Saltar al contenido

Governed · sovereign · auditable AI

AI that passes your audit

The same audit discipline behind 20+ years of regulated systems, now applied to artificial intelligence. Governed, auditable AI you can run in your own environment — your data never leaves for a third-party API — for fintech, insurance, and the public sector.

Assessment from USD 6,000 · 2 to 4 weeks

01

You probably recognize one of these

I cannot send sensitive data — PII, PHI, regulated data — to a third-party cloud AI API.

I am going to use (or already use) AI, but I do not know if it passes an audit or who is accountable when it decides wrong.

I have to satisfy SOC2, HIPAA, the EU AI Act or NIST AI RMF and I do not know where to start.

I want to use AI, but mine cannot be a black box with no traceability or human control.


02

What the assessment includes

We inventory your AI use cases, evaluate the sovereignty of your data and the risk of each system, and hand you a go/no-go deployment sheet and a governance roadmap your auditor will respect and your team can actually execute.

01

Inventory of your AI use cases — current and planned — with their risk level

02

Data-sovereignty assessment: what leaves your environment and what does not

03

Mapping to the frameworks that apply to you (NIST AI RMF, EU AI Act, SOC2, HIPAA)

04

Model attack-surface review (OWASP Top 10 for LLMs 2025)

05

Per-system go/no-go deployment sheet with its enabling conditions

06

Prioritized governance and controls roadmap with effort estimates

07

Live 90-minute leadership presentation + 30-day follow-up


03

How it scales

Start with a focused, low-risk diagnosis; from there you decide what to build. The same logic as the Architecture & Compliance Review, applied to AI.

Empieza aquí · Start here

AI Readiness & Governance Assessment

From USD 6,000
2 to 4 weeks

The entry point. Maturity, risk and sovereignty diagnosis + roadmap. Most companies start here.

AI Compliance & Risk Review

From USD 12,000
4 to 6 weeks

Deep review against the EU AI Act / NIST AI RMF + due diligence on the model or vendor you plan to use. For teams that already decided to buy or build.

Sovereign AI Deployment

Quoted by scope
By scope

AI deployed in your own environment (on-prem RAG, zero data egress) on a proven reference architecture. Delivery via a senior partner network under my architecture. Typical implementations in the six-figure USD range.


04

Proof, not promises

Plenty of people claim "sovereign, auditable AI." These four assets embody it.

A working sovereign RAG I built

A 100% local agentic AI system: the data never leaves the environment. It is the reference architecture, demoable live on the call.

Two books on AI and the State

Arquitectura Simbiótica (2nd ed., ISBN 978-628-02-4845-5) proposes human-AI symbiosis as a design discipline; its sequel, El Estado Aumentado, takes the thesis into the public sector with its regulatory frame.

A MinTIC v1.0 compliance tool

I built the interactive checklist for Colombia’s newest AI security guidelines (Dec 2025) + NIST AI RMF + OWASP for LLMs. Method, not theory — you can use it.

AI already in production in government

AI integrations and semantic search delivered inside public-sector institutions. Billed experience, not aspiration.


05

Frameworks we cover

The frameworks that govern AI in regulated and public-sector settings — the same ones I already work against, not ones I read about in a course.

NIST AI RMF

AI Risk Management Framework — Govern, Map, Measure, Manage

EU AI Act

European Union AI regulation — risk-tier classification

SOC2 / HIPAA

US controls for security and healthcare data — applied to AI systems

OWASP LLM 2025

Top 10 security risks in large language models

ISO/IEC 42001

AI management system — certifiable governance

MinTIC v1.0

Colombia’s AI security & privacy guidelines (Dec 2025) — for LATAM operations


06

Frequently asked questions

What is "sovereign AI"?

AI that runs inside your own environment, where your data never leaves for an external API. For regulated industries it is often the difference between being able to use AI at all — or not.

Do you replace OpenAI or Anthropic?

No. We work on whatever model you choose — including on-prem / open-weight; our layer is governance, data sovereignty, and auditability, not the model. That layer is what your auditor and regulator actually look at.

Will this work for my audit?

Yes. The deliverable maps explicitly to the controls of the frameworks that apply to you (NIST AI RMF, EU AI Act, SOC2). It does not replace a formal audit; it gets you ready to pass one.

Who owns the project, and its continuity?

You deal directly with the senior architect who leads the work and is accountable for it — no juniors, no account managers. Large-scale implementation is delivered by a senior delivery team I lead, and your code, architecture and documentation are yours from day one.

How fast can we start?

After the discovery call and signed SOW, we typically start within 1 to 2 weeks.


Would your AI pass an audit today?

30 minutes, no commitment. I give you an honest read of your exposure — even if you decide not to engage.