AI Governance: a regulated risk surface, not a feature.

Cybersecurity protects systems and data from unauthorized access, exfiltration, and disruption. AI governance addresses a different risk surface: what happens when authorized users interact with AI systems that have probabilistic outputs, opaque training, and unpredictable behavior. The two functions overlap on data-leakage prevention and vendor risk, but AI governance also covers model bias, hallucination liability, intellectual-property exposure in training and inference, and US regulatory obligations under Colorado AI Act, NYC LL144, CA AB 2013, FTC Section 5, sector overlays (HIPAA, SR 11-7, CMMC). A mature program runs the two as separate disciplines that share evidence and controls where it makes sense.

Required is a legal question that depends on state, sector, and use case. NYC Local Law 144 requires annual bias audits for any automated employment decision tool used in NYC. California AB 2013 (effective January 2026) requires generative-AI training data summaries. Colorado's amended AI law (SB 26-189, effective 2027) sets transparency and disclosure obligations for automated decision systems after the original SB 24-205 risk-management regime was repealed. NIST AI RMF is voluntary but is rapidly becoming the baseline for procurement, insurance, and customer-facing assurance. For US SMBs operating in regulated industries (healthcare, financial services, legal, manufacturing), the practical answer is yes. Customers and regulators expect documented AI risk management whether or not a specific statute names you. We build programs sized to the organization rather than enterprise-scale frameworks shoehorned in.

Yes. Note that Colorado's original AI Act (SB 24-205) was repealed and replaced by SB 26-189, signed in May 2026 and effective January 2027. The amended law drops the risk-management programs, impact assessments, and duty of care, and is now a narrower transparency and disclosure regime for automated decision systems. We classify your systems by consequential-decision use (employment, healthcare, financial services, education, housing, insurance, legal, criminal justice, or government services), implement the disclosure obligations the amended law expects, and build the underlying risk-management documentation on NIST AI RMF and ISO/IEC 42001 so you are covered regardless of how the statute evolves. We map your obligations to your specific deployment categories and operating states.

Copilot is the highest-volume AI surface in most organizations and the one with the broadest data exposure. We configure Copilot at the tenant level (data-loss prevention, sensitivity labels, restricted SharePoint access, audit-log retention), define and enforce an acceptable use policy, and run quarterly reviews of usage patterns and exposure. Customers running Microsoft Purview AI Hub get our help operationalizing the signal it produces; customers without Purview get equivalent monitoring through other tooling. The governance pattern is the same; the tools vary with your stack.

Yes, and healthcare is one of the verticals where we have the deepest pattern library. Clinical AI scribes (Abridge, Suki, DAX, Heidi and the rest), billing copilots, and AI-embedded EHR features all sit in scope under HIPAA Security Rule, HHS-OCR Section 1557 algorithmic non-discrimination, Colorado's amended AI law (SB 26-189) disclosure obligations, and state health-privacy laws (CMIA, MHMDA, NY SHIELD, TX MRPA). We negotiate AI-vendor BAAs, document data flows for ePHI exposure, and produce evidence packs that satisfy HIPAA OCR audits and AI-specific regulatory questions. See our healthcare industry page for the bundled offering.

AI Pen-Test is a separate engagement, billed as a fixed-fee add-on per testing window. We run adversarial testing covering prompt injection, jailbreak resistance, training-data exfiltration, model theft, output integrity, and agent guardrail bypass. The deliverable is a written report with reproduction steps, severity ratings, and remediation recommendations. Annual AI Pen-Tests are included as part of the highest-tier managed AI governance retainer.

We have operational experience across the major LLM providers (OpenAI, Anthropic, Google, Microsoft, Meta), the enterprise AI assistants (M365 Copilot, ChatGPT Enterprise, Claude Enterprise, Gemini for Workspace), the AI-embedded productivity layer (Notion AI, Salesforce Einstein, Zoom AI Companion, Slack AI), and the vertical AI ecosystem (clinical scribes, contract analytics, sales intelligence, fraud detection). For custom-deployed models we operate the standard stack: AWS Bedrock, Azure OpenAI, Google Vertex AI, and self-hosted inference.

Two to three weeks for the typical mid-market environment. The deliverable is a written report covering the full AI inventory, vendor risk assessment, policy gap analysis, NIST AI RMF and ISO 42001 mapping, a US AI risk-tier classification (NIST AI RMF tiers + state-law overlay including Colorado SB 26-189 disclosure + sector context), the top twenty prioritized risks, and an executive briefing. Larger or more complex environments take four to six weeks. The audit is fixed-fee and converts to a managed retainer with the audit fee credited toward the first quarter for customers who continue.

We build a state-by-state applicability matrix anchored to the strictest applicable law per use case. Colorado's amended AI law (SB 26-189, effective 2027) sets transparency and disclosure obligations for automated decision systems. NYC LL144 applies the moment you use any automated employment decision tool on an NYC resident. California AB 2013 + SB 1001 applies to gen-AI training data summaries and bot disclosure for California users. Illinois HB 3773 restricts AI in hiring video interviews. Utah SB 149 imposes disclosure. Tennessee ELVIS Act creates civil liability for voice cloning. Your controls are designed to satisfy the strictest applicable law per use case rather than fragmenting policy per state.

Tooling is the easy part. The hard part is the operational discipline that turns tool signal into evidence, decisions, and remediation. We layer our governance program on top of whatever tooling you already have, including Purview AI Hub, Google AI Hub, Cisco AI Defense, Wiz AI-SPM, and the rest of the emerging market. Customers without dedicated tooling get equivalent coverage through logs and audits in their existing security stack.