Enterprise AI Governance · Aligned to EU AI Act, NIST AI RMF, ISO/IEC 42001

AI Governance Consulting

AI governance consulting that maps your AI portfolio against the EU AI Act, NIST AI RMF and ISO/IEC 42001, then ships the policies, oversight, model risk controls and audit evidence that pass review. Delivered by senior AI engineers, not generalist GRC consultants. Trusted by Google, Microsoft and Shell since 2013.

Book your AI governance consultation now

Talk to the AI governance team

Tell us where you are, whether that is scoping EU AI Act exposure, building an ISO/IEC 42001 ISMS for AI, or remediating live systems, and we'll tailor the engagement. Typically two to six weeks from first call to readout.

  • 3 core frameworks aligned end to end: EU AI Act, NIST AI RMF and ISO/IEC 42001.
  • 2-6 weeks: typical governance scoping timeline from kick-off to readout, with a defensible roadmap delivered at the end.
  • Temple University Beasley School of Law: governed legal-AI knowledge agent shipped to production for Temple University under regulated research data controls.
  • 2013: governing and shipping regulated AI for enterprises since 2013, well before the LLM hype cycle.
What you get

What AI governance consulting actually delivers

AI governance consulting is the structured work of putting policy, oversight, model risk management, controls and audit evidence around an organisation's AI systems so they can be operated safely, lawfully and accountably. Modern AI governance is anchored in three frameworks: the EU AI Act (risk-classified obligations for AI placed on the EU market), the NIST AI Risk Management Framework (govern, map, measure and manage risk across the AI lifecycle), and ISO/IEC 42001 (a certifiable, information-security-style management system for AI). Winder.AI delivers all three, mapped onto your existing risk function, with the engineering controls (evaluation, lineage, audit logging, guardrails) that turn a policy document into a defensible production posture. We have been shipping regulated AI for enterprises since 2013, for clients including Temple University, Google, Microsoft and Shell.

2026 update. EU AI Act obligations for general-purpose AI models and high-risk systems are now in force, NIST AI RMF has hardened around generative and agentic AI, and ISO/IEC 42001 certification has moved from novelty to procurement requirement. Our 2026 governance work covers agentic AI controls, third-party model assurance for hosted LLMs, evaluation discipline for non-deterministic systems, and the audit evidence regulators and enterprise buyers now expect.

How we compare

How AI governance partners compare

Governance approach: Big-4 / global SI governance programme
  What you get: Branded governance framework, executive workshops, policy templates and a transformation deck
  Best for: Board-level signalling, multi-year compliance programmes, regulator-facing optics
  Main weakness: High six-figure cost, generic templates, junior analysts behind a senior pitch, weak on the engineering controls that actually pass audit

Governance approach: In-house GRC / risk function
  What you get: Policy ownership inside the second line of defence, integrated with existing risk frameworks
  Best for: Mature financial services and healthcare organisations with an established model risk function
  Main weakness: Often lacks deep ML and LLM expertise, slow on agentic AI and generative systems, struggles with evaluation and lineage controls

Governance approach: Vendor or tooling-led governance (model registry, observability platform)
  What you get: A platform that logs runs, scans prompts and produces compliance reports
  Best for: Teams that already have policy in place and need automated controls and evidence
  Main weakness: Tooling without a policy framework produces dashboards, not assurance; conflicts with sales incentives; rarely covers the EU AI Act conformity path

Governance approach: No governance, ship and hope
  What you get: Faster initial pilots, deferred risk
  Best for: Pre-revenue experimentation with non-sensitive data
  Main weakness: EU AI Act, NIST AI RMF and ISO/IEC 42001 expectations have hardened; first audit, incident or regulator letter forces retrofit at 5x cost

