Enterprise AI Governance & Safety Advisory
You asked for AI Governance.
You got Excel checklists, confused boards and a set of principles engineers can't use.
If it feels like it's all being improvised by people who don't understand the tech... you're probably right.
Stop paying for theatre. Call in the experts.
Trusted by
The Problem
You can't run your business on AI that's governed like a side hustle.
Most of what's sold as AI governance is theatre: an ethics board, a set of principles, a policy document, a workshop for the leadership team. The board shrugs and approves, lots of people talk about bias, HR create a community page, and it all melts on contact with the actual technology.
A business that barely knows what it has deployed gives governance no grip. So a framework full of "shoulds" meets a team that deals in specifics innovating with a technology that evolves daily. The result is foreseeable.
AI governance is the set of controls, evidence and decision rights that make an organisation's use of AI deliberate and accountable. It is operational, and it's based on confidence and understanding. You cannot govern what you cannot evaluate, you cannot evaluate what you do not measure, and you cannot provide useful measures for a system that you don't really grasp.
87% of executives claim to have clear AI governance frameworks, but fewer than 25% have fully implemented the technical tools to manage risks.
Source: IBM Newsroom
A framework is a structure, and a structure is easy to approve. But unconnected to technical implementation it's window dressing. A governance function that only has the ability to advise means the delivery timeline decides what ships. This is why AI governance frameworks fail. Real governance is the work of making your organisation's AI practice intentional.
"Should" is not a control. It never will be.
Impact
This isn't a failure of intent. Most organisations have the framework, the principles, the committee. But it stalls when governance has to leave the document and start running inside the technology: continuous evaluation, instrumentation, controls that live in the stack.
That is a different order of difficulty and well outside the comfort zone of most AI governance programs. It is the edge of what they can currently execute, not the edge of their intent
AI doesn't wait for them to catch up. The gap widens with every model pushed to production without triage, every vendor claim taken on trust, every system running that no-one is watching, every new model release.
>60%
are already using or plan to use agentic AI this year
Source: Cloud Security Alliance & Google Cloud
<28%
of respondents are confident they can secure AI used in core business operations
Source: Cloud Security Alliance & Google Cloud
<1%
of organisations have fully operationalised responsible AI
Source: World Economic Forum
The work product
None of this is a slide deck or a policy pack. Each is a working component that runs inside your systems, tuned to your models and your risk. Built to your environment, not lifted from a template.
Scrutiny scaled to consequence: heavy where it matters, light where it doesn't.
A triage that sorts every use case by what happens if it goes wrong, so a customer-facing credit model and an internal meeting-notes summariser don't carry the same paperwork. Each tier sets its own decision rights, escalation path, and evidence bar. A separate procurement track puts vendor "responsible AI" claims through real due diligence before the contract is signed, not after the incident.
A live inventory of every model, dataset, prompt, tool, and agent in production, each with an owner.
Most large organisations cannot name every model they have running, let alone the prompts, agents, and datasets feeding it. This is the discovery exercise that finds them, then tracks lineage, provenance, and dependencies as they change. It is the difference between an estate you manage and one you hope is behaving.
A risk model drawn from your actual systems, mapped to the standards you'll be audited against.
Generic risk registers list harms that could happen to anyone. This one is built from your own models, agents, and data flows, then mapped against ISO 42001, NIST AI RMF, the EU AI Act, and OWASP CycloneDX so every risk traces to a specific system and a specific control. It is the artefact that lets your risk committee and your engineers point at the same row and mean the same thing.
A versioned library of controls: input filters, output checks, and policy enforcers, tested and ready to drop in.
Without a shared library, every team rebuilds the same input filters and output checks slightly differently, none of them audited, none reusable. This collects them as versioned, tested controls any team can pull into a deployment, and gives the Bill of Materials something real to point at. As it grows it becomes the shared standard a community of practice forms around, rather than a policy nobody reads.
Continuous evaluation, tracing, and drift detection wired into your CI/CD, running on every change.
Before a model ships, evaluation suites test it for accuracy, bias, and capability limits. Once it is live, tracing and drift detection watch its real behaviour and route a failure into your incident process the same way a Sev-1 outage would. The audit trail a regulator asks for is generated automatically, as a by-product of running the thing.
Decision-traceability, hard constraint layers, and red-teaming for systems that act without a human in the loop.
