AI GOVERNANCE & COMPLIANCE · SERVICENOW AI CONTROL TOWER · IRM / GRC · ENTERPRISE SERVICE MANAGEMENT · PROCESS RE-ENGINEERING · EU AI ACT · ISO/IEC 42001 · UK GDPR & DPIAs
AI Governance

AI Governance: A Ladder, Not a Cliff

Ten productised AI governance services, ordered from a free 10-minute self-assessment all the way to an ISO/IEC 42001 certification pathway. Start where you are; we'll tell you which rung is the right next step. Every paid service is fixed-price and time-bound, with no open-ended day rates.

Need the platform and process behind it? Explore our ServiceNow and Enterprise Service Management practices. Just need an AI policy? See AI policy for SMEs.

00
Free · 10 Minutes

AI Readiness Scorecard

Start here. Find out where you stand in ten minutes, free.

The Problem We Solve

Most SMEs don't know whether AI rules apply to them at all. A long sales call is the wrong way to find out. So we built a free 10-minute self-assessment you can take anonymously, covering how your team uses AI, whether you make automated decisions about people, whether you sell into the EU, and which UK rules and voluntary frameworks are most relevant to you.

What You Receive

A RAG-rated readiness score across ten governance dimensions
A plain-English summary of which UK rules and benchmarks apply to you
A recommended next step: from "you're fine, here's a checklist" to "book a consultation"
No salesperson, no follow-up unless you ask

Who This Is For

Anyone curious about their AI exposure. Founders, ops directors, HR leads, compliance managers, IT leads: anywhere AI is creeping into the day-to-day.

10 minutes · Self-paced online
Free · Email gate only
Instant report · Delivered to your inbox
01
Triage · 30 to 60 Minutes

AI Exposure & Scope Check

A 30-minute call to confirm what actually applies, and what doesn't.

The Problem We Solve

The hardest question for any UK SME using AI is the most basic one: which rules are we actually subject to? The EU AI Act gets the headlines but it's only a legal duty for firms that touch the EU market. UK GDPR, the reformed Article 22 rules under the Data (Use & Access) Act 2025, and the Equality Act bite far more often, plus your sector regulator. We unpack that with you in a single call.

What We Do

A focused conversation with someone who understands both your sector and the regulatory landscape. We walk through how your business actually uses AI, then map that against UK legal duties (Bucket 1) and voluntary best-practice frameworks (Bucket 2). Most clients leave reassured. The few who don't get a clear, proportionate roadmap.

What You Receive

A short written summary of which rules apply to you and why
A clear split between "legal duty" and "voluntary best practice"
A prioritised list of next steps (most clients need fewer than they feared)
Honest scoping for any further work you actually need
30–60 minutes · By video or phone
Free intro / low-cost · No obligation
02
Baseline · 1 to 2 Weeks

AIME-based AI Governance Health Check

A government-backed maturity score across ten governance dimensions.

The Problem We Solve

DSIT's AI Management Essentials (AIME) is the UK government's free, SME-friendly AI governance baseline, built on ISO/IEC 42001, the EU AI Act and the NIST AI Risk Management Framework. It's a thorough self-assessment but not a certification, and most teams who try to run it alone get stuck on what "good" looks like. We run it with you, properly.

What We Do

We work through the AIME questionnaire with your team, score each of the ten governance dimensions (fairness, transparency, accountability, oversight, third-party communication and the rest), and turn the result into a maturity report with a prioritised, proportionate action plan. Government framework plus our expertise equals instant board credibility.

What You Receive

Completed AIME self-assessment across all ten dimensions
Maturity heatmap showing strengths and the highest-leverage gaps
Prioritised action plan with effort estimates
A clear pathway toward ISO/IEC 42001 alignment if that's your end-goal
Board-ready summary
1–2 weeks · From engagement
Fixed price · Contact us for a quote
UK government framework · DSIT AIME
03
EU-Exposed · 2 to 3 Weeks

EU AI Act Rapid Audit

For UK firms whose AI touches the EU market. Compliance, not best-practice.

