Every engagement is scoped to a clear outcome that a board, an auditor, or an enterprise buyer can verify — never open-ended hourly work. Scope and investment are tailored to your environment.
A maintained AI inventory and model-risk register, NIST AI RMF and ISO 42001 alignment monitoring, AI-specific incident-response readiness, and a quarterly posture report to the board or audit committee. Ongoing assurance, sold as a retainer add-on to an existing security function.
A fixed-scope sprint: an AI use-case inventory, a gap analysis against the NIST AI RMF and ISO 42001, a drafted AI policy stack, a 90-day remediation roadmap with named owners, and a board-ready governance memo. The fastest defensible first step.
The full 23 NYCRR §500 lifecycle: risk assessment, evidence repository buildout, MFA and access controls, BEC and ransomware tabletop exercises, the annual certification, and the senior-governing-body reporting that now extends to AI risk.
Scope the right Trust Services Criteria or ISMS controls, close the gaps before the observation window or Stage 2 audit, stand up the evidence repository, and run both frameworks off a single control set so the second one isn't a second project.
Adversarial testing of your AI systems mapped to MITRE ATLAS — prompt injection, data poisoning, model evasion, and extraction — with findings written into a remediation plan, not just a report. Validates that the program holds under pressure.
Read a vendor's SOC 2 for what it actually covers, surface the AI features and model providers carved out of scope, run a targeted question set, and document a defensible diligence decision your auditors and board will accept.
A named, accountable security leader for the board, the audit committee, customer security reviews, and the moment risk has to be formally accepted — the work AI cannot sign off on — without the cost of a full-time executive hire.
Grounded in doctoral research on GenAI social engineering: a behavioral threat baseline, simulated deepfake and AI-assisted phishing campaigns, a staff training program, and a detection playbook for the attacks that now target high-value people.
A focused conversation about your environment, your regulatory obligations, and what's prompting the work — so the engagement targets the real outcome.
We map your AI use cases, controls, and gaps against the frameworks that apply to you — NYDFS, SOC 2, ISO 27001, NIST AI RMF, ISO 42001.
A prioritized 90-day roadmap with named owners, plus the policies, registers, and procedures your program actually needs to operate.
A governance memo and posture report written in the language the board, the audit committee, and your enterprise customers expect to see.
For retained engagements, a quarterly cadence that keeps the program — and your reporting — current as obligations and your AI footprint evolve.
Engagements are scoped and priced to your environment and obligations. The fastest way to a number is a short scope call — request a consultation and we'll talk specifics.
A board question, a customer security review, a regulatory deadline, or a new AI feature you're not sure how to govern. Book a 30-minute consultation and we'll map the fastest defensible path.