Governance approach: Specialist engineering-led governance (Winder.AI)
  What you get: EU AI Act risk classification, NIST AI RMF mapping, ISO/IEC 42001 ISMS for AI, model risk policy, evaluation harnesses, audit logging, lineage and assurance reports written by engineers who ship the controls
  Best for: Enterprises that need a defensible governance programme aligned to EU AI Act, NIST AI RMF and ISO/IEC 42001, implemented in production, not just on slides
  Main weakness: Boutique scale, not designed for 100-seat staff augmentation engagements
From policy to production

Policy, controls and audit, delivered end to end

Winder.AI runs AI governance as a single connected programme: a defensible policy framework, the operational controls that make the policy real, and the assurance evidence that passes audit. One engineering team, one engagement, no handover between strategy consultants and the people who implement controls.

Policy & Risk Framework

Defensible AI policy mapped to the EU AI Act, NIST AI RMF and ISO/IEC 42001. Risk classification per AI system, model risk policy, acceptable use, third-party model assurance, and the operating model that sits underneath. Built to integrate with your existing risk function, not duplicate it. Part of our broader AI consulting practice.

Operational Controls & MLOps

The engineering controls that make policy real in production: evaluation harnesses for non-deterministic systems, audit logging, data lineage, guardrails, prompt-injection defences, monitoring and incident response. Delivered alongside our MLOps consulting and development practice, which provides the platform backbone.

Audit, Assurance & Training

The evidence and people side of governance: audit-ready documentation, ISO/IEC 42001 certification preparation, conformity assessment support for EU AI Act high-risk systems, regulator-facing reports, and tailored training for engineering, product and risk teams. Where readiness is the question before governance, start with our AI readiness assessment.

We sought AI engineering experts that could quickly learn our day-to-day scientific legal mapping processes enough to develop a tool to make our work more efficient. Winder.AI dug into our day-to-day workflow to thoroughly understand the value of an AI Assistant for scientific legal mapping, which is a critical process to the field of legal epidemiology.

Lindsay Cloud
Deputy Director, Center for Public Health Law Research at Temple University's Beasley School of Law
Why choose Winder.AI for AI governance

The engineering-led AI governance partner

Senior AI engineers writing policy, controls and audit evidence that survive contact with production. Aligned to EU AI Act, NIST AI RMF and ISO/IEC 42001, grounded in a decade of regulated AI delivery.

01

Governing Enterprise AI Since 2013

We have been governing and shipping production AI for enterprises for over a decade, long before the LLM hype cycle. As authors of the O’Reilly book on industrial autonomous AI, we have seen which controls actually pass audit and which collapse under scrutiny. The programme is grounded in real engagements across finance, healthcare, energy and public services, not consultancy theory.
02

Framework-Aligned, Engineering-Led

Every engagement is anchored in the EU AI Act, NIST AI RMF and ISO/IEC 42001, mapped onto your existing risk language. Findings are documented, traceable and defensible at board level and regulator level. The controls are written by the engineers who will run them, not handed to a separate implementation team six months later.
03

Senior Engineers, No Sales Layer

You talk to the engineers who will do the governance work and ship the controls. No offshore handover, no junior analysts staffed behind a senior pitch. The team that scopes your governance posture is the team that runs it and produces the audit evidence.
Trusted Worldwide

Trusted by global organisations for regulated AI

Governance, controls and assurance work across finance, healthcare, energy, legal, technology and regulated public services.

Governance solutions

Where our AI governance consulting bites

Each area below is delivered as a scoped workstream with named owners, written policy or technical artefacts, and the audit evidence to back it up. Mapped to EU AI Act articles, NIST AI RMF functions and ISO/IEC 42001 controls:

01

EU AI Act Risk Classification

Per-system classification against the EU AI Act risk tiers (prohibited, high-risk, limited-risk, minimal-risk) and the general-purpose AI model obligations. Article-by-article mapping of the technical documentation, logging, transparency, human oversight and conformity assessment requirements that apply. Sample finding: “your credit decisioning model is high-risk under Annex III; here is the conformity path”.
02

