Alvor Advisory

Assess + Architect · AI

AI security and governance, before adoption hardens into habit.

Your teams are already using AI. We find where, what it exposes, and design the control plane that makes adoption governable: anchored to ISO/IEC 42001 and the NIST AI RMF, and mapped into the same unified control set as the rest of your security program.


Scope and price agreed in writing before any work. No obligation.

[Figure: The AI control plane. Functions: Govern, Map, Measure, Manage. Covered: assistants, LLM feature, pipelines, vendor AI, shadow AI (discovered). Anchors: ISO/IEC 42001, NIST AI RMF. One control set with the program.]

ISO/IEC 42001 · NIST AI RMF · Shadow-AI discovery first · One control set with the rest of the program

Three positions organisations are in.

Adoption is ahead of governance

Assistants, copilots, and AI features are in daily use across the business, and the acceptable-use policy was written before any of them existed. You need to see the real usage before writing rules for it.

AI is in the product

You ship AI-backed features, and customers' security teams have started asking how the models, the training data, and the outputs are governed. The answer needs to be a framework, not a paragraph.

The question reached the board

A director, regulator, insurer, or the EU AI Act's reach has put AI governance on the agenda, and someone has to turn the question into a scoped, evidenced answer.

What you are commissioning

Two engagements, one path.

This page is backed by two named engagements: the assessment that maps your real AI exposure, and the architecture that designs the control plane. Each is scoped and priced on its own, and each stands alone.

Assess track · Scoped · Typically 2–4 weeks

AI Security and Governance Assessment

See where AI is already in your business, and what it exposes.

Best for organisations whose AI adoption is running ahead of governance.

Includes

  • Shadow-AI discovery: the tools, models, and assistants already in use
  • Data and model-pipeline exposure review, from training data to outputs
  • Third-party AI risk across the vendors and features you already rely on
  • Findings mapped to ISO/IEC 42001 and the NIST AI RMF

Deliverables

  • AI usage inventory
  • Exposure findings report
  • AI governance gap register

Architect track · Scoped · Typically 3–6 weeks

AI Governance and Control Architecture

An AI control plane, designed before adoption hardens into habit.

Best for organisations putting AI into products or workflows.

Includes

  • An AI governance framework anchored to ISO/IEC 42001 and the NIST AI RMF
  • Guardrails for data, models, and pipelines your engineers can build against
  • Acceptable-use, procurement, and third-party AI controls
  • Mapped into the same unified control set as the rest of the program

Deliverables

  • AI control-plane design
  • AI policy and guardrail set
  • ISO 42001 readiness map

The standardised assessments are fixed-fee. Every other engagement is scoped and priced in writing before you commit, from a one-off review to a managed service.

The method

How we make AI governable.

01

Discovery before doctrine

We inventory the AI actually in use (the sanctioned tools, the shadow adoption, and the AI features inside software you already run) before a single policy is written. Rules written against reality get followed; rules written against an org chart get bypassed.

02

The exposure, end to end

From training data to model pipelines to outputs and the third-party AI you inherit through vendors: what data leaves, where it lands, what comes back, and what an attacker or a regulator would make of each.

03

Anchored to the standards that are landing

The control plane is designed on ISO/IEC 42001, the certifiable AI management system standard, and the NIST AI RMF's govern, map, measure, and manage functions, with the EU AI Act's risk-based obligations mapped where they bind you.

04

Not a parallel bureaucracy

AI controls join the same unified control set as the rest of your program, with one evidence base. The fastest way to make AI governance fail is to run it as a second compliance program competing for the same people.

The sequence

Assess what is, then architect what should be.

The two engagements run best in sequence, and the gate between them is a decision that stays yours.

  1. The assessment maps real usage, exposure, and third-party AI risk, typically in two to four weeks
  2. The architecture designs the control plane, policies, and guardrails your engineers build against
  3. Both resolve into the same gap register and control set as the wider program

Questions

What teams ask about this engagement.

Will you help us ban AI tools?

That is rarely the assignment we recommend. Blanket bans push usage into the shadows, where it is ungoverned and invisible. The goal is governed adoption: knowing what is in use, deciding what is acceptable, and putting guardrails where the risk actually is.

What is ISO/IEC 42001?

The international standard for an AI management system, structured like ISO 27001 but for how an organisation governs its development and use of AI. It is certifiable, and it is fast becoming the reference customers and regulators reach for when they ask how AI is governed.

How does the NIST AI RMF fit alongside NIST CSF?

They are complementary: the CSF frames the security program, the AI RMF frames trustworthy AI through its govern, map, measure, and manage functions. We design the AI controls so they map into both, inside the same unified control set, rather than as a second framework to maintain.

Does the EU AI Act apply to us?

If you place AI systems on the EU market or their outputs are used in the EU, parts of it can, with obligations scaled by risk class. Where it binds you, we map the obligations into the control plane; where it does not, we say so plainly rather than selling regulation as fear.

We built an LLM feature into our product. Is that in scope?

Yes. The model and data pipeline review covers exactly this: what the feature ingests, what it can disclose, how prompts and outputs are controlled and logged, and what your customers' security teams will ask about it.


Scope it before you commit to it.

One conversation, then the scope and the price in writing. Your enquiry arrives already marked for AI Security & Governance.

© 2026 Alvor, Inc. All rights reserved.
