Map
You cannot govern what you have not located.
Output
AI system inventory & risk classification
NIST Map 路 ISO 42001 Plan
Three practice tracks. One documented evidence pack at close.
Engagements typically run six to twelve weeks. Each track maps to a defined set of artefacts, designed for boards, regulators, and audit reviewers to work through end to end. APRA CPS 230, ASIC REP 798, Privacy Act ADM, ISO 42001, and the EU AI Act all sit inside the same operating model.
Built for
Boards & risk committees 路 Chief risk officers 路 General counsel 路 Heads of AI 路 Internal audit
We work against: APRA CPS 230 / ASIC REP 798 / Financial Accountability Regime / Privacy Act 1988 / TGA SaMD / DTA Policy 2.0 / ISO/IEC 42001 / EU AI Act / NIST AI RMF / Voluntary AI Safety Standard
Our methodology
The Evidence-First Method.
Most AI governance work produces a document that describes good intentions. Ours produces evidence that controls exist and are operating, in a form a regulator or your board can read on any given day.
Continuous assurance, not a point-in-time checkbox.
Frame
Every control is mapped to the obligation it discharges, so nothing is governance for its own sake.
Output
Governance framework, policy stack & control-to-regulation matrix
NIST Govern 路 ISO 42001 Plan
Control
Policy that sits in a folder is not a control. We wire it into the workflows that carry risk.
Output
Implemented controls, approval gates & a standing evidence trail
NIST Measure + Manage 路 ISO 42001 Do
Assure
Not an annual snapshot stale the day after sign-off, but a maintained evidence position.
Output
Assurance reports & a regulator-ready evidence pack
NIST Manage 路 ISO 42001 Check + Act
Track A
Governance & strategy.
Frameworks, policies, and operating models that hold up under board, regulator, or audit scrutiny. Designed around your existing risk taxonomy and three-lines-of-defence structure.
Typical artefacts: AI strategy, board charter, RACI matrix, policy suite, model governance procedure, incident response playbook.
01
AI governance consulting
Operating model 路 Committees
02
AI strategy development
Roadmap 路 Business case
03
AI policy development
Acceptable use 路 GenAI 路 Vendor
04
Risk framework development
CPS 230 路 NIST AI RMF 路 ISO 42001
05
Board-level AI governance
FAR 路 Corp Act s.180
06
Model governance
Validation 路 Three lines
Track B
Assessment & assurance.
Independent evaluation of AI systems and the governance wrapping them. Evidence packs sized for internal audit, external review, or pre-certification readiness.
Typical artefacts: gap analysis report, prioritised remediation roadmap, model validation findings, ISO 42001 readiness assessment, third-party vendor risk register.
Track C
Compliance & advisory.
Ongoing alignment with Australian and international regulators. Workforce uplift, board education, and standing advisory support sized to your operating tempo.
Typical artefacts: regulatory mapping, EU AI Act conformity plan, training curriculum, quarterly advisory cadence, regulator briefing decks.
Industries we work in.
Every engagement is scoped against the prudential, sectoral, and statutory frameworks that apply to your licence and operating context.
Not sure which track to start with?
Run the AI Risk Calculator first for a baseline view, or book a 30-minute scoping call. We will map your AI inventory against your regulatory environment and outline the smallest engagement that closes the highest-priority gaps.