Compliance Audit.
The map your CISO signs before code is written. One page, five columns, every regulatory control tied to a specific design decision. Most AI projects we've seen die in 2025-26 died at the compliance gate. Ours don't, because we start there.
A one-page document. Five columns. Signed.
The compliance map has five columns:
- Regime & control — e.g. “HIPAA Security Rule §164.312(b) — audit controls”
- Applicable scope — which part of the AI system this control governs
- Design decision — the architectural choice that satisfies the control
- Evidence — where the auditor will find the proof
- Owner — the named person on the customer team who is accountable for the control
No vague language. No “the system has appropriate controls.” Each row is testable. Each row has an owner. The auditor reads it once and immediately knows where to look.
What a Compliance Audit engagement looks like.
Discovery (week 1)
We work with your security/compliance team to inventory the regulatory regimes that touch the proposed AI workflow. We map data flows, system boundaries, and stakeholder accountability.
Control selection (week 2)
From each regulatory regime, we extract the controls that apply specifically to AI processing. We deduplicate across regimes and produce a unified control set.
Architecture mapping (weeks 2-3)
For each control, we propose the architectural decision that satisfies it: where data lives, what models can be used, how audit logs flow, what human-in-the-loop looks like, what gets escalated.
Evidence design (week 3)
We design the evidence each control will produce: log schemas, document outputs, screenshots, attestations. We pre-stage the evidence collection so audits are not surprises.
Sign-off (week 3)
Walkthrough with your CISO and security/compliance team. Revisions until the document is signable. They sign. Build follows.
We design controls and produce evidence. We don't issue audit reports.
We are not a SOC 2 audit firm. We don't issue audit reports. What we do: design the controls, produce the evidence, walk through the audit with your team. We have referral relationships with audit firms that understand modern AI systems — ask; we'll introduce you.
Compliance is the floor, not the ceiling. The map exists to make your security-and-compliance group's job easy. The architecture exists to actually make the AI useful. We do both, because doing one without the other is how good AI projects die.
Standalone compliance audit: $10-45K depending on regime breadth.
Or included in any Discovery Sprint at no additional cost. Most customers prefer the latter.