How does AI governance differ from cybersecurity?
Cybersecurity protects systems and data from unauthorized access, exfiltration, and disruption. AI governance addresses a different risk surface: what happens when authorized users interact with AI systems that have probabilistic outputs, opaque training, and unpredictable behavior. The two functions overlap on data-leakage prevention and vendor risk, but AI governance also covers model bias, hallucination liability, intellectual-property exposure in training and inference, and US regulatory obligations under the Colorado AI Act, NYC LL144, CA AB 2013, FTC Section 5, and sector overlays (HIPAA, SR 11-7, CMMC). A mature program operates the two as separate disciplines that share evidence and controls where it makes sense.
Is AI governance required for a US SMB?
Required is a legal question that depends on state, sector, and use case. Colorado AI Act SB 24-205 (effective February 2026) imposes obligations on developers and deployers of high-risk AI systems across nine consequential-decision categories. NYC Local Law 144 requires annual bias audits for any automated employment decision tool used in NYC. California AB 2013 (effective January 2026) requires generative-AI training data summaries. NIST AI RMF is voluntary but is rapidly becoming the baseline for procurement, insurance, and customer-facing assurance. For US SMBs operating in regulated industries (healthcare, financial services, legal, manufacturing), the practical answer is yes — customers and regulators expect documented AI risk management whether or not a specific statute names you. We build programs sized to the organization rather than enterprise-scale frameworks shoehorned in.
Do you handle Colorado AI Act compliance?
Yes. We classify systems against the Colorado AI Act §6-1-1701 high-risk definition (consequential decisions in employment, healthcare, financial services, education, housing, insurance, legal, criminal justice, or government services), implement the developer and deployer obligations (impact assessment, consumer notice with right-to-appeal, opt-out from substantial-factor automated decisions, risk-management policy aligned to NIST AI RMF, annual review), and produce the documentation the act expects. The act took effect February 2026; we map your obligations to your specific deployment categories and operating states.
What about Microsoft 365 Copilot governance?
Copilot is the highest-volume AI surface in most organizations and the one with the broadest data exposure. We configure Copilot at the tenant level (data-loss prevention, sensitivity labels, restricted SharePoint access, audit-log retention), define and enforce an acceptable use policy, and run quarterly reviews of usage patterns and exposure. Customers running Microsoft Purview AI Hub get our help operationalizing the signal it produces; customers without Purview get equivalent monitoring through other tooling. The governance pattern is the same; the tools vary with your stack.
Can you do this for a healthcare organization?
Yes, and healthcare is one of the verticals where we have the deepest pattern library. Clinical AI scribes (Abridge, Suki, DAX, Heidi and the rest), billing copilots, and AI-embedded EHR features all sit in scope under the HIPAA Security Rule, HHS-OCR Section 1557 algorithmic non-discrimination, the Colorado AI Act healthcare consequential-decision category, and state health-privacy laws (CMIA, MHMDA, NY SHIELD, TX MRPA). We negotiate AI-vendor BAAs, document data flows for ePHI exposure, and produce evidence packs that satisfy both HIPAA OCR audits and AI-specific regulatory questions. See our healthcare industry page for the bundled offering.
Is the AI Pen-Test included or a separate engagement?
AI Pen-Test is a separate engagement, billed as a fixed-fee add-on per testing window. We run adversarial testing covering prompt injection, jailbreak resistance, training-data exfiltration, model theft, output integrity, and agent guardrail bypass. The deliverable is a written report with reproduction steps, severity ratings, and remediation recommendations. Annual AI Pen-Tests are included as part of the highest-tier managed AI governance retainer.
What kinds of AI vendors are you familiar with?
We have operational experience across the major LLM providers (OpenAI, Anthropic, Google, Microsoft, Meta), the enterprise AI assistants (M365 Copilot, ChatGPT Enterprise, Claude Enterprise, Gemini for Workspace), the AI-embedded productivity layer (Notion AI, Salesforce Einstein, Zoom AI Companion, Slack AI), and the vertical AI ecosystem (clinical scribes, contract analytics, sales intelligence, fraud detection). For custom-deployed models we operate the standard stack: AWS Bedrock, Azure OpenAI, Google Vertex AI, and self-hosted inference.
How long does the initial AI Risk Audit take?
Two to three weeks for the typical mid-market environment. The deliverable is a written report covering the full AI inventory, vendor risk assessment, policy gap analysis, NIST AI RMF and ISO 42001 mapping, a US AI risk-tier classification (Colorado AI Act high-risk + state-law overlay + sector context), the top twenty prioritized risks, and an executive briefing. Larger or more complex environments take four to six weeks. The audit is fixed-fee and converts to a managed retainer with the audit fee credited toward the first quarter for customers who continue.
How do you handle multi-state AI compliance for a US business operating across states?
We build a state-by-state applicability matrix anchored to the strictest applicable law per use case. The Colorado AI Act governs consequential decisions across nine categories. NYC LL144 applies the moment you use any automated employment decision tool on an NYC resident. California AB 2013 and SB 1001 apply to gen-AI training data summaries and bot disclosure for California users. Illinois HB 3773 restricts AI in hiring video interviews. Utah SB 149 imposes disclosure. The Tennessee ELVIS Act creates civil liability for voice cloning. We design your controls to satisfy the most stringent applicable law per use case rather than fragmenting policy per state.
What if we already use Microsoft Purview AI Hub or another AI-governance tool?
Tooling is the easy part. The hard part is the operational discipline that turns tool signal into evidence, decisions, and remediation. We layer our governance program on top of whatever tooling you already have, including Purview AI Hub, Google AI Hub, Cisco AI Defense, Wiz AI-SPM, and the rest of the emerging market. Customers without dedicated tooling get equivalent coverage through logs and audits in their existing security stack.