NIST AI RMF Mapping

End-to-end mapping of your AI lifecycle to the Govern, Map, Measure and Manage functions of the NIST AI Risk Management Framework, including the Generative AI Profile (NIST AI 600-1). Evidence catalogue, control owners, and the operating cadence that keeps the framework alive in production.
03

ISO/IEC 42001 ISMS for AI

Gap analysis against ISO/IEC 42001, design of the AI management system clauses and controls, and the documentation and evidence required for a successful certification audit. Modelled on the ISO 27001 management-system pattern that procurement teams already understand.
04

Model Risk Management

A model risk policy fit for LLMs and agentic AI, not just deterministic ML. Tiered model inventory, challenger and champion patterns, validation cadence, and the integration with second-line risk functions in regulated sectors. Aligned to FCA and PRA expectations (SS1/23) where applicable.
05

Data Governance & Lineage

The data side of AI governance: provenance, lineage, retention, residency, PII redaction at the integration boundary, consent management, and the lineage evidence regulators expect for training and inference data. Platforms covered: Snowflake, BigQuery, Databricks, Postgres, SharePoint, Confluence, S3.
06

Evaluation & Guardrails

Evaluation harnesses for non-deterministic systems, prompt-injection defences, content guardrails, agentic tool-use authorisation, and the monitoring required to catch drift and abuse in production. Delivered with our MLOps consulting and development practice.
07

Incident Response & Reporting

AI-specific incident playbooks, serious incident reporting paths (including EU AI Act Article 73 obligations for high-risk systems), and the runbooks that let an on-call engineer triage and remediate an AI incident under time pressure.
08

Training & Operating Model

Tailored training for engineering, product, legal and risk teams on the EU AI Act, NIST AI RMF and ISO/IEC 42001. The operating model and RACI required to keep AI governance live as the portfolio scales, not a one-off workshop that decays after launch.
Inside the governance programme

What we ship, end to end

We deliver the policy, technical controls and assurance evidence that turn AI governance from a slide deck into a production posture. Each capability below is in scope on a typical engagement:

EU AI Act Risk Classification

Per-system risk tiering against the EU AI Act, with article-level obligations and conformity assessment paths. Coverage of high-risk Annex III categories, general-purpose AI model providers, and downstream deployer obligations.

NIST AI RMF Mapping

Govern, Map, Measure and Manage functions mapped to your AI lifecycle. Generative AI Profile (NIST AI 600-1) overlay for foundation models and agents. Evidence catalogue and operating cadence.

ISO/IEC 42001 Gap Analysis

Clause-by-clause and Annex A control gap analysis against ISO/IEC 42001. Management system design, documentation, and pre-certification audit preparation.

Model Risk Policy & Inventory

A model risk policy that handles LLMs, generative AI and agentic systems alongside classical ML. Tiered model inventory, validation cadence, challenger patterns and second-line integration.

Audit Logging & Lineage

Audit logging specifications that survive regulator review, data and model lineage tracked end to end, and the evidence storage pattern that keeps logs both queryable and tamper-evident.

Evaluation Harnesses

Evaluation harnesses for non-deterministic systems, including LLM-as-judge with calibrated rubrics, regression suites for prompts and tools, red-teaming for prompt injection, and golden-set monitoring in production.

Guardrails & Agentic Controls

Content and behaviour guardrails, prompt-injection defences, tool-use authorisation for agents, and human-in-the-loop checkpoints for high-stakes actions.

Third-Party Model Assurance

Assurance approach for hosted LLMs (OpenAI, Anthropic, Google, Mistral) and self-hosted open-source models (Llama, Qwen). Data processing addenda, sub-processor review, evaluation, and the controls that let procurement sign off.
Your AI governance questions, answered

A governance programme that adapts to your regulatory scope, sector overlays and AI ambition.
Which regulatory frameworks should we anchor to?

