Offer / 03 · Assurance
You can't govern what you haven't inventoried.
A complete AI inventory, risk classification, governance controls and remediation plan in 4–8 weeks. Aligned to ISO/IEC 42001, NIST AI RMF, IMDA, PDPA and Vietnam Decree 13.
Who it’s for
Risk owners watching models and agents multiply across the business — procured, built and shadow-adopted — without a register, an owner list, or evidence that any of it is controlled. And leadership teams preparing for ISO/IEC 42001, regulator questions or board assurance requests.
What you get
- 01A complete inventory of models, agents, workflows and material AI use cases — internal and vendor-embedded.
- 02Risk classification with named business, technical and risk owners per system.
- 03A control framework covering data use, agent permissions, transaction limits, evaluation, monitoring, incident response and third-party risk.
- 04Gap assessment against ISO/IEC 42001, NIST AI RMF, IMDA Model AI Governance, PDPA and Vietnam Decree 13 — as applicable to you.
- 05A sequenced remediation plan your risk committee can track — and we can help operate.
How it works
Phase / 01
Weeks 1–2
Discovery and inventory.
Phase / 02
Weeks 3–5
Risk classification, control mapping, gap analysis.
Phase / 03
Weeks 6–8
Remediation plan, governance operating model, executive readout.
Frameworks we work to
ISO/IEC 42001
AI Management System
NIST AI RMF
Risk Management Framework
IMDA Model AI Gov.
Singapore — 2nd Ed.
PDPA
Singapore
Decree 13/2023
Vietnam — Personal Data
Cybersecurity Law
Vietnam
Aligned to readiness and assessment — not certification of clients.
Frequently asked
- Is this an audit?
- It is an independent assessment producing evidence and a plan; it is not a certification audit, and we’ll tell you plainly when an accredited body is required.
- We already have an AI policy — isn’t that enough?
- A policy without inventory, owners, controls and evaluation is a statement of intent. We turn intent into operating governance.
- Can you also fix the gaps?
- Yes — remediation and ongoing governance operations are separate, clearly scoped engagements, so the assessment stays independent.
Next step
A one-page assessment outline.
Send us your context — sector, jurisdiction, current register maturity. We’ll send a one-page outline of what an engagement would cover and produce.