When an agent can place an order, send a message, or change a record on its own, a wrong step stops being a wrong answer and becomes a wrong action that has already happened. This bounds what an agent is allowed to do, traces why it did what it did, and red-teams it for failure modes a conventional risk framework never anticipated. The constraints have to hold at machine speed, because nobody is reading along.
Each of these runs continuously, and each produces a decision that lands on someone's desk: a drift alert, a model nobody had catalogued, an action just blocked in a live system. They arrive at commit speed; governance runs at committee speed. And there is nowhere for them to land.
How this plays out
It almost never arrives as "our governance doesn't work." It arrives as pressure: a finding, a question the board can't answer, a headline. Underneath, two things are missing at once: an instrument that governs the real systems rather than an abstraction of them, and an organisation able to reason about what it would surface, let alone act in time.
Build the first without the second and the problem only moves: the signals arrive faster than any committee can meet, in a language the people who must act can't yet reason in. So the work runs on both. One half is instruments wired to the actual technology. The other is an organisation that can use them: the capacity to reason about risk together, decisions pushed to where the work happens, and a language for risk that holds from the engineer to the board. Where it starts depends on what's missing. Three shapes it has taken.
Scenario:
A regulatory finding had landed. The board was being asked questions it couldn't answer.
Underneath the finding, the engineering team had models in production with no agreed measures of performance, no instrumentation, and no shared vocabulary for what "working" meant. Assurance presumes a practice that can be assured, and there wasn't one yet. So the first task was not the governance framework. It was defining what good looked like in operational terms, instrumenting the systems already running, and giving the team ways to recognise failure before the regulator did.
The framework followed, with something to govern.
Scenario:
The board was asking about AI risk appetite. Nobody could answer.
The conversation kept stalling because the people being asked to set appetite had no working understanding of what they were setting it for. The exec team had been through training that left them more confident and no more capable: a panel of specialists explaining their specialisms, none of it integrated, none of it pitched at the altitude a board member actually needs. The work became rebuilding what executive AI literacy means: enough technical understanding to ask precise questions, enough strategic framing to allocate capital intelligently, enough governance fluency to set appetite without being captured by the people they are meant to be governing.
Risk appetite is downstream of comprehension. The comprehension had to be built first.
Scenario:
The systems were already past where the field had answers.
This team was technically deep and its practice was already intentional. The questions they were asking sat at the genuine frontier of the field, and the governance specialists they brought in could not grasp the situation. The work was building safety frameworks for systems whose failure modes are not yet well understood by anyone: agentic architectures, multi-agent coordination, self-modifying behaviour. Constraint architectures, red-team methodologies, and decision-traceability for systems acting without a human in the loop, where there is no established best practice to lean on.
What gets built here is what the rest of the field eventually inherits.
About
Work like this only holds when several disciplines meet in one person: safety research at the frontier, a hand in writing the standards, the hard-won craft of operationalising governance inside large regulated organisations, and the change practice that decides whether any of it gets adopted. Most people have one. The engagements that fail, fail at the seams between them.
Fifteen years in AI and machine learning, a decade specifically in AI governance and safety, and more than thirty enterprise engagements across banking, insurance, energy, healthcare, and telecom.
"I help executives turn a vision into reliable assets, and engineers turn experiments into trusted systems."
That's what makes this work. A risk taxonomy that maps to your actual technology. Governance requirements that your engineers can implement without interpretation. Board assurance that is technically honest, and a board who are confident in having those conversations.
At SingularityNET I built safety frameworks for frontier AGI systems. At nib I'm operationalising ISO 42001 and NIST AI RMF through governance boards, LLM evaluation pipelines, and agentic observability infrastructure, working with engineers on exactly how guardrails land in their stack and with the risk committee on what that means in terms they can act on.
Insights
You can't assert one correct answer for a system that's never the same twice. What AI agent evals are, the three ways to judge quality, and why you grade the path, not just the output.
Read more - Why You Can't Unit-Test an AI AgentAn AI agent can return a clean 200, pass every health check and still be wrong. Why agent reliability needs observability and evals, not just uptime dashboards.
Read more - Why Your Monitoring Stack Can't See an Agent FailingI've spent more time than is healthy over the past few months observing something oozing out of the woodwork across multiple online AI communities.
Read more - Echo in the Machine - The Emergence of Group AI PsychosisThe "Stochastic Parrot" observation has always been intriguing to me.
