
AI Governance & Compliance

Four weeks. £18,000 fixed. ISO 27001 and SOC 2-aligned controls mapped to your AI surface, a model risk management framework your regulator will recognise, human-in-the-loop and audit logging where they matter, and the written documentation an auditor will actually accept.

£18,000 fixed · 4 weeks · Regulator-ready deliverables

Who this is for

You ship AI into a regulated sector — financial services, healthcare, defence, forensics, critical infrastructure, legal — or you sell into enterprise customers whose procurement teams have started asking specific questions about how your AI is governed. You do not have six months to stand up an internal risk function. You need a framework your team can operate, documentation an auditor will accept, and controls mapped onto the standards your customers test against.

What you get

  • Control mapping against ISO 27001:2022 Annex A, the SOC 2 Trust Services Criteria (Common Criteria series), and (where relevant) the NIST AI RMF. Covers access control, data handling, model change management, incident response, and operational resilience.
  • Model risk management framework. Inventory of AI systems, risk tier assignments, validation evidence, monitoring requirements, and a retirement process. Compatible with EU AI Act Article 9 expectations for high-risk systems.
  • Human-in-the-loop patterns. Where a human signoff is required, how it is logged, who can override whom, what the SLA is, and where the audit trail lives.
  • Audit logging specification. What gets logged per request (prompt, response, retrieval context, scores, signoffs), retention schedule, and access controls on the logs themselves. The logs inherit whatever personal data the prompts and retrieval context contained, so retention and access have to be set with that in mind.
  • Regulator-ready documentation pack. AI System Description, Risk Assessment, Data Governance Statement, Incident Response Playbook, Evaluation Report. Written in the tone a real auditor expects.
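
As an illustration of what the audit logging and human-in-the-loop bullets mean in code, here is an added example that is not a deliverable from this engagement and not code from the page. The field names, the risk tiers, the hash chain used to make the log tamper-evident, and the sample requests are all assumptions; the point is that prompts and responses are logged as hashes rather than in the clear, a high-risk request cannot be recorded without a named human signoff, and any later edit to a record is detectable.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

HIGH_RISK_TIERS = {"high"}   # assumption: tiers come from the model risk inventory
GENESIS_HASH = "0" * 64


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class AuditRecord:
    request_id: str
    model_id: str
    risk_tier: str
    prompt_hash: str                  # hash only: prompts frequently contain personal data
    retrieval_context_ids: list[str]  # which documents the model was allowed to see
    response_hash: str
    scores: dict[str, float]          # evaluator / safety-classifier outputs (assumed names)
    signoff_user: Optional[str]       # human approver, None when no human gate applied
    signoff_decision: Optional[str]   # "approve" / "reject" / None
    prev_hash: str                    # hash of the previous record: tamper-evident chain
    record_hash: str = ""


class AuditLog:
    """Append-only, hash-chained log. Editing or deleting a record breaks verify()."""

    def __init__(self) -> None:
        self.records: list[AuditRecord] = []

    @staticmethod
    def _canonical(rec: AuditRecord) -> str:
        body = asdict(rec)
        body.pop("record_hash")  # the hash covers every other field, including prev_hash
        return json.dumps(body, sort_keys=True, separators=(",", ":"))

    def append(self, **fields) -> AuditRecord:
        # Enforce the human-in-the-loop rule at write time for high-risk systems.
        if fields["risk_tier"] in HIGH_RISK_TIERS and not fields.get("signoff_user"):
            raise ValueError("high-risk request recorded without a human signoff")
        prev = self.records[-1].record_hash if self.records else GENESIS_HASH
        rec = AuditRecord(prev_hash=prev, **fields)
        rec.record_hash = sha256_hex(self._canonical(rec))
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        expected_prev = GENESIS_HASH
        for rec in self.records:
            if rec.prev_hash != expected_prev:
                return False
            if rec.record_hash != sha256_hex(self._canonical(rec)):
                return False
            expected_prev = rec.record_hash
        return True


def build_sample_log() -> AuditLog:
    """Constructed sample data: one auto-approved low-risk request, one human-gated one."""
    log = AuditLog()
    log.append(request_id="req-0001", model_id="summariser-v3", risk_tier="low",
               prompt_hash=sha256_hex("Summarise the attached policy document."),
               retrieval_context_ids=["doc-17", "doc-42"],
               response_hash=sha256_hex("The policy requires ..."),
               scores={"toxicity": 0.01, "groundedness": 0.93},
               signoff_user=None, signoff_decision=None)
    log.append(request_id="req-0002", model_id="triage-v1", risk_tier="high",
               prompt_hash=sha256_hex("Recommend a credit decision for applicant X."),
               retrieval_context_ids=["app-9001"],
               response_hash=sha256_hex("Recommend decline; low affordability score."),
               scores={"confidence": 0.71},
               signoff_user="j.smith", signoff_decision="approve")
    return log


def rejects_unsigned_high_risk() -> bool:
    """True if the log refuses a high-risk record that carries no human signoff."""
    try:
        AuditLog().append(request_id="req-x", model_id="triage-v1", risk_tier="high",
                          prompt_hash=sha256_hex("..."), retrieval_context_ids=[],
                          response_hash=sha256_hex("..."), scores={},
                          signoff_user=None, signoff_decision=None)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    log.records[0].scores["toxicity"] = 0.0   # simulate an after-the-fact edit
    print("chain intact after edit:", log.verify())
```

In a real deployment the chain head would be written to storage the application cannot modify (a separate log account, WORM bucket or similar) so that the access controls on the logs are enforced by something other than the service that writes them.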

How it runs

  • Week 1: scoping workshop with founder / CTO / data protection officer. We map your current state against the relevant standards.
  • Week 2: drafting the controls and the framework.
  • Week 3: implementation support — sitting in on sprints to make sure the framework actually lands in the code, not just the policy doc.
  • Week 4: final documentation pack, walkthrough with the team, and (if relevant) a dry-run Q&A simulating an external audit.

FAQ

Do you sign off as the Responsible AI Officer?

No — that role must sit inside your organisation to satisfy most regulators. I equip whoever does hold it with the controls, documentation, and evidence base they need to do the job.

Does this cover the EU AI Act?

Yes, to the extent it applies to your system. If you operate a system that is high-risk under Annex III, the framework covers the Article 9 risk-management, Article 10 data-governance, and Article 15 accuracy, robustness and cybersecurity requirements; the audit logging and human-in-the-loop deliverables map onto the Article 12 record-keeping and Article 14 human oversight requirements. The conformity assessment itself (internal control under Annex VI, or third-party assessment where the Act requires it) remains a separate process.

Can this run alongside a Build Sprint?

Yes, and often should. Governance wired in during build is far cheaper than governance retrofitted afterwards.

Need this before a customer audit or investor DD?

Book a 30-minute discovery call. I will tell you honestly whether this engagement is the right fit or whether you need a different path.
