GOVERNANCE · NAVITEC

How we think about governance.

Most of the engagements we are called into involve, at some point, the question of how AI work gets governed inside the organisation. Below is how we think about that work, not as an abstract framework, but as the discipline we bring into the room.

If you want a starting picture of your governance maturity before reading on, the Assess tool gives you one in about fifteen minutes.

SECTION ONE · WHAT AUDITS ARE FOR

Audits establish the baseline.

Traditional audits and GRC assessments are essential. They provide point-in-time assurance: on the day, here is what the controls looked like, here is how the processes performed, here is what was documented. For deterministic, static systems where behaviour is predictable and change is controlled, this model works well. The baseline established during an audit remains valid until significant changes occur.

Audits are not the problem. They are a critical part of mature governance. The challenge is that AI systems do not behave like deterministic, static systems.

SECTION TWO · WHY AI IS DIFFERENT

AI systems are non-deterministic and continuously changing.

AI systems present governance challenges that the existing audit cadence was not designed for. Three in particular show up in every engagement.

Non-deterministic behaviour

The same input can produce different outputs from one call to the next, and model behaviour can change with no change to the organisation's own code, for example when a provider updates the model behind an unchanged endpoint. A "test once, trust always" approach is therefore insufficient: assurance has to be built around observed behaviour over time, not around the code that calls the model.

Continuous change

Providers update models, deprecate versions, change infrastructure, and adjust pricing, often without advance notice. Dependencies shift as teams experiment and iterate. What was true at the last audit may not be true today.

Dependency complexity

AI workflows often involve multiple providers, models, and integration points. Understanding what an organisation depends on, and what changes might affect it, requires continuous visibility rather than periodic inspection.

SECTION THREE · THE GAP BETWEEN AUDITS

Between audits, the picture blurs.

Annual or quarterly audits provide snapshots. Between those snapshots, organisations operate with incomplete visibility: which AI dependencies are currently active, which models or providers are at risk of deprecation, what has changed since the last assessment, and how quickly the organisation could respond to a provider outage or breaking change.

Without answers to these questions, boards and regulators receive outdated assurance. Risk teams cannot assess current exposure. Technical leaders cannot prepare for change. The work of governance becomes reactive when it most needs to be anticipatory.

SECTION FOUR · HOW WE APPROACH IT

Continuous assurance complements audits.

The work we do with clients is designed to sit between audits. Audits establish the baseline. Continuous assurance maintains it. The two are complementary, not competing. Audits tell you where the organisation was on the day. Continuous assurance tells you where it is now.

In practice, this means designing governance frameworks that generate evidence continuously, not retrospectively. It means making AI dependency visibility a standing capability, not a project. It means setting up boards and risk committees to receive accurate, current information about AI use, rather than waiting for the next assessment cycle.

This is not audit replacement. It is audit extension.

SECTION FIVE · PRINCIPLES

Four principles that hold across every engagement.

Audit-complementary, not audit-competitive

We respect the role of traditional audits and GRC frameworks. The work we do is to extend their value, not to replace them. Where an organisation has an existing assurance posture, we build with it, not around it.

Evidence-led

Every recommendation is designed to generate audit-ready evidence. When compliance, regulators, or customers ask a question, the answer should be documented, not asserted.

Calm, accurate communication

Governance work is not the place for hype. Boards and regulators need sober, accurate information. The framing we use in client work avoids the language of crisis on one side and the language of marketing on the other.

Long-term posture

AI governance is not a one-time project. It is an ongoing commitment that needs to outlive any single engagement. The work we leave behind is built to be run by the organisation, not to require us.

NEXT

If the work we describe here fits your situation, the way in is a conversation.

A short call. Thirty minutes, no preparation needed. We talk through where the organisation is today, where the governance posture sits, and where a useful next step might be.
