ClarityGRC

Every module of a working AI-first GRC program.

Not a checklist with a dashboard: an operating system for governance. Each module below is live product, not roadmap.

AI system registry and lifecycle

The atomic unit of AI governance: a living inventory of every AI system in the company, owned and risk-tiered, with the documentation an examiner or customer expects.

  • Lifecycle from concept to production to decommissioned, with model cards and a documented off switch
  • Five-dimension risk classification scored in plain English, with automatic tier upgrades for sensitive cases
  • Periodic reviews scheduled by tier, so high-risk systems get looked at quarterly without anyone remembering to

Intake front door and four approval gates

Employees ask for AI tools somewhere; better here than in a hallway. Requests are triaged, and systems that matter move through four documented decision gates.

  • Employee tool requests triaged to approved, declined, or routed to the registry
  • Prioritize, Fund, Validate, Deploy: fixed scorecard criteria per gate, decisions recorded with rationale
  • Extra fair-lending criteria for systems that influence credit decisions

Impact assessments and AI incidents

High-risk systems get a structured impact assessment before validation. When AI produces a wrong, unsafe, or biased outcome, it gets logged, triaged, and resolved like the operational event it is.

  • Impact assessments required for high-risk systems before Gate 3
  • Incident severity levels with regulatory-reportability tracking
  • Employee grievance channel for AI-related concerns

Obligation register from plain-English questions

Answer a short qualifying profile and the applicability engine maps your business to researched regulation catalogs: which rules apply, what each one obliges you to do, when, and what it costs to miss.

  • Researched catalogs for banking, mortgage lending, healthcare, and field services, with citations and penalty exposure
  • Dated, owned, prioritized duties with recurrence that rolls the next cycle forward on completion
  • Task checklists generated per obligation, plus custom obligations for exam commitments and board resolutions

Policies with grounded AI drafting

The policy engine drafts from your actual context: your systems, vendors, risks, and roles, so the output names real things and ends up enforceable. Then versioning, approval, and attestation make it operational.

  • Nine policy templates from acceptable use to vendor AI, drafted against your live data
  • Version history, approval metadata, review cadence, and staff attestation campaigns
  • Every AI-generated draft carries a confidence band and citations to the records that grounded it

Risks, controls, and testing

A scored risk register tied to a control library that is cross-walked to NIST AI RMF, ISO/IEC 42001, SOC 2, and HIPAA, so one control satisfies many frameworks.

  • Inherent and residual scoring with review cadences that keep themselves wound
  • Control tests on a schedule, with effectiveness rollups and evidence attached to the control
  • A coverage view that shows which framework requirements are met, by which controls, with no double counting

Vendors and AI due diligence

Third parties are where AI sneaks in. The vendor register tracks criticality, data access, contracts, and review cadence, with a standard diligence checklist seeded on every vendor.

  • Due-diligence checklists including AI-specific items for vendors that use or provide AI
  • Contract end and review dates surface in the attention inbox before they bite
  • Diligence documents filed against the vendor

Evidence, exam packs, and audit readiness

Evidence is collected as work happens, tracked for freshness, and assembled into exam-ready packages on demand. The product was built by people who sit across the table from examiners.

  • Evidence register with collection and expiry dates; stale evidence surfaces itself
  • Evidence requests (PBC lists) your auditor or examiner can track to done
  • Quarterly audit-pack snapshots captured automatically, plus an append-only audit trail and legal hold

Reports, board decks, and share links

Deliverables generated from live data, branded to your company: documents you hand to a board, a buyer, or a regulator without rework.

  • Branded Word reports: readiness assessments, governance framework, AI inventory, remediation, and the full policy suite
  • An eleven-slide board deck built from your actual posture, plus CSV and full-register exports
  • Tokenized read-only share links so examiners see a live summary without an account

Advisor escalation and guided decisions

Software where you can, humans where it counts. Ask an advisor from any record and get an answer in a logged thread that becomes part of your governance evidence. For recurring judgment calls, guided decisions document the call in minutes.

  • One-click escalation from obligations, policies, and AI systems to a compliance advisor
  • Guided workflows: classify an AI use case, triage an incident, decide vendor diligence depth, check impact-assessment need
  • Every run logged with its inputs and outcome: a decision log you can show

The 90-day program

A governance program is a sequence, not a checklist. Engagements run a phased clock: assess, establish, operationalize, hand off, with readiness criteria that warn rather than block, and a portfolio view for advisors.

  • Phase targets computed from your start date; slipping phases surface in the attention inbox
  • Readiness checklists per phase, deep-linked to where each gap gets fixed
  • Advance with open criteria when you choose to: the accepted warnings become part of the record

The operating rhythm

Governance fails in the gaps between quarterly panics. One attention inbox unifies due dates, reviews, tests, gates, intakes, and incidents across every module, with a daily digest that matches the dashboard exactly.

  • One feed across every module, ranked by urgency, deep-linked to the fix
  • A daily email digest scoped per company, built from the same feed so email and dashboard never disagree
  • A value recap that shows what the program produced: deliverables, policies, completions, and hours saved

Want to see a module in your own terms?

Bring a real obligation, policy, or AI tool question to the demo and we will run it through the platform live.

Self-serve signup with published pricing is coming. Early access runs through demos.