A fixed-fee, 4 to 6 week readiness engagement for mid-market companies and federal contractors putting AI into production. We inventory your AI, classify risk, find the gaps against the framework you care about — NIST AI RMF, the EU AI Act, or ISO/IEC 42001 — and map it all onto the SOC 2 / ISO 27001 program you already run, so you do not rebuild from scratch.
Senior-only delivery, no juniors. We layer AI governance onto your existing security program instead of starting over. The person who scopes the work is the person doing it.
Every engagement ships the same artifacts: a defensible inventory, a risk read, a gap assessment against the one framework that matters to you, a control crosswalk so one control set covers multiple frameworks, and a roadmap with a board / proposal-ready readout. Document once, tag twice.
An AI system inventory and use-case register covering up to five in-scope systems — the models, the data they touch, the people who own them, and the business purpose each one serves.
Each system classified and tiered against the obligations of your chosen framework, so high-risk and general-purpose AI gets the scrutiny it warrants and low-risk systems are not over-governed.
A gap assessment against one primary framework — NIST AI RMF, the EU AI Act, or ISO/IEC 42001 — that shows exactly where you stand today and what is missing to reach readiness.
A crosswalk from framework clauses to NIST AI RMF functions to your existing controls. Document once, tag twice — one control set evidenced once, mapped across the frameworks you answer to.
A 90-day remediation roadmap your team can act on, plus a board / proposal-ready executive readout you can hand to a board or a buyer, or cite in a federal proposal.
The Snapshot runs in four phases over four to six weeks. You know what is happening each week and what lands at the end.
1. Agree the in-scope AI systems (up to five), the primary framework that matters to your auditors or buyers, and the existing SOC 2 / ISO 27001 program we will map onto. Rules of engagement in writing.
2. Build the AI system inventory and use-case register, interview owners, and classify and tier each system against the obligations of your chosen framework.
3. Assess the gaps against the primary framework and build the control crosswalk that ties framework clauses to NIST AI RMF functions to the controls you already run.
4. Deliver the 90-day remediation roadmap and the board / proposal-ready executive readout, and walk your team and leadership through it.
Frameworks, layered not duplicated. We anchor the assessment to one primary AI framework — NIST AI RMF, the EU AI Act, or ISO/IEC 42001 — and layer it onto the SOC 2 / ISO 27001 controls you already evidence, so a single control set answers multiple frameworks instead of standing up a parallel compliance program.
Start with the readiness Snapshot, convert it into a fractional officer who owns governance over time, or — for federal pursuits — buy the focused B&P add-on that produces the AI governance narrative for a specific solicitation.
Indicative bands; final scope and price set in a discovery call. The prices above are starting ranges. The Snapshot covers up to five in-scope AI systems; additional systems, frameworks, or environments are scoped and priced separately. The B&P add-on is often billable as bid-and-proposal cost — confirm treatment with your contracts team.
We anchor the assessment to one primary AI framework and crosswalk it onto the SOC 2 / ISO 27001 program you already evidence — so your security and compliance teams connect each gap to the obligations they already answer to.
| Framework | What we map to it |
|---|---|
| NIST AI RMF | Govern / Map / Measure / Manage functions — your AI systems and gaps tied to the risk each function is meant to address. The common pick for federal-facing work. |
| EU AI Act | Risk-tier obligations and the testing, documentation, and robustness expectations for high-risk and general-purpose AI systems serving EU markets. |
| ISO/IEC 42001 | AI management system clauses — the structure enterprise buyers increasingly ask for, mapped to the controls you can actually evidence. |
| SOC 2 / ISO 27001 | The security program you already run. The crosswalk layers AI governance on top so one control set covers multiple frameworks — document once, tag twice. |
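One way to express the crosswalk as data, added here as an illustration and not DSE's own tooling: a single control set in which each control is evidenced once and tagged to the NIST AI RMF function it serves and to the clauses of the other frameworks it satisfies, so the per-framework gap assessment falls out of the tags. Control IDs, clause IDs and evidence file names are constructed placeholders; only the Govern / Map / Measure / Manage function names come from the page.

```python
from collections import Counter

# Document once, tag twice: each control is evidenced once and carries tags
# for every framework clause it satisfies, plus the NIST AI RMF function it
# serves. All IDs and evidence names below are constructed placeholders.
CONTROLS = {
    "CTRL-01": {"evidence": "access-review-placeholder.pdf",
                "nist_function": "Govern",
                "tags": {"SOC2:ref-1", "ISO42001:clause-A"}},
    "CTRL-02": {"evidence": None,  # tagged but not yet evidenced
                "nist_function": "Measure",
                "tags": {"ISO42001:clause-B", "EUAIACT:art-X"}},
    "CTRL-03": {"evidence": "model-card-placeholder.md",
                "nist_function": "Map",
                "tags": {"ISO42001:clause-C", "SOC2:ref-2"}},
}

# Obligations each framework imposes on the in-scope systems (placeholders).
FRAMEWORK_CLAUSES = {
    "ISO42001": {"clause-A", "clause-B", "clause-C", "clause-D"},
    "EUAIACT": {"art-X", "art-Y"},
}

NIST_FUNCTIONS = ("Govern", "Map", "Measure", "Manage")


def gap_assessment(controls, framework):
    """Split a framework's clauses into evidenced, unevidenced, and missing."""
    evidenced, tagged = set(), set()
    for ctrl in controls.values():
        for tag in ctrl["tags"]:
            fw, clause = tag.split(":", 1)
            if fw == framework:
                tagged.add(clause)
                if ctrl["evidence"]:
                    evidenced.add(clause)
    required = FRAMEWORK_CLAUSES[framework]
    return {
        "evidenced": sorted(required & evidenced),
        "unevidenced": sorted((required & tagged) - evidenced),
        "missing": sorted(required - tagged),
    }


def evidenced_by_function(controls):
    """Count evidenced controls per NIST AI RMF function (zeros included)."""
    counts = Counter(c["nist_function"] for c in controls.values()
                     if c["evidence"])
    return {fn: counts.get(fn, 0) for fn in NIST_FUNCTIONS}
```

The same evidence file behind CTRL-01 answers both a SOC 2 reference and an ISO/IEC 42001 clause, while the gap report separates "tagged but unevidenced" (a remediation item) from "no control at all" (a roadmap item).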
No. DSE provides AI governance and compliance readiness consulting. We are not an accredited certification body and do not issue ISO/IEC 42001 certificates or certify EU AI Act or NIST AI RMF compliance — only accredited certification bodies or notified bodies do that. We get you ready and map the evidence; the certificate, where one exists, comes from the accredited body.
No, and we will not claim otherwise. We cannot guarantee passing an audit or avoiding enforcement. What the Snapshot does is give you a defensible inventory, a gap assessment, and a remediation roadmap so you go into an audit or a regulator conversation with your work in order.
No. We do not provide legal advice. We work alongside your counsel — the readiness work and control-mapping are an engineering and governance exercise, and your attorneys own the legal interpretation of the EU AI Act, enforcement risk, and contractual obligations.
No. That is the point of the engagement. We layer AI governance onto the program you already run with a control crosswalk, so one control set covers multiple frameworks — document once, tag twice. You are not standing up a parallel compliance program.
We anchor to one primary framework in the scope call. Federal-facing teams usually pick NIST AI RMF; teams selling into the EU pick the EU AI Act; teams answering enterprise procurement increasingly pick ISO/IEC 42001. We crosswalk to the others regardless of which one is primary.
Up to five in-scope AI systems within the fixed fee. If you run more than five, we scope the most material systems first and price additional systems separately — the band above is for the core five-system engagement.
The roadmap is yours to run, or you can convert it into a Fractional AI Compliance Officer retainer (from $7.5k/mo) that owns AI governance over time, keeps policies current as the rules change, and maintains audit readiness. Ongoing accountability, not a report in a drawer.
Yes. The AI Risk & Compliance Plan for RFP / TO add-on (2 to 4 weeks, $15k–$35k, often billable as B&P) produces the AI governance narrative for a specific solicitation, a draft program AI governance plan, and a NIST AI RMF mapping. It is the lowest-friction way into a govcon relationship and can precede the Snapshot.
Tell us what you are shipping and which framework your auditors or buyers are asking about — NIST AI RMF, the EU AI Act, or ISO/IEC 42001 — and we will scope a fixed-fee readiness engagement in a 30-minute call. A principal runs it, start to finish.
DSE provides AI governance and compliance readiness consulting. We are not an accredited certification body and do not issue ISO/IEC 42001 certificates or certify EU AI Act or NIST AI RMF compliance. Only accredited certification bodies or notified bodies do that.
We cannot guarantee passing an audit or avoiding enforcement. A readiness engagement is a point-in-time assessment of the systems as scoped; it gives you a defensible inventory, a gap assessment, and a roadmap to act on — not a warranty of an outcome we do not control.
We do not provide legal advice. We work alongside your counsel. The legal interpretation of the EU AI Act, enforcement exposure, and contractual obligations belongs to your attorneys; our work is the engineering and governance readiness underneath it.
Where we describe "mapping to" NIST AI RMF, the EU AI Act, ISO/IEC 42001, SOC 2, or ISO 27001, that means advisory alignment, not certification.
All engagements are governed by a signed SOW / MSA that includes a limitation of liability.