chore: Full consistency scan — AOC->PULSAR, fix training-data claims, fix 90% claim

AOC -> PULSAR across 10 files (engagement-model, retained-capability,
modular-engagements, blue-purple-team-foundation, about-cqre, about-cqre-cs,
consultant-field-guide, ai-assisted-tvm, m365-e3-hardening,
sovereign-tool-stack, risk-register-example).

Training-data framing corrected in:
- executive-summary.md: opening paragraph and risk table
- README.md: 90% solution claim -> 30-60% in 180 days
- modular-engagements.md: public API data use claim
- cis-controls-mapping.md: data protection framing
- antifragile-risk-register.md: risk entry softened to accurate framing
- azure-openai-sovereignty-bridge.md: consumer vs enterprise API distinction

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>

antifragile-consulting/core/executive-summary.md

@@ -6,13 +6,13 @@
 
 ## The Problem in One Sentence
 
-Your organization is currently engaged in a **massive, unpaid research project for its competitors**—sending proprietary data, strategic reasoning, and operational intelligence to cloud platforms that are incentivized to commoditize your industry.
+Your organization depends on technology infrastructure it does not fully control — cloud platforms whose incentives are not aligned with your survival, AI tools processing your operational intelligence under agreements you cannot audit, and vendors whose pricing, terms, and continued existence are outside your influence.
 
 ## What Is at Stake
 
 | Asset Category | Current Risk | If Compromised or Extracted |
 |---------------|-------------|----------------------------|
-| Strategic intelligence | Rented from cloud AI providers | Competitors replicate your edge; your strategy becomes public model training data |
+| Strategic intelligence | Rented from cloud AI providers | Vendor dependency, data residency risk, no audit rights over inference — and a strategy that improves their platform, not yours |
 | Customer trust | Protected by compliance theater | Regulatory fines, class-action liability, irreversible reputational damage |
 | Operational continuity | Dependent on vendor stability | Single API change or geopolitical event halts revenue-critical workflows |
 | Technical talent | Wasted on maintenance of fragile systems | Burnout, attrition, inability to attract security-conscious engineers |
@@ -69,7 +69,7 @@ We do not propose a three-year transformation. We propose **four phases, 180 day
 This is not a cost centre. It is **optionality insurance**.
 
 - **Cost of the program**: Primarily configuration and process—existing tools are leveraged first.
-- **Cost of inaction**: A single ransomware incident averages €4.5M in recovery. A single regulatory fine under DORA can reach 2% of global turnover. A single competitor trained on your data renders your proprietary advantage worthless.
+- **Cost of inaction**: A single ransomware incident averages €4.5M in recovery. A single regulatory fine under DORA can reach 2% of global turnover. A single uncontrolled AI vendor relationship can expose your operational data to residency and audit failures that NIS2, DORA, or sector regulators will not overlook.
 - **ROI timeline**: Risk reduction is visible in 30 days. Regulatory evidence is demonstrable in 90 days. Competitive advantage from sovereign intelligence compounds over 12-24 months.
 
 ## The Decision Required