EU AI Act, NIST AI RMF, ISO/IEC 42001

Every engagement anchors to the EU AI Act, NIST AI RMF and ISO/IEC 42001, with GDPR, HIPAA, SOC 2 and sector overlays where relevant. The roadmap reflects what your business actually has to comply with, not a generic checklist.
Frameworks: EU AI Act, NIST AI RMF, ISO/IEC 42001, GDPR, HIPAA, SOC 2, FCA SS1/23
How do sector overlays change the programme?

Sector-aware governance

Finance overlays SS1/23 and model risk expectations. Healthcare overlays HIPAA, MHRA and clinical safety. Energy and public sector overlay critical infrastructure and procurement-led assurance. We adapt the controls and evidence pattern accordingly.
Sectors: Finance, Healthcare, Energy, Public sector, Legal
Will the controls work on our cloud or on-prem stack?

Cloud and on-prem audit posture

We have implemented governance controls across AWS, Azure, GCP, on-prem Kubernetes and air-gapped environments. Audit logging, lineage and evaluation are designed to fit your existing posture, not force a re-platform.
Platforms: AWS, Azure, GCP, On-prem Kubernetes, Databricks, Snowflake, Air-gapped
Are we ready to govern autonomous AI agents?

Agentic governance, first-class

Agentic governance is a first-class workstream in the 2026 framework. Tool-use authorisation, multi-step evaluation, prompt-injection defences and human-in-the-loop checkpoints are designed before the agent ships, not retrofitted after an incident.
Agentic controls: Tool use, MCP, Evaluation, Guardrails, Human-in-the-loop, Multi-agent

Selected Case Studies

Some of our most recent work for our clients. You can find more in our portfolio.
How Winder.AI Helped Duetto Evaluate Reinforcement Learning for Hotel Pricing

Case study


Winder.AI helped Duetto evaluate offline reinforcement learning for dynamic hotel pricing. Over five months, the engagement progressed from behavioural cloning baselines through Implicit Q-Learning experiments on real booking data, revealing where RL outperforms simpler approaches, what data quality prerequisites exist, and how to evaluate pricing agents when ground truth is unavailable.

How Winder.AI Helped Apartment List Eliminate Data Drift and Scale MLOps Automation

Case study


Winder.AI helped Apartment List modernize its machine learning operations by unifying data pipelines, automating Kubeflow workflows, and introducing enterprise-grade governance. The outcome: consistent training and inference data, faster deployment cycles, and self-service capabilities that enabled Apartment List’s data science team to scale model delivery with confidence.

AI in Aviation Case Study: Flight Scheduling Using Digital Twins and Reinforcement Learning

Case study


Using digital twin data to build flight traffic simulators and train reinforcement learning AI agents. A leading aerospace business and Winder.AI opened new horizons for dynamic, data-driven scheduling solutions that integrate with our client’s advanced flight planning technology.

Recent MLOps Articles

Find more articles in our blog.
AI for Legal Operations: Where to Automate First

AI


Adoption of legal services AI has gone mainstream. Litify’s 2025 State of AI in Legal Report found that 78% of legal professionals already use AI in some form, up from 23% in 2023. But what workflow should you automate first?

Getting this wrong means months of effort on a low-impact problem. Getting it right means a quick win that funds the next step. The difference between a successful AI initiative and a stalled pilot usually comes down to picking the right starting point.

What a Custom AI Contract Review Pipeline Looks Like

AI


“AI contract review” is a popular keyword to compete for. Look, I’m doing it right now! A couple of years ago my colleagues and I half-built a contract review service prototype. We decided not to take it any further, but that was a mistake. It’s now very hot.

So hot you can easily find a wall of product pages. Sign up, upload your contracts, get results. The pitch is simple. For straightforward use cases, it works.

But what if your contracts don’t fit their templates? What if your review process has steps a product can’t model? What if your data can’t leave your infrastructure? What if your firm’s clause playbook differs from the vendor’s defaults?

