A Governance Framework You Can Pass an Audit With

Governance is the precondition for AI in production. I build the inventory, the risk categorization, the audit trail, and the human accountability that make your AI estate ready for the EU AI Act and ISO/IEC 42001, with concrete examples from regulated peers who solved the same problem.

AI Governance and the EU AI Act

  • 2024: EU AI Act adopted
  • 100%: Human accountability for AI output
  • 42001: ISO/IEC AI Management System

The Rules Already Apply to You

Four facts set the floor for any AI estate operating in Europe today. Governance is the work that lets you meet them with evidence.

  • 2024: The EU AI Act was adopted, setting binding obligations on AI systems by risk category. (EU AI Act, adopted 2024)
  • Art. 4: The AI literacy obligation requires that the people working with your AI systems understand them. (EU AI Act, Article 4)
  • 42001: ISO/IEC 42001 defines a certifiable AI Management System for governing AI across the organization. (ISO/IEC 42001 AIMS)
  • 100%: Humans remain fully responsible for AI output to ensure quality and safety. (AI Operations, human accountability)

The Governance Program, End to End

Six workstreams that turn shadow AI into a governed estate you can stand behind in front of a regulator.

EU AI Act Readiness

I map every AI use case to the EU AI Act risk categories and bring them into the scope of your ISMS, including the Article 4 AI literacy obligation for the people who work with these systems.

The EU AI Act was adopted in 2024 and Article 4 already places a literacy obligation on you.

ISO/IEC 42001 AIMS

I scope your AI use cases into an AI Management System and lay out the path to ISO/IEC 42001 certification, the standard for governing AI in an auditable way across the organization.

GDPR and Sensitive Data

I set the rules for sensitive-data handling and privacy controls in AI workflows, including hosting decisions for regulated sectors where self-hosted and cloud models each have a place.

Shadow-AI Discovery and Inventory

I find the AI already in use across the company and bring every tool into a single inventory with a named owner, so no system runs without record or accountability.

Audit Trails and Approval Workflows

I design the approval and release workflows and the audit trail that give you traceability and a record when something goes wrong, the foundation of an estate you can audit.

Human Accountability and Red-Teaming

I put a named human owner on every AI system, educate teams on the risk of cognitive offloading, and stress-test high-visibility use cases where the most guardrails are required.

Humans must remain 100 percent responsible for AI output to ensure quality and safety.

Three Stages of Governance Maturity

Most companies start at ad-hoc. The work moves you to managed, then to a certified state you can defend in an audit.

Stage 1: Ad-hoc

AI is in use, governance is not. Teams adopt tools on their own, no one owns the estate, and there is no record when something goes wrong.

  • Shadow tools with no clear owner
  • No inventory of AI use cases
  • No audit trail or approval path
  • Article 4 literacy obligation unmet

Stage 2: Managed

Every AI use case is inventoried, categorized by risk, and owned. Approval workflows and an audit trail are in place, and sensitive-data rules are explicit.

  • Single inventory with named owners
  • Use cases categorized by risk
  • Approval and release workflows live
  • GDPR and hosting rules documented

Stage 3: Certified

Your AI Management System maps to ISO/IEC 42001 and the EU AI Act. The estate is auditable, accountability is explicit, and the model runs as a standing capability.

  • ISO/IEC 42001 certification path
  • EU AI Act risk mapping complete
  • Human accountability framework in place
  • Governance run by your own team

The Approach

The Governance Operating Model

Three pillars carry the whole program. Together they make your AI estate auditable, accountable, and ready for the standards that apply.

Inventory and Risk Mapping

Maintain an overview of every process where AI is involved, then categorize each use case by risk and bring it into ISMS scope.

  • Shadow-AI discovery across the company
  • Single inventory with a named owner per system
  • Risk categorization under the EU AI Act
  • Use cases brought into ISMS scope

Privacy and Hosting Controls

Authorize AI only on safe systems, set privacy controls, and decide where models run for each use case.

  • Authorized-system policy that prevents shadow IT
  • Privacy controls for sensitive data
  • Self-hosted and cloud model trade-offs per use case
  • GDPR-compliant handling for regulated sectors

Accountability and Certification

Put a human owner on every system, keep an audit trail, and pursue ISO/IEC 42001 where it is worth it.

  • Humans 100 percent responsible for AI output
  • Approval workflows and audit trail for traceability
  • Article 4 AI literacy program
  • ISO/IEC 42001 AIMS certification path

From Shadow AI to Certified Estate

A structured engagement that builds a governance capability your team runs, in four steps from inventory to monitoring.

Step 01: Inventory All AI Use

Find the AI in use across the company, including shadow tools, and build a single overview of every process where AI is involved.

  • AI estate and shadow-AI inventory
  • Named owner assigned per system

Step 02: Categorize by Risk

Categorize each use case against the EU AI Act, GDPR, and ISO/IEC 42001, and bring the use cases into the scope of your ISMS.

  • EU AI Act risk categorization
  • GDPR and sensitive-data assessment
  • ISO/IEC 42001 readiness and ISMS scoping

Step 03: Remediate and Document

Design the approval and release workflows, the audit trail, and the privacy and hosting controls, then close gaps in priority order.

  • Approval and release workflows
  • Audit trail and privacy controls
  • Hosting and model-selection decisions

Step 04: Certify and Monitor

Establish human accountability, satisfy the Article 4 literacy obligation, set the path to ISO/IEC 42001, and hand the running model to your team.

  • Human accountability framework
  • Article 4 AI literacy program
  • ISO/IEC 42001 certification roadmap

Technologies We Work With

Standards, hosting options, and governance practices the program draws on

Standards and Frameworks

EU AI Act
ISO/IEC 42001
GDPR
ISMS
NIST AI RMF

Hosting and Privacy

Self-hosted LLM
Private GPU infrastructure
Cloud model APIs
Privacy controls

Governance and Audit

Shadow-AI discovery
AI use-case register
Approval workflows
Audit trail

Let's Talk

Make Your AI Estate Auditable and Accountable

Book a confidential conversation about EU AI Act readiness, ISO/IEC 42001, GDPR, hosting decisions, and the governance that lets your AI reach production safely.

Based in Düsseldorf, Germany, working with clients across Europe