AI Governance & Cyber Risk Advisory.

Four ways to govern AI with confidence.

Every engagement is scoped to where you actually are, not where a template assumes you should be. I start with a conversation, then build the right program around your company, your regulatory environment, and your board's expectations.

Free 30-minute discovery call. Response within one business day. No public pricing: every engagement is scoped to fit.
01 / Entry engagement
Good starting point

AI Vendor Risk Snapshot

Most companies don't have a complete picture of which AI tools their teams are actually using, let alone which ones are creating exposure. Shadow AI is the rule, not the exception. This engagement answers the question clearly, quickly, and without disrupting your operations.

Delivered in five working days. The output is an executive summary your CFO can act on that afternoon, not a 60-page report that sits in a folder.

Start with a Snapshot →
What's delivered
AI Vendor Risk Snapshot
Fixed scope · 5 working days
  • Full AI tool discovery across all departments, including tools IT doesn't know about
  • Red / Amber / Green vendor scorecard for every tool identified
  • 2-page executive risk summary written for a CFO audience
  • Top 3 immediate action items with clear owner and timeline
  • Shadow AI exposure map: tools in use without approval or vetting
Natural entry point into the Full Assessment

02 / Core engagement
Most comprehensive

Full AI Risk Assessment

A complete AI governance program built around your company, not a generic framework dropped in a folder. Your board gets a one-page summary they can act on. Your legal team gets documentation they can stand behind. Your team gets a policy they can actually follow.

Structured over 3–4 weeks. Includes stakeholder interviews, vendor contract review, and a live readout with your CFO, COO, and legal counsel present.

Discuss an Assessment →
What's delivered
Full AI Risk Assessment
3–4 week engagement
  • Deep vendor contract and DPA review across all active AI tools
  • AI governance maturity gap analysis against NIST AI RMF and EU AI Act
  • Custom AI acceptable use policy, scoped to your industry and regulatory environment
  • AI risk register (living document) with owner, risk rating, and review cadence
  • Full assessment report and one-page board summary
  • Live executive readout with your leadership team
Most clients move to a retainer after this engagement

03 / Ongoing partnership
Advisory retainer

Ongoing Advisory Retainer

AI adoption doesn't stop after an assessment, and neither does the regulatory landscape. This is for companies that want a trusted advisor in their corner as their tool stack evolves, new regulations take effect, and the board starts asking harder questions.

Typically follows a Full Assessment. Replaces the need for a full-time hire with on-demand access to senior AI governance expertise.

Discuss a Retainer →
What's included
Advisory Retainer
Monthly · ongoing
  • Monthly AI risk register review and update
  • New tool vetting on demand, response within 48 hours
  • Regulatory monitoring: EU AI Act, SEC guidance, SR 11-7 developments
  • Quarterly board briefing package, plain language, board-ready format
  • Incident response advisory, available when something goes wrong
  • Policy updates as your tool stack and regulatory requirements evolve
For companies managing ongoing AI tool adoption
04 / Premium program
For companies deploying autonomous AI agents (New)

Agentic AI Governance Program

Your teams are already deploying AI agents: tools that don't just answer questions, but take autonomous actions across your systems. They query databases. They send emails. They execute code. They approve workflows. Most of them weren't vetted by IT and aren't in your risk register. This program makes the invisible visible, before a regulator or an incident does it for you.

Agentic AI Governance
Two questions worth asking your leadership team right now:
  • Do you know every AI agent your company has deployed in the last 90 days? Not tools people use, but agents that take autonomous actions on company systems.
  • Do you know what each one can access, and what decisions it can make without a human approving each step?
Most companies cannot answer either. That's the gap this program closes.
Pillar 01
Agent inventory & access mapping
A complete, living inventory of every autonomous AI agent operating in your environment: what it can access, what decisions it can make, who deployed it, and whether it was approved. Without this, governance cannot begin.
Pillar 02
Privilege policy design
Least-privilege access frameworks for your specific agent stack: Copilot, Claude Code, custom LLM workflows, automated decisioning. Not a generic template. Scoped to what your agents actually do and what they should be allowed to do.
Pillar 03
Behavioral monitoring protocol
The signals to watch for when an AI agent is acting outside its intended scope, including when it's been manipulated by an external actor. Defines who reviews, what triggers escalation, and what constitutes an agentic security incident.
Pillar 04
Agentic incident response playbook
Standard IR playbooks weren't designed for autonomous AI agents. This one is. What to do when an agent acts in ways it shouldn't, how to isolate it, and how to communicate to regulators and the board, before you need it.
Pillar 05
Board communication layer
A quarterly briefing that translates agentic AI risk into plain language for non-technical leadership. The artifact that lets your CFO walk into an audit committee meeting with clarity, not a technical report that needs a translator.
Pillar 06
Regulatory alignment
EU AI Act high-risk provisions (August 2026 deadline), NIST AI RMF Govern function, SR 11-7 model risk management as applied to agentic systems. Targeted regulatory alerts when something relevant changes, not a monthly digest.
Monthly
Governance review
60–90 min working session. New agents deployed, changed access, emerging threat patterns. Risk register updated in real time.
Quarterly
Board briefing package
One-page summary of agentic AI risk posture. What agents exist, what they can access, what's changed, what the regulatory exposure looks like.
On demand
New agent vetting
Before any new AI agent is deployed, it goes through a review: what access does it require, what can it decide autonomously, and what is the rollback plan? Response within 48 hours.
Discuss the Agentic Program →
Right for companies where AI agents can take real-world actions: send emails, query databases, execute code, or make decisions without human approval on each step.
Add-on / Deal engagement
M&A Cyber Due Diligence
Know what you're acquiring before the deal closes.
For PE firms, acquirers, and companies being acquired. A structured AI and cybersecurity risk assessment of the target, scoped to your deal timeline, built on deep hands-on experience in enterprise M&A security work. Now includes agentic AI risk: what autonomous systems does the target operate, what do they have access to, and what liability does that create post-close?
  • AI vendor & agent inventory
  • Agentic AI access & liability review
  • AI supply chain risk
  • Contract & DPA review
  • Board-ready risk summary
  • Deal-timeline scoped
Discuss your deal →
How engagements work

No pitch. No pressure. Just clarity.

Every engagement starts the same way: with a conversation about where you actually are, not where I assume you should be.

01
Free 30-minute call
I'll learn about your situation: AI tools in use, regulatory pressure, board concerns, upcoming audits. No agenda other than understanding what you need.
02
Scoping & proposal
I'll identify the right engagement for where you are. You receive a clear scope of work with defined deliverables and timeline. No surprises.
03
Engagement delivery
I do the work: discovery, analysis, documentation, and stakeholder interviews. You stay informed at every step without being pulled into the weeds.
04
Readout & next steps
Every engagement ends with a live readout for your leadership team. Findings presented in plain language. Decisions, not just data.

Not sure which engagement is right for you?

Start with the 30-minute call. We'll figure it out together. No pitch, no pressure, just an honest conversation about where you stand.