AI Readiness & Governance Assessment
The entry point. Maturity, risk and sovereignty diagnosis + roadmap. Most companies start here.
The same audit discipline behind 20+ years of regulated systems, now applied to artificial intelligence. Governed, auditable AI you can run in your own environment — your data never leaves for a third-party API — for fintech, insurance, and the public sector.
I cannot send sensitive data — PII, PHI, regulated data — to a third-party cloud AI API.
I am going to use (or already use) AI, but I do not know if it passes an audit or who is accountable when it decides wrong.
I have to satisfy SOC2, HIPAA, the EU AI Act or NIST AI RMF and I do not know where to start.
I want to use AI, but mine cannot be a black box with no traceability or human control.
We inventory your AI use cases, evaluate the sovereignty of your data and the risk of each system, and hand you a go/no-go deployment sheet and a governance roadmap your auditor will respect and your team can actually execute.
Inventory of your AI use cases — current and planned — with their risk level
Data-sovereignty assessment: what leaves your environment and what does not
Mapping to the frameworks that apply to you (NIST AI RMF, EU AI Act, SOC2, HIPAA)
Model attack-surface review (OWASP Top 10 for LLMs 2025)
Per-system go/no-go deployment sheet with its enabling conditions
Prioritized governance and controls roadmap with effort estimates
Live 90-minute leadership presentation + 30-day follow-up
Start with a focused, low-risk diagnosis; from there you decide what to build. The same logic as the Architecture & Compliance Review, applied to AI.
The entry point. Maturity, risk and sovereignty diagnosis + roadmap. Most companies start here.
Deep review against the EU AI Act / NIST AI RMF + due diligence on the model or vendor you plan to use. For teams that already decided to buy or build.
AI deployed in your own environment (on-prem RAG, zero data egress) on a proven reference architecture. Delivery via a senior partner network under my architecture. Typical implementations in the six-figure USD range.
Plenty of people claim "sovereign, auditable AI." These four assets embody it.
A 100% local agentic AI system: the data never leaves the environment. It is the reference architecture, demoable live on the call.
Arquitectura Simbiótica (2nd ed., ISBN 978-628-02-4845-5) proposes human-AI symbiosis as a design discipline; its sequel, El Estado Aumentado, takes the thesis into the public sector with its regulatory frame.
I built the interactive checklist for Colombia’s newest AI security guidelines (Dec 2025) + NIST AI RMF + OWASP for LLMs. Method, not theory — you can use it.
AI integrations and semantic search delivered inside public-sector institutions. Billed experience, not aspiration.
The frameworks that govern AI in regulated and public-sector settings — the same ones I already work against, not ones I read about in a course.
AI Risk Management Framework — Govern, Map, Measure, Manage
European Union AI regulation — risk-tier classification
US controls for security and healthcare data — applied to AI systems
Top 10 security risks in large language models
AI management system — certifiable governance
Colombia’s AI security & privacy guidelines (Dec 2025) — for LATAM operations
AI that runs inside your own environment, where your data never leaves for an external API. For regulated industries it is often the difference between being able to use AI at all — or not.
No. We work on whatever model you choose — including on-prem / open-weight; our layer is governance, data sovereignty, and auditability, not the model. That layer is what your auditor and regulator actually look at.
Yes. The deliverable maps explicitly to the controls of the frameworks that apply to you (NIST AI RMF, EU AI Act, SOC2). It does not replace a formal audit; it gets you ready to pass one.
You deal directly with the senior architect who leads the work and is accountable for it — no juniors, no account managers. Large-scale implementation is delivered by a senior delivery team I lead, and your code, architecture and documentation are yours from day one.
After the discovery call and signed SOW, we typically start within 1 to 2 weeks.
30 minutes, no commitment. I give you an honest read of your exposure — even if you decide not to engage.
How can I help?
Mission-critical software for fintech, insurance and government: architecture, development, modernization, and governed AI.
See servicesMost start with an Architecture & Compliance Review (from USD 5,000), fixed fee.
See the ReviewAI that passes your audit: governed, sovereign, and deployable in your own environment.
See the AI practiceA 30-minute call, no commitment, directly with the senior architect.
Book a callYou talk directly to the architect — no middlemen.