The Problem We Solve

If you sell products into the EU, provide services to EU users, or operate AI systems whose output is used in the EU, the EU AI Act is a hard legal duty for you, not a benchmark. The 2 August 2026 enforcement window for the high-risk obligations is now close, and the Act is complex enough that most in-house teams can't safely self-assess.

What We Do

We give you a complete picture of your EU AI Act exposure in two to three weeks. We inventory your AI systems, classify each one against the Act's risk tiers (unacceptable, high, limited, minimal), gap-test against the high-risk obligations, and deliver a written audit report with prioritised actions before the enforcement deadline.

What You Receive

Written AI systems inventory across your organisation
Risk classification for each system under the EU AI Act
Gap analysis against high-risk obligations
Prioritised action plan with timescales
Executive summary suitable for board or legal review

Who This Is For

UK manufacturers and exporters with EU customers, SaaS firms whose products are accessed by EU users, healthcare and life-sciences firms with EU clinical or commercial operations, and any UK business that sells into or operates within the EU market. For purely domestic UK businesses, the EU AI Act is voluntary best practice and we'd typically point you to the AIME Health Check instead.

2–3 weeks · Timescale from engagement
Fixed price · Contact us for a quote
Written deliverable · Full audit report
04
Article 22 · 2 to 3 Weeks

Automated Decision-Making Audit

For HR, recruitment, credit, insurance and pricing teams. UK legal duty, today.

The Problem We Solve

The Data (Use & Access) Act 2025 reformed Article 22 of UK GDPR: the rules on solely-automated decisions with legal or "similarly significant" effects on people. These rules are already in force, and they hit hiring, credit, insurance, pricing and recruitment harder than anything in the EU AI Act. They're also where you have real Equality Act exposure if your model produces biased outcomes against protected characteristics.

What We Do

A focused audit of every automated decision your AI makes about a person. We map the decision flow, identify where Article 22 conditions apply, assess your safeguards (meaningful human involvement, information rights, contestability), and stress-test for algorithmic bias against the Equality Act's protected characteristics.

What You Receive

Inventory of solely-automated and significantly-automated decisions
Article 22 conditions and safeguards assessment
Equality Act bias-risk review against protected characteristics
Contestability and human-review process recommendations
DPIA template and ICO-aligned documentation

Who This Is For

HR and people teams using algorithmic CV screening or candidate ranking. Recruitment agencies. Lenders and credit-scoring teams. Insurers. Retailers using personalised pricing. Anyone whose AI decides things about a customer or employee.

2–3 weeks · Timescale from engagement
Fixed price · Contact us for a quote
05
Governance · 4 to 6 Weeks

ISO 42001-Aligned Governance Framework

Know what your AI is doing. Prove it to anyone who asks, against a certifiable standard.

The Problem We Solve

Audit findings are only useful if you act on them. Most businesses that complete an AI audit then struggle to build the governance infrastructure around it: the AI register, policies, decision audit trails and human oversight controls that regulators, insurers, customers and procurement teams increasingly demand. We build that infrastructure and align it to ISO/IEC 42001 so you have a credible certifiable end-state.

What We Do

A complete AI governance framework. AI systems register, decision audit trail architecture, staff training materials, transparency and explainability documentation, and the human oversight controls that high-risk systems require. Built to ISO/IEC 42001 structure throughout, so if certification ever becomes commercially valuable you're already most of the way there.

What You Receive

AI systems register with risk classifications
Decision audit trail design and implementation guidance
Transparency and explainability documentation
Human oversight control framework
Staff guidance and AI literacy training materials
Board-ready AI governance policy, ISO 42001-aligned
4–6 weeks · Timescale from engagement
Fixed price · Contact us for a scoped quote
ISO 42001-aligned · Certifiable end-state
06
Policy · 1 to 2 Weeks

AI Policy Starter Pack

Your team is already using ChatGPT. Get a policy around it in under a fortnight.