Read more - The Narrow Band: On Models and RealityThere has been a subtle shift in the boardroom conversation about AI.
Read more - An 'AI-Ready' Culture is More Than Just TrainingAudit committees know how to ask whether AI is compliant and whether vendors are managed. The questions that create real accountability - the error rate on decisions that affect customers, whether any decision can be reconstructed, who can halt a deployment — rarely get raised.
Read more - Audit Committees Are Asking the Wrong AI QuestionsThe discipline that was supposed to prevent AI harm produced frameworks, principles, and declarations - then largely watched as the industry did whatever it was going to do anyway. The same pattern is repeating in AI governance right now.
Read more - Should Is Not a Control: How AI Ethics Built Its Own GraveyardUsing large language models to evaluate large language models introduces a class of systematic bias that most evaluation pipelines are not designed to detect.
Read more - The LLM-as-Judge Problem You Can't Calibrate AwayMost AI governance frameworks fail not from bad design but because the governance team can advise on a deployment without the authority to stop it.
Read more - Why Most AI Governance Frameworks Fail Before They StartA single model's failure modes can be enumerated; a multi-agent system's cannot, so a completed red team gives boards less assurance than they assume.
Read more - Red-Teaming Multi-Agent Systems: The Assurance It Can't GiveA practical look at how international standards translate into audit-ready enterprise posture.
Read more - IEEE P2863: Shaping the International Language of AI AccountabilityEnterprise AI projects rarely fail on the model. They fail on the organisation around it.
Read more - From Pilot Purgatory to Production: The AI Deployment ProblemWhat is an AI audit trail, and why are logs not enough? How to build audit trails for AI models that reconstruct decisions for compliance and governance review.
Read more - The Inference Audit Trail: Making Every AI Decision AccountableHard constraints, soft constraints and approval gates: why enterprise AI agent safety belongs at the tool level, not the model level, and how to build it.
Read more - Constraint Architecture for Autonomous AgentsOne of the inherent weaknesses of Large Language Models (LLMs) like GPT-4 is their struggle with grounding in reality.
Read more - To the Curators, Go the Spoils: The Rising Power in Graph-Enhanced AI ModelsEthical debt in artificial intelligence refers to the accumulated cost of unresolved ethical issues that arise during a system's design, development, and deployment.
Read more - Ethical debt - Rusting the machinery of progressThe rapid advancement of Artificial Intelligence (AI) and other emerging technologies has created new opportunities and challenges for businesses, requiring them to adapt and evolve.
Read more - Human Resources: Empowering the organisation to make responsible-use decisionsThe rapid advancement of Artificial Intelligence (AI) offers businesses of all sizes the opportunity to gain a competitive edge.
Read more - Joining the AI Party: Practical Steps for Smaller BusinessesEmerging technologies, particularly artificial intelligence (AI), machine learning (ML), and generative AI, present both opportunities and challenges for businesses across industries.
Read more - AI Governance for the BoardGenerative AI offers significant opportunities for business transformation through automating content generation, enhancing creativity, and unlocking new revenue streams.
Read more - Interim Policy for Generative AIThe AI use-cases are mounting up for small and medium enterprises (SMEs).
Read more - SMEs and Start-ups: Use AI and keep the trustThank you for providing to the people of Australia an opportunity to respond to key questions regarding Australia's AI Strategy in the form of the AI Action Plan Consultation Paper.
Read more - Australia's AI Action Plan – An Open ResponseThis reality of AI tech adoption in our private and public institutions struggles to fit into frameworks created to promote responsible and ethical use which focus heavily on the development process as the locus to effect positive outcomes.
Read more - Implementing AI Ethics: Complex architecturesMLOps, the big-bet for scaling Machine Learning, promises seamless development through to in-life use of models using automated, DevOps CI/CD workflows, but what does this mean for an AI Ethics discipline that has focused its fire-power on single-shot development projects?
Read more - MLOps - Fast-tracking AI Ethics?Contact
If you're a CRO, CISO, CDO, or board member trying to get ahead of AI risk, rather than catch up to it, I'd like to hear from you.
That might be building your first governance framework, hardening an enterprise-scale agentic deployment, stress-testing what your engineers have already built, or preparing your leadership team for what's coming. Bring the specific problem, and I'll tell you directly where I can help.
Message sent.
Thanks - I'll be in touch shortly.
