Our methodology
The Evidence-First Method.
Most AI governance work produces a document that describes good intentions. Ours produces evidence that controls exist and are operating, captured as you go, in a form a regulator or your board can read on any given day.
Continuous assurance, not a point-in-time checkbox. Four phases, each tied to a defined artefact, with Te Tiriti obligations built in from Phase 1.
Map
You cannot govern what you have not located.
We inventory every AI system, data flow, and automated decision point, then classify each against the regimes that bind you: the Privacy Act 2020, Te Tiriti and Māori data sovereignty obligations, FMA and RBNZ exposure, EU AI Act risk tiers for exporters, and ISO 42001 scope.
Output
An AI system inventory and risk classification that becomes the baseline the rest of the engagement is measured against.
NIST Map · ISO 42001 Plan
Frame
Nothing is governance for its own sake.
We set the governance architecture: policies, roles, accountabilities, risk appetite, and the operating model that holds them together. Every control is mapped to the specific obligation it discharges, with Te Tiriti obligations built in rather than reviewed at the end.
Output
A governance framework, policy stack, accountability map, and a control-to-regulation traceability matrix.
NIST Govern · ISO 42001 Plan
Control
Policy that sits in a folder is not a control.
We embed the framework into the workflows that actually carry risk: model lifecycle, approval gates, third-party onboarding, and incident handling. Evidence capture is wired into business as usual, not bolted on at audit time.
Output
Implemented controls, approval gates, model governance procedures, and a standing evidence trail.
NIST Measure + Manage · ISO 42001 Do
Assure
A maintained evidence position, not an annual snapshot stale the day after sign-off.
Independent, ongoing verification that the controls are working, reported at board and supervisory grade. This is where continuous assurance lives: an evidence position you can put in front of the Privacy Commissioner, the FMA, the RBNZ, or your risk committee whenever they ask.
Output
Assurance reports and a regulator-ready evidence pack, refreshed on a defined cycle.
NIST Manage · ISO 42001 Check + Act
Why the method ends in continuous assurance.
AI systems change after they go live. A governance model that stops at deployment leaves the Office of the Privacy Commissioner, an auditor, or your board looking at evidence that no longer matches the system in production.
Phase 4 closes that gap. Board reporting and a defined refresh cycle carry the governance forward, so the evidence pack stays current between reviews. Te Tiriti obligations and Māori data sovereignty are held through the same cadence rather than reviewed once and filed away.
Every service sits inside a phase.
You can engage the whole method end to end, or start at the phase where your gap is. Each service below produces the artefact its phase contributes to the evidence pack.
Phase 01 · Map
Phase 02 · Frame
Phase 03 · Control
Start with a map. Leave with an evidence pack.
Run the calculator for a baseline read on your exposure, then we scope the phase that fits where you are and outline the work to close the gap.