Skip to content
EVVO DIGITAL

Offer / 03 · Assurance

You can't govern what you haven't inventoried.

A complete AI inventory, risk classification, governance controls and remediation plan in 4–8 weeks. Aligned to ISO/IEC 42001, NIST AI RMF, IMDA, PDPA and Vietnam Decree 13.

4–8 weeksFixed-fee assuranceBoard · CRO · CISO · DPO

Who it’s for

Risk owners watching models and agents multiply across the business — procured, built and shadow-adopted — without a register, an owner list, or evidence that any of it is controlled. And leadership teams preparing for ISO/IEC 42001, regulator questions or board assurance requests.

What you get

  • 01A complete inventory of models, agents, workflows and material AI use cases — internal and vendor-embedded.
  • 02Risk classification with named business, technical and risk owners per system.
  • 03A control framework covering data use, agent permissions, transaction limits, evaluation, monitoring, incident response and third-party risk.
  • 04Gap assessment against ISO/IEC 42001, NIST AI RMF, IMDA Model AI Governance, PDPA and Vietnam Decree 13 — as applicable to you.
  • 05A sequenced remediation plan your risk committee can track — and we can help operate.

How it works

  1. Phase / 01

    Weeks 1–2

    Discovery and inventory.

  2. Phase / 02

    Weeks 3–5

    Risk classification, control mapping, gap analysis.

  3. Phase / 03

    Weeks 6–8

    Remediation plan, governance operating model, executive readout.

Frameworks we work to

  • ISO/IEC 42001

    AI Management System

  • NIST AI RMF

    Risk Management Framework

  • IMDA Model AI Gov.

    Singapore — 2nd Ed.

  • PDPA

    Singapore

  • Decree 13/2023

    Vietnam — Personal Data

  • Cybersecurity Law

    Vietnam

Aligned to readiness and assessment — not certification of clients.

Frequently asked

Is this an audit?
It is an independent assessment producing evidence and a plan; it is not a certification audit, and we’ll tell you plainly when an accredited body is required.
We already have an AI policy — isn’t that enough?
A policy without inventory, owners, controls and evaluation is a statement of intent. We turn intent into operating governance.
Can you also fix the gaps?
Yes — remediation and ongoing governance operations are separate, clearly scoped engagements, so the assessment stays independent.

Next step

A one-page assessment outline.

Send us your context — sector, jurisdiction, current register maturity. We’ll send a one-page outline of what an engagement would cover and produce.