Audit-readiness, before the regulator asks.
A 1-2 week independent assessment of your AI deployment against the regulatory framework you have to comply with (CBUAE 2/2026, EU AI Act, ISO 42001, SOC 2, the UAE AI Charter, or others). We walk in, look at what you have, name the gaps, and produce a prioritised remediation roadmap. Fixed-fee engagement, repeated annually as frameworks and your AI both move.
Methodology
/ 4 phasesScope kickoff
We agree which AI systems are in scope, which regulatory framework the assessment maps to, and what evidence access we will need. We name a single counterpart on your side with sign-off authority for the engagement.
Document review
We read your existing AI policy, model inventory, vendor contracts, board papers, incident logs, change-management process, decision logs, and any prior audit reports. Where documentation is missing, that itself is a finding.
Interviews
Structured interviews with the people who actually run the AI systems, plus the CISO, the DPO, the Head of Risk, and whoever owns regulator communications. The question we are answering: if a regulator walked in tomorrow and asked you 14 specific questions, what would the answer be?
Gap analysis and roadmap
We fill in the framework-specific control scorecard (14 controls for CBUAE 2/2026, the equivalent for whichever framework is in scope), name every gap with evidence, and produce a prioritised remediation roadmap sequenced against your regulatory deadline. Findings workshop with your team on Day 9, signed final report delivered on Day 10.
Engagement shape
/ what you sign up for- 01Gap-analysis report, signed and dated, scoring your current state against every control in the target framework
- 02Prioritised remediation roadmap, sequenced against your regulatory deadline (e.g. CBUAE 2/2026 compliance by 16 September 2026)
- 03Evidence pack template, framework-specific, that your team can fill in as remediation work lands
- 04Annual reassessment scope, baked into the engagement so the gap analysis stays current as the framework and your AI both move
Mappings
/ 7 frameworksEvidence
/ forthcomingThe proof for this pillar gets linked here as we ship public scorecards and clear case studies for publication. We do not backfill this section with placeholders; evidence appears here only when it lands.
Why readiness audits exist
According to Grant Thornton's 2026 survey, 78% of executives cannot confidently pass an independent AI governance audit within 90 days. That number is the reason this pillar exists.
A readiness audit is not the regulator, it is the dress rehearsal before the regulator. An independent third party walks through your AI deployment with the framework checklist in hand, names what would pass and what would not, and hands you the gap analysis in time to do something about it before the real audit lands.
We run the engagement in two weeks rather than the three to four months a Big Four readiness review typically takes, because the scope is bounded and the methodology is reusable across clients. The deliverable is not a 200-page management consulting deck but a short signed report that names the gaps, prioritises them, and tells you what to fix first.
What we do not do
A readiness audit is an assessment, not an implementation. We do not deploy runtime monitoring software in your environment, run your 24/7 incident response, write your remediation code, or sign your regulatory submissions on your behalf. Those are different engagements, and for the runtime-tooling part of them the right vendors are companies like Lakera, Robust Intelligence, and others who build products in that category. We will tell you which of them fit your situation as part of the report.
What we do is tell you, in writing, what an auditor would find and what to do about it before they find it. That is the entire scope of this pillar.
Why annually
Frameworks move. The CBUAE Guidance Note shipped in February 2026, the EU AI Act's general-purpose AI obligations bind from August 2026, ISO 42001 is due for a revision in the coming year, and NIST will continue to publish profile updates as the generative-AI space evolves.
Your AI deployment moves too. New models land, new use cases get scoped, new vendors get added to the stack, new incidents reset the threat model.
An annual reassessment keeps the gap analysis honest. We bake the reassessment scope into the original engagement so the conversation in year two is shorter than the conversation in year one.