A complete, organization-specific AI governance program — built from your regulatory obligations, your existing AI tool landscape, and your team structure. Every document is written for your organization, not adapted from a generic template.
Scoped on a briefing call. Fixed-fee proposal issued within 24 hours. Typically engaged after a Tier 1 audit, following a board mandate or audit committee requirement, or for organizations building a defensible AI governance program from scratch.
Each deliverable is written to your regulatory framework, industry, and named organizational roles — not adapted from a generic template.
A complete, organization-specific AUP written for your regulatory obligations — HIPAA minimum necessary, SOX record-keeping, GLBA safeguards, CCPA consumer rights, and attorney-client privilege protocols where applicable. Written for your approved and prohibited tools, your named compliance officer and data officer, and your actual current state. Not a template with your logo inserted.
Includes a 30-day review session to revise for any organizational changes after initial delivery.
Structured documentation mapping your AI tool landscape and governance controls to the NIST AI RMF — Govern, Map, Measure, Manage. Produces the governance evidence record regulators and auditors expect when examining AI oversight programs. Written to serve as a defensible artifact, not a self-assessment checklist.
NIST AI RMF is the current US federal standard for AI risk governance and the framework most likely to be cited in regulatory guidance, insurance underwriting, and board-level AI oversight requirements.
A practical AI governance training program written for your employees — what they can use, what they cannot, what to do when something goes wrong, and how to report concerns. Includes a slide deck for live delivery, a written module for async completion, and a one-page employee quick reference card.
Written at a reading level appropriate for non-technical staff. Legal and compliance language is reserved for policy documents, not employee communications.
A repeatable framework for evaluating AI tool vendors against your specific compliance requirements — including a scoring worksheet, an 8-criterion evaluation rubric (matching our AVRA methodology), and a vendor registry template. Your procurement and IT teams can use this independently going forward.
Includes assessment of up to 3 vendors currently in use as part of initial delivery. Additional vendors available at AVRA report rate.
Documented protocols for how AI-generated content and AI-processed data are retained, classified, and deleted — aligned to HIPAA minimum necessary, SOX record-keeping requirements, and CCPA deletion obligations. Includes a data classification matrix for AI outputs specific to your data types and a written justification memo your legal team can attach to the policy.
For publicly traded organizations or those preparing for a transaction, a documented set of AI-related internal controls aligned to SOX Section 302 and 404 requirements — covering AI tool usage controls, access governance, output review procedures, and the certification language your CEO and CFO can rely on. Integrates with your existing ICFR framework.
Applicable to public companies, PE-backed organizations approaching an exit, and organizations subject to audit committee scrutiny of technology controls.
A prioritized, week-by-week implementation roadmap with clear ownership (legal, IT, HR, compliance), milestones, and success criteria. Not a vague list of recommendations — a structured plan that a CCO can present to the board with specific commitments attached.
Includes a 30-day check-in call after delivery to review implementation progress and address blockers.
For organizations with EU operations, employees, or customers: the specific technical documentation required under EU AI Act Article 11 — system descriptions, intended purposes, performance metrics, and oversight mechanisms formatted to satisfy Annex IV requirements for high-risk AI systems.
Included for organizations with EU exposure. Scoped accordingly for US-only organizations where this obligation does not apply.
Complexity drives timeline. A single-framework engagement (HIPAA or SOX) typically completes in 4 weeks. Multi-framework, multi-jurisdiction engagements run 6–8 weeks.
Kickoff call with compliance, legal, and IT leadership. Current-state assessment of AI tools in use, existing policies, and regulatory obligations. Delivery of engagement plan with milestones.
First drafts of the AUP, EU AI Act documentation, and data retention protocols delivered for legal review. Feedback incorporated within one revision cycle.
Employee training materials drafted and reviewed. Vendor risk assessment framework built and tested against your current vendor list. Up to 3 existing vendors scored.
90-day implementation roadmap finalized with your team. All deliverables packaged and delivered. 60-minute debrief call with all stakeholders. 30-day check-in call scheduled.
Post-audit remediation. A Tier 1 AI Exposure Audit identified gaps in policy, vendor oversight, and documentation. The governance implementation turns those findings into a functioning program.
Board or audit committee mandate. Leadership has been asked to demonstrate AI governance before the next board meeting, audit cycle, or insurance renewal. HIPAA audits, SOX 302/404 certifications, and PE/insurer due diligence are the most common triggers. EU AI Act (August 2026) applies additionally if your organization has EU operations, employees, or customers.
Building from scratch. No AI policy exists. Employees are already using AI tools. A new CCO, CISO, or GC has been tasked with building a governance program before the next board meeting or audit cycle.
Board or investor requirement. Governance documentation has been requested by the board, a PE firm, or an insurer as a condition of approval, funding, or coverage. The roadmap provides the documented commitment.
No — but it helps. If you've completed a Tier 1 AI Exposure Audit with us, the governance implementation benefits from the findings: your policy will reference actual tool usage, your training will address real observed behaviours, and your vendor framework will start with assessed vendors. Without the audit, we work from your self-reported tool inventory, which is a valid starting point.
Yes — and we recommend it. Every draft is delivered to your General Counsel for review before final delivery. One full revision cycle is included in the engagement fee. If your legal team requires significant structural changes, a second revision cycle can be added at an agreed rate.
Either — determined at scoping. If your existing policy covers the structural requirements but needs regulatory alignment and depth, we update and extend it. If it is a generic template that does not reflect your actual tools, roles, or obligations, a full replacement is typically more efficient and produces a cleaner document.
The base engagement covers HIPAA, SOX, GLBA, and CCPA as applicable, plus NIST AI Risk Management Framework alignment. EU AI Act (Article 11 / Annex IV) is included for organizations with EU operations, employees, or customers. Multi-framework coverage — for example, HIPAA + SOX + EU AI Act simultaneously — is scoped accordingly and is reflected in the higher end of the price range.
Yes. The async module is written specifically for self-completion without a trainer present. The slide deck requires a facilitator and is typically run by your compliance or HR team. We provide facilitator notes. We do not deliver training sessions directly, but we can advise your team on delivery approach during the check-in call.
The briefing call is 30 minutes, under NDA, and produces a fixed-fee proposal within 24 hours. No obligation beyond that.