AI Risk & Readiness Assessment
A fixed-scope diagnostic built on the Operational Substrate Risk Audit, an open methodology for examining what AI systems actually do rather than what their documentation says they do.
Who this is for
CISOs, CTOs, and boards of mid-market companies and regulated enterprises in Europe, the US, Japan, and APAC that have moved AI systems into production, or are about to, and need a defensible answer to the question their board or their regulator will eventually ask: what is our actual exposure?
The problem
Compliance audits the description. It reads the policy, checks the documentation, confirms the register is complete, and signs off on an account of the system. The system itself, the models in production, the data they touch, the decisions they influence, the agents they grant access to, keeps operating underneath that account, and the two drift apart from the day of deployment. NIS2, DORA, and the EU AI Act all assume the description and the machine match. In my experience across thirty years of security and technology leadership, they rarely do, and the distance between them is where incidents, findings, and liability accumulate.
Most organizations discover that distance during an incident, a supervisory inspection, or a due diligence process. The purpose of this assessment is to discover it deliberately, on your schedule, while it is still a roadmap rather than a finding.
What happens
The engagement runs three to four weeks at fixed scope.
The first week establishes the inventory: which AI systems exist, what they can reach, who owns them, and what the documentation claims about each. This includes the systems procurement knows about and, usually more interesting, the ones it doesn’t.
The second and third weeks apply the Operational Substrate Risk Audit to the systems that matter: structured examination of the operational substrate beneath each system, scored against the published model, with interviews across the technical, risk, and leadership functions to measure how far the governance account and the operational reality have drifted.
The final week is synthesis and delivery, including a working session with leadership to walk through findings and priorities, so the deliverables arrive understood rather than merely received.
What you receive
A risk register covering every assessed system, scored and comparable. A prioritized remediation roadmap drawn from OSRA’s published catalogue of concrete actions, sequenced by exposure rather than by convenience. A board-ready summary, written in the language boards use to allocate responsibility and budget, that a director can read in fifteen minutes and defend in a meeting. And the assessment workpapers themselves, so your team can repeat the exercise without me.
The methodology is public
This assessment is not a proprietary black box. The Operational Substrate Risk Audit is published in full: the methodology, the scoring model, the practitioner templates, the remediation catalogue, and a complete worked example showing what a finished assessment looks like. You can evaluate the entire approach before we speak, and your auditors, regulators, or board can trace every conclusion back to a documented method. What you engage me for is the judgment: thirty years of reading the gap between how systems are supposed to behave and how they behave under pressure.
Investment
Fixed fee, agreed before the engagement begins, based on the number of systems in scope. No hourly billing, no scope drift. If the inventory week reveals the scope was wrong, we adjust the agreement before proceeding, in either direction.
Starting
A short note describing your situation, your sector, and roughly what AI systems you run is enough. I’ll tell you honestly whether the assessment fits, and if a lighter conversation is the better first step, we start there instead.
Based in Germany. Available globally. Working languages English and Italian.
