quote binds to the approved release. Keep tool egress off by default, and fail closed if verification fails.
Revenue: high-value pilot, usage charge, and annual assurance or independent-review package.
Test: one small high-trust team and one well-defined task, such as confidential summarization or a controlled document-review workflow.
Failure mode: treating a TEE as a magic shield. Publish residual risks: endpoint compromise, hardware flaws, metadata, external tools, and attestation-policy error. See Confidential AI computing.
AI procurement and assurance
Customer: a buyer deciding among Lumo, Leo, Mistral, local models, TEE providers, and conventional frontier APIs.
Job: turn privacy marketing into a comparable technical and contractual decision.
Offer: provider matrix, prompt and history retention review, training-use setting review, model-substitution and version policy, data-residency review, tool and connector review, AI Act and GDPR documentation, and exit/migration plan.
Implementation: create a factual evidence ledger: what is guaranteed by a client, contract, published documentation, attestation, or only a marketing statement. Recheck the ledger at renewal and whenever a provider changes models or policies.
Revenue: procurement project, subscription assurance review, and board-ready annual report.
Failure mode: merely repeating vendor promises. The deliverable must identify the live plaintext boundary, not only the encrypted storage boundary.
Safe-agent deployment
Customer: teams seeking agents that access documents, search, email, or business tools.
Job: gain useful automation without turning the agent into a high-privilege data-exfiltration path.
Offer: local tool broker, capability inventory, connector policy, prompt-injection testing, short-lived credentials, approval rules, and incident exercise.
Implementation: local retrieval first; no external tools by default; read-only scoped credentials; user confirmation before consequential actions; and no raw prompts in tracing, feedback, or support tooling.
Revenue: deployment project, testing workshop, and quarterly review.
Failure mode: a private model still leaks through the browser, email, MCP server, or plugin it can command. Agent safety is a more important differentiator than another chat UI.
Long-term research service
Customer: regulated research groups, cooperatives, or institutions with a narrow shared analytic problem.
Job: answer a specific question without pooling raw data.
Offer: feasibility study and pilot using FHE, MPC, PIR, or a zero-knowledge proof for a bounded classifier, score, eligibility check, or private lookup.
Revenue: grant-funded research, specialist pilot, and later a narrowly scoped product.
Failure mode: promising a general encrypted LLM. Zero-knowledge AI makes clear that private computation is real but must match the computation, latency, and threat model.
Private AI legal roles identifies the offerings that need counsel or should be declined by default.