A clear methodology for regulated AI risk work, not black-box automation.
This page explains the product workflow in business and operational terms so buyers can understand how inputs become findings, executive packages, and recurring visibility. Our proprietary six-node scoring pipeline is patent pending.
A clear operating model that shows how intake becomes findings, executive reporting, and ongoing visibility.
Phase 1 — Structured Assessment Intake
A structured intake captures 40+ data points across AI systems, data governance, vendor management, security controls, shadow AI exposure, and regulatory context. Designed for partial completion, safe resume, and full auditability. All data is encrypted at rest (AES-256-GCM) and scoped to your organization.
Phase 2 — AI-Assisted Risk Analysis
A six-node LangGraph AI workflow processes the intake through sequential analysis stages: business context mapping, multi-framework control alignment, risk identification, risk scoring, remediation roadmap generation, and executive report synthesis. AI analysis is bounded, validated, and human-reviewed before any finding becomes customer-visible product state. Patent Pending (App #64/057,822).
Phase 3 — Governance Maturity Scoring
A five-component AI Governance Maturity Score (0–100) is computed from the risk analysis output. This is the single most actionable executive signal the platform produces — giving compliance leads, boards, and auditors a quantified posture benchmark against which future assessments can be compared.
Phase 4 — Executive Report Delivery
The generated report is packaged as a versioned, audit-ready deliverable with a formal cover page, scope and methodology section, executive briefing, risk findings, compliance mapping, control traceability matrix, and remediation roadmap. Reports undergo founder review before delivery. All prior versions are preserved for trust and traceability.
Phase 5 — Continuous Monitoring and Re-Assessment
After initial delivery, the platform preserves findings, risk trend snapshots, framework posture, and remediation state. Re-assessments produce delta reports showing findings resolved, new risks identified, and maturity score movement over time. This is the foundation of an ongoing AI governance program.
Why the methodology matters
Enterprise buyers are not only buying a report. They are evaluating process discipline, reviewability, and whether the product can support repeated use.
Phase 1 — Structured Assessment Intake outputs
AI systems and use case inventory. Vendor and third-party AI exposure record. Governance structure and policy documentation. Shadow AI exposure self-assessment. Regulatory context and framework selection. Evidence checklist and gap identification.
Phase 1 — Structured Assessment Intake operating notes
Data attestation: all intake data is provided and attested to by an authorized representative of the assessed organization. Supports multi-user distributed completion for large organizations. Full audit log from first submission to final record.
Phase 2 — AI-Assisted Risk Analysis outputs
Business context and AI use profile. Multi-framework control mapping (NIST AI RMF, EU AI Act, SOC 2, HIPAA, ISO 42001). Risk findings with severity classification (Critical / High / Moderate / Low). Shadow AI and vendor risk flags. Quantified risk scoring across six governance domains. Prioritized remediation roadmap (Immediate / 30-day / 60-day / 90-day actions).
Phase 2 — AI-Assisted Risk Analysis operating notes
AI execution is bounded: outputs are validated against a strict schema before entering product state. All AI analysis is disclosed in the report methodology section. Failures are durable, reviewable, and recoverable — no silent loss of customer data.
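The schema gate is the control that keeps model output from becoming product state unchecked. The validator below is an added illustration, not the product's own code: it accepts only the severity classes, roadmap buckets and frameworks named on this page and rejects anything else without coercing it. The field names, the six placeholder domain names and the sample payload are assumptions.

```python
# Added example (not the product's own code): a strict schema gate for the Phase 2
# AI-assisted analysis output; field names and the constructed sample are assumptions.
from typing import Any

SEVERITIES = {"Critical", "High", "Moderate", "Low"}
ROADMAP_BUCKETS = {"Immediate", "30-day", "60-day", "90-day"}
FRAMEWORKS = {"NIST AI RMF", "EU AI Act", "SOC 2", "HIPAA", "ISO 42001"}
FINDING_KEYS = {"id", "title", "severity", "frameworks", "roadmap_bucket"}
def _enum_ok(value: Any, allowed: set[str]) -> bool:
    # Type check first: an unhashable value (e.g. a list) would make `in` raise.
    return isinstance(value, str) and value in allowed
def validate_analysis(output: Any) -> list[str]:
    """Return every schema violation found; an empty list means the output may enter product state."""
    if not isinstance(output, dict) or set(output) != {"findings", "domain_scores"}:
        return ["output must be an object with exactly the keys findings and domain_scores"]
    findings, scores = output["findings"], output["domain_scores"]
    if not isinstance(findings, list) or not isinstance(scores, dict):
        return ["findings must be a list and domain_scores an object"]
    errors: list[str] = []
    seen: set[str] = set()
    for i, f in enumerate(findings):
        if not isinstance(f, dict) or set(f) != FINDING_KEYS:
            errors.append(f"finding {i}: keys must be exactly {sorted(FINDING_KEYS)}")
            continue  # unknown or missing keys are rejected, never coerced
        fid = f["id"]
        if not isinstance(fid, str) or fid in seen:
            errors.append(f"finding {i}: id must be a unique string")
            fid = f"#{i}"
        seen.add(fid)
        if not _enum_ok(f["severity"], SEVERITIES):
            errors.append(f"finding {fid}: severity {f['severity']!r} not allowed")
        if not _enum_ok(f["roadmap_bucket"], ROADMAP_BUCKETS):
            errors.append(f"finding {fid}: roadmap bucket {f['roadmap_bucket']!r} not allowed")
        fw = f["frameworks"]
        if not isinstance(fw, list) or not all(_enum_ok(x, FRAMEWORKS) for x in fw):
            errors.append(f"finding {fid}: frameworks must be drawn from {sorted(FRAMEWORKS)}")
    if len(scores) != 6:  # the page counts six governance domains but does not name them
        errors.append("domain_scores must cover exactly six governance domains")
    for name, v in scores.items():
        # bool is an int subclass in Python, so reject it explicitly (True must not pass as 1)
        if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= 100:
            errors.append(f"domain {name!r}: score must be an integer from 0 to 100")
    return errors
# Constructed sample shaped like one analysis result (placeholder domain names, not real data).
SAMPLE_OUTPUT = {
    "findings": [{"id": "F-001", "title": "No AI use case inventory", "severity": "High",
                  "frameworks": ["NIST AI RMF", "ISO 42001"], "roadmap_bucket": "30-day"}],
    "domain_scores": {f"domain_{n}": 40 + n for n in range(1, 7)},
}
```

A non-empty return value is the signal to park the run as a durable, reviewable failure rather than to patch the payload and continue.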
Phase 3 — Governance Maturity Scoring outputs
AI Governance Maturity Score (0–100). Maturity Level (Initial / Developing / Defined / Managed / Optimized). Executive Risk Rating (Critical / High / Elevated / Moderate / Low). Five-component breakdown: Governance Structure, Data Governance, Vendor Risk, Control Readiness, Evidence Readiness. Trend indicator when prior assessments are available.
Phase 3 — Governance Maturity Scoring operating notes
Derived entirely from validated AI analysis output, with no manual scoring. Designed to be repeatable: the same intake and the same findings produce the same score. Delta scoring is available on re-assessment to track improvement over time.
Phase 4 — Executive Report Delivery outputs
Cover page with assessment date, report ID, and confidentiality classification. Executive Briefing — maturity score, executive risk rating, top 3 priority actions. Scope and Methodology section with AI disclosure, limitations, and data attestation note. AI Inventory and use case profile. Risk findings with severity badges and framework mappings. Compliance mapping scorecard (NIST AI RMF, EU AI Act, SOC 2, HIPAA, ISO 42001). Control traceability matrix with specific control IDs. Shadow AI and vendor risk assessment. 30/60/90-day remediation roadmap. Appendix: evidence log, exception register, methodology reference.
Phase 4 — Executive Report Delivery operating notes
Every report includes a formal scope section documenting what was assessed, excluded, and assumed. A Patent Pending methodology note is included in all deliverables. A management response workflow allows customers to formally accept, dispute, or confirm remediation of each finding.
Phase 5 — Continuous Monitoring and Re-Assessment outputs
Monitoring dashboard with live risk posture and finding status. Re-assessment delta reports (findings resolved / new / persisted). Risk score trend over time. Management response tracking across findings. Exception register for formally accepted or disputed findings. Customer-downloadable audit trail export.
Phase 5 — Continuous Monitoring and Re-Assessment operating notes
Separated cleanly from one-time assessment snapshots. Designed for quarterly re-assessment cycles aligned to compliance program calendars. Provides the renewal reason and the audit evidence that justifies continued investment.