Your teams are already using AI — sanctioned or not. AI governance is how you keep the leverage while controlling the risk: knowing what AI is in use, what data it touches, what could go wrong, and being able to prove all of that to customers, auditors, and regulators.
Why this is on your desk now
- Customers are asking. AI questions are now standard in enterprise security questionnaires and vendor reviews — “do you use AI, and how is it governed?” needs a better answer than a shrug.
- Regulation is real. The EU AI Act’s obligations are phasing in, and US frameworks (NIST AI RMF) are becoming the de facto reference for “reasonable” AI practice.
- Shadow AI is the norm. Most organizations underestimate their AI inventory by half — browser extensions, embedded copilots, and API integrations that nobody registered go uncounted.
- Certifiability arrived. ISO/IEC 42001 made AI management systems auditable, the way ISO 27001 did for information security.
What we do
- AI Governance Assessment (2–4 weeks). Inventory every AI system in use (including shadow AI), map data flows, score risk against NIST AI RMF, and deliver a prioritized roadmap.
- Program Build (3–6 months). Policies, an AI acceptable-use standard, risk assessment process, vendor review gates, and monitoring — an operating governance program, not a binder.
- ISO 42001 Readiness. Gap assessment against the standard, AI management system (AIMS) documentation, and audit preparation through certification.
- Ongoing Advisory. Retainer-based governance support as your AI usage and the regulatory picture evolve.
ISO 42001 vs NIST AI RMF vs EU AI Act
- ISO/IEC 42001 — a certifiable management-system standard. Choose it when customers want third-party proof of AI governance.
- NIST AI RMF — a voluntary risk framework, and the backbone of most US AI risk management programs. The lingua franca US enterprises expect.
- EU AI Act — law, not a framework. If your systems touch EU users, classification and obligation mapping is not optional.
Most clients don’t pick one — we build a single program mapped to all three, so one set of controls answers every questionnaire.
How an engagement runs
We’re a founder-led practice augmented by AI agents — which means senior judgment on every decision and automation doing the inventory, evidence, and document drudgery. You work directly with the principal from scoping through delivery; see pricing and engagement models for how engagements are sized.
Common questions
- We barely use AI — do we need this? Run the inventory first. “Barely” is usually wrong, and the assessment is the cheapest way to find out.
- How does this relate to SOC 2 or ISO 27001? It composes. AI governance controls slot into the management systems you already run — we map them rather than duplicate them. See SOC 2 and ISO 27001.
- What does it cost? Assessment-tier work is a fixed-fee project; programs and advisory are scoped to org complexity. Ranges are on the pricing page.