AI Governance and Risk: Five Questions Every Board Should Ask
AI risk has moved from the IT agenda to the board agenda. Five questions directors can ask to govern AI well — and say yes to it more often, not less.
June 2, 2026 · 8 min read
AI Governance & Risk
Policies, controls and board oversight sized for your business — governance that enables speed instead of blocking it.
Your people are already using AI, with or without a policy. The question is not whether to allow it. It's whether that usage happens inside guardrails you designed, or in a shadow layer you can't see.
Good governance is an accelerant. When teams know what's allowed, what's logged and who decides the edge cases, they move faster — because every decision no longer has to escalate to you. We build governance sized for SMEs and smaller enterprises: a working policy, proportionate controls, and board oversight that fits in an hour a quarter rather than an enterprise bureaucracy transplanted into a 200-person company.
The rules around AI are being rewritten in real time — the EU AI Act is taking effect in stages, customers are asking harder questions, and insurers are updating their exclusions. Preparation is cheaper than reaction. It usually is.
Who this is for
What we do
A practical policy covering approved tools, data handling, disclosure and human review — short enough that people read it, specific enough to hold when tested.
Your AI use cases — including the undeclared ones — mapped against operational, legal, security and reputational risk, with proportionate mitigations for each.
Lightweight processes for adopting new tools and use cases, with clear thresholds for what needs sign-off and what doesn't.
A reporting template and briefing that gives directors a defensible view of AI risk in an hour a quarter.
How it works
A short conversation about your current AI exposure, your regulatory context and what's prompting the question now — an incident, an audit, or a board that's started asking.
We survey actual AI usage across your organization — sanctioned and not — and assess it against your legal, contractual and sector obligations.
We draft the policy, controls and board pack, pressure-test them with your leadership team, and adjust until they fit how your business actually runs.
A retained yearly cycle to keep the framework current as regulation, tooling and your own AI footprint change.
Outcomes
Questions
Boards and leadership teams of SMEs and smaller enterprises who are adopting AI faster than their controls are maturing — especially in regulated or trust-sensitive sectors. If you have no AI usage at all yet, you probably don't need this. Few organizations are in that position.
Yes. We map your use cases against the Act's risk tiers and obligations, alongside whatever applies in your home jurisdictions. We're strategists, not lawyers — where formal legal opinions are needed, we work alongside your counsel rather than replacing them.
Three to five weeks from the start of the audit to a board-ready framework. If you're working to a deadline — a customer audit, an insurance renewal, a tender — tell us and we'll sequence around it.
An honest picture of current AI usage, copies of the relevant contracts and policies, and an hour with the executive who owns risk. The audit takes care of the rest.
Tell us where you are. We will be candid about what comes next — whether or not we end up working together.