A structured assessment of your AI systems against NIST AI RMF, ISO 42001, and EU AI Act — producing the documentation auditors actually want to see.
AI Risk Assessment is the compliance engagement that maps your AI deployments against published risk frameworks and produces defensible documentation. Not a checkbox audit — a substantive assessment of risk posture against named standards, with findings, gap analysis, and a roadmap to compliance. The output is what your auditors, regulators, or board are asking for.
NIST AI RMF, ISO 42001, and the EU AI Act each demand a specific kind of risk documentation that most AI deployments lack. Internal risk registers built in Excel rarely survive an external auditor's review. Compliance consulting firms produce documentation that passes review but doesn't reflect actual risk. Engineering teams know the risks but don't have the framework vocabulary to document them defensibly.
AI Risk Assessment closes the gap from both directions. We work with your engineering team to surface the real risks, then translate them into the framework vocabulary auditors recognize. The result is documentation that's both technically accurate and audit-defensible — uncommon in the AI compliance space.
Framework Selection & Scoping
Based on your regulatory exposure (sector, geography, customer requirements), we recommend which frameworks apply and at what depth. Output is a written scoping document confirming the assessment's regulatory targets.
Duration 2–3 days · Output: scoping document
System Inventory
We document every in-scope AI system: purpose, model used, data inputs, decision impacts, human oversight points, lifecycle status. Builds on Shadow-AI Recon findings if that engagement preceded this one.
Duration 3–5 days · Output: AI system register
Risk Mapping
For each system, we identify the risks the chosen frameworks require addressing: bias, transparency, robustness, privacy, security, human oversight, accuracy. Each risk is documented with current controls and identified gaps.
Duration 5–7 days · Output: risk register
Gap Analysis
Against the framework requirements, we identify gaps: missing controls, undocumented decisions, insufficient evidence. Each gap is rated by severity and remediation effort.
Duration 3–4 days · Output: gap analysis document
Roadmap & Documentation Package
Final deliverable is a complete documentation package suitable for audit submission, plus a prioritized roadmap for closing identified gaps.
Duration 4–5 days · Output: documentation package + roadmap
AI System Register
Complete inventory of in-scope AI systems with framework-aligned attributes: purpose, risk class, oversight model, data flows. Required input for most audits.
25–40 pages · Markdown + PDF
Risk Register
Per-system risk documentation against named frameworks, with current controls and residual risk ratings.
Risk register document + spreadsheet
Gap Analysis
Identified compliance gaps with severity, remediation effort, and prioritization.
Gap analysis report
Framework Conformity Statements
For each applicable framework (NIST AI RMF, ISO 42001, EU AI Act), a structured conformity statement suitable for auditor or regulator submission.
Per-framework documents
Remediation Roadmap
Prioritized plan for closing gaps, with effort estimates and target timelines.
Roadmap document
Stakeholder Walkthrough
Working session with compliance, security, engineering, and executive stakeholders to walk through findings and roadmap.
120-minute session
You're subject to the EU AI Act, financial-sector AI regulations, or other emerging AI compliance requirements with an upcoming deadline.
Your customers (especially enterprise or public-sector) are demanding evidence of AI risk management documentation.
You're preparing for an external audit, vendor assessment, or regulatory examination of your AI deployments.
Your internal compliance team understands traditional risk frameworks but lacks the AI-specific expertise to apply them well.
You need a security-only assessment, not framework-aligned documentation — Adversarial Probing fits better.
Your AI deployments are still in research or prototype phase — frameworks apply primarily to systems in or near production.
You want a compliance checkbox audit — we deliver substantive assessments, which take longer than a stamp-of-approval review.
You need ongoing compliance operations — this engagement produces documentation, not an ongoing compliance function.
Companion engagement that establishes the ongoing logging and decision-trail documentation framework risk requires.
Companion engagement that produces the internal AI use policies the frameworks reference.
If your AI inventory is unclear, run this discovery engagement first — risk assessment requires knowing what to assess.
AI Risk Assessment engagements start from $28,500. Reply within 24h. NDA before scope.