AI Governance & Compliance.

Know where your AI program stands against every framework that applies to you.

The problem

Most organizations cannot answer a basic question: which frameworks apply to their AI, and where they fall short. NIST AI RMF, ISO 42001, the EU AI Act, and sector regulation each ask for different things, and AI adoption has usually run ahead of all of them.

Documented governance is what regulators and enterprise customers now expect. When it is missing, the cost shows up first as deal friction in security review, and later as regulatory exposure. This assessment measures you against every framework in scope and produces the roadmap to close the gaps.

What the assessment covers

Governance maturity

Gap analysis against the NIST AI Risk Management Framework and ISO 42001: policies, roles, AI system inventory, risk classification, and audit practices.

Regulatory compliance

EU AI Act classification of in-scope systems, a documentation audit against mandatory requirements, and mapping to the industry-specific regulation that applies to your sector.

What’s included

- Gap analysis against the NIST AI RMF Govern, Map, Measure, and Manage functions
- Mapping to ISO 42001 and industry-specific regulation relevant to your sector
- EU AI Act classification of in-scope systems (Unacceptable, High, Limited, Minimal)
- Documentation audit against mandatory regulatory requirements
- AI system inventory with risk classification
- Stakeholder interviews across leadership, security, legal, and engineering
- Policy recommendations covering acceptable use, procurement, and risk management

What you get

- Gap matrix mapping current state against target state across every framework in scope
- AI system inventory with regulatory classification per system
- Compliance roadmap with milestones aligned to enforcement dates
- Governance framework and policy recommendations customized to your organization
- Executive briefing on regulatory exposure and business impact
- Template documentation to accelerate compliance efforts

Who this is for

- Legal, compliance, and GRC teams responsible for AI regulatory readiness
- Companies with EU customers, employees, or data under EU AI Act scope
- Organizations in regulated industries scaling AI adoption
- Leadership teams demonstrating AI accountability to the board and to enterprise customers

Timeline

3–5 weeks

Structure

Fixed fee

Methodology

1. Discovery

Stakeholder interviews across leadership, security, legal, and engineering. AI system inventory. Current-state documentation.

2. Classification

Classify each AI system by risk: assign its EU AI Act risk tier and map its context and risks under the NIST AI RMF Map function. Map the obligations each framework in scope imposes on that system.

3. Gap assessment

Assess governance maturity, documentation, and controls against every applicable framework, including ISO 42001 and industry-specific regulation.

4. Delivery

Gap matrix, compliance roadmap, policy recommendations, executive briefing, and template documentation.

Start with a focused assessment

When only one framework is in play, either of the narrower engagements, the NIST AI RMF Assessment or the EU AI Act Readiness Review, stands alone and feeds into AI Governance & Compliance.

FAQ

Which frameworks does the assessment cover?

NIST AI RMF and ISO 42001 for governance maturity, the EU AI Act for regulatory classification, and industry-specific requirements relevant to your sector. The assessment is scoped to the frameworks that actually apply to your organization.

Does the EU AI Act apply to our US-based company?

Yes, if you place AI systems on the EU market or the output of your AI systems is used in the EU, regardless of where your company is established; affecting people in the EU as customers, employees, or data subjects is the usual way a US company comes into scope. The regulation has extraterritorial reach similar to GDPR. The assessment classifies which of your systems fall in scope.

We only need one framework, not all of them. Can you still help?

Yes. The assessment scopes to what applies to you. For a single-framework need, the focused engagements also stand alone: the NIST AI RMF Assessment and the EU AI Act Readiness Review.

Can you help us implement the roadmap, not just assess gaps?

The roadmap is the deliverable. Where it calls for continuous controls and audit on AI usage, those controls can be enforced and evidenced inline on AI traffic. Implementation support is available as a follow-on engagement.

Book a 30-minute call to discuss which frameworks apply to your AI and where you stand.