The Problem We Solve

Most SMEs have staff quietly using generative AI tools without a policy, without an inventory, and without any literacy training. That's the easy yes that anyone can act on. The EU AI Act's Article 4 explicitly expects AI literacy for any organisation deploying AI, which is becoming a baseline procurement expectation even for purely domestic firms.

What We Do

A done-for-you policy and governance starter pack. We give you an acceptable-use policy tailored to your business, a simple AI system register your team will actually maintain, role and accountability assignments, and a short AI-literacy module for your staff.

What You Receive

Tailored acceptable-use policy for AI tools
AI system inventory / register template, pre-populated for your stack
Role and accountability matrix (who owns AI risk, who reviews, who signs off)
Staff AI-literacy training pack (Article 4 aligned)
Quarterly refresh checklist
1–2 weeks · From engagement
Fixed price · SME-friendly
07
Security · 3 to 4 Weeks

AI Controls & Security Assessment

Your AI estate is growing. Aligned to NCSC AI cyber-security guidance.

The Problem We Solve

AI systems introduce new attack surfaces, data risks and operational vulnerabilities that traditional IT security frameworks weren't designed to address. As AI adoption accelerates, most organisations have accumulated a sprawling, undocumented AI estate with little visibility over what data it processes, what decisions it influences, and where it is exposed.

What We Do

A comprehensive security and controls assessment of your AI estate, aligned to NCSC and DSIT AI cyber-security guidance. We map what you have, identify vulnerabilities, assess data-handling risks, and deliver a prioritised remediation plan.

What You Receive

Full AI estate discovery and mapping
Security vulnerability assessment
Data handling and privacy risk analysis
Controls gap analysis against NCSC AI guidance
Prioritised remediation roadmap
AI security controls framework documentation
3–4 weeks · Timescale from engagement
Fixed price · Contact us for a quote
08
Implementation · 6 to 12 Weeks

Agentic AI Implementation

Stop using AI to advise. Start using AI to act, governed from day one.

The Problem We Solve

Most businesses use AI reactively: a chatbot here, a summarisation tool there. The real competitive advantage comes from agentic AI: systems that independently take actions, manage workflows and make decisions within defined parameters. Building it correctly, with the governance, oversight and controls the regulators (and your customers) expect, demands specialist expertise most organisations don't have in-house.

What We Do

We design, build and deploy agentic AI systems for your specific business context. From automated customer handling to internal process orchestration, the systems work autonomously within clearly defined guardrails, with compliance architecture embedded from day one, not retrofitted.

What You Receive

Discovery and scoping workshop
Agentic AI system design and architecture
Build, test, and deployment
Compliance documentation for the deployed system
Staff handover and training
30-day post-deployment support
6–12 weeks · Depending on scope
Tailored proposal · Contact us to discuss your use case
09
Long-Term · Ongoing Retainer

ISO/IEC 42001 Certification Pathway

The end-state. The only certifiable international AI-management-system standard.

The Problem We Solve

ISO/IEC 42001:2023 is the only certifiable international standard for AI management systems. Under 100 organisations worldwide are currently certified. It's becoming a powerful procurement and trust signal, particularly for SaaS firms, regulated sectors and anyone selling enterprise. Getting there is a multi-year journey if you go it alone. We shorten it.

What We Do

An ongoing retainer that takes you from your current governance baseline through to certification readiness. Gap analysis against ISO 42001, controls implementation, internal audit cycles, management review preparation and liaison with your certification body. Designed to run alongside your existing AIME and ISO 27001 work.

What You Receive

ISO 42001 gap analysis against your current state
Controls implementation roadmap with quarterly milestones
Documented AI management system aligned to Annex A controls
Internal audit programme and management review cycle
Certification body liaison and stage 1 / stage 2 audit preparation
Ongoing · Monthly retainer
Scoped proposal · Based on your starting maturity
Trust signal · Under 100 firms globally
Not Sure Where to Start?

Start at Rung 00. It's Free.

Take the 10-minute AI Readiness Scorecard. It'll tell you where you sit across the ten AIME governance dimensions, which UK rules and benchmarks actually apply, and which rung of the ladder is the right next step. No salesperson, no follow-up unless you ask.