This article walks through what a custom-built contract review pipeline actually involves.

When Off-the-Shelf Legal AI Tools Hit a Ceiling

AI


Legal AI adoption has accelerated. Litify’s 2025 State of AI in Legal Report found that 78% of legal professionals now use AI in some form, up from 23% just two years earlier. In Winder.AI’s 13-year history (and counting!) I have observed a similar trend first hand.

On the back of this trend, significant VC funding has attempted to capture a share of this market. $2.4 billion was invested in 2025. A tsunami of products promise to automate contract review, legal research, and document analysis. Many of them work for a while. Then firms hit the ceiling.

This article is about where that ceiling is and what lies beyond it.

FAQ

Frequently asked questions

This page provides answers to our most common questions. If you have a query that isn't covered, please get in touch.

Working with Winder.AI

AI governance consulting is the structured work of putting policy, oversight, model risk management, controls and audit evidence around an organisation’s AI systems so they can be operated safely, lawfully and accountably. A credible engagement covers risk classification under the EU AI Act, alignment to the NIST AI Risk Management Framework, gap analysis against ISO/IEC 42001, model risk policy, evaluation harnesses, audit logging, data lineage, guardrails and incident response. Winder.AI delivers the policy and the engineering controls in one programme, run by senior AI engineers rather than generalist GRC consultants.
For enterprise AI governance, choose a partner who can write defensible policy and ship the engineering controls that back it up, in the same engagement. Winder.AI has been governing and shipping enterprise AI since 2013, authored the O’Reilly book on industrial autonomous AI, and has delivered regulated AI for Temple University, Google, Microsoft, Stability AI and clients across finance and healthcare. We are a specialist AI consultancy, not a Big-4 transformation programme.
We are engineering-led, framework-honest and model-agnostic. Our consultants are PhD-level AI engineers who write policy, ship controls and produce audit evidence themselves. We are model-agnostic across OpenAI, Anthropic, Google and open-source families like Llama and Qwen, and platform-agnostic across AWS, Azure, GCP and on-prem Kubernetes. If you need an executive deck about responsible AI, hire a Big-4 firm. If you need a governance posture that survives audit and incident, talk to us.
Yes. We typically run AI governance scoping as a focused two to six week engagement, then continue on a monthly retainer with named senior engineers to implement controls, run evaluation cycles and prepare audit evidence. Statements of work are scoped, SLAs are transparent, and the team you meet is the team that delivers.
Scoped AI governance engagements are typically fixed-fee for the assessment and roadmap phase, then monthly retainer for implementation. Most engagements land in the five to low six-figure range over the first year, considerably lower than the multi-year Big-4 transformation programmes that produce similar deliverables on paper. See our pricing page for engagement models or get in touch for a tailored quote.
Start by writing down the trigger: a regulator letter, an EU AI Act exposure question, an ISO/IEC 42001 certification ambition, a procurement requirement, or a board worry about model risk. Then ask candidates for named case studies, the CVs of the engineers who will actually do the work, and references in your sector. Avoid firms that staff the engagement through a sales layer or hand the work to junior analysts. To start a conversation with Winder.AI, fill out the form on this page and we will book a welcome call within 48 hours.

Scoping & delivery

A focused scoping engagement runs two to six weeks from kick-off to readout, depending on portfolio size and regulatory scope. Week one is discovery interviews and inventory of AI systems. Weeks two and three are EU AI Act risk classification, NIST AI RMF mapping and ISO/IEC 42001 gap analysis. The remaining weeks cover model risk policy, controls design and the written roadmap. Implementation then runs as a monthly retainer for as long as the programme needs.
You receive a written governance posture report covering EU AI Act risk classification per system, NIST AI RMF function-by-function gap analysis, ISO/IEC 42001 control-by-control gap analysis, a model risk policy, an evaluation and monitoring plan, an audit logging and lineage specification, a third-party model assurance approach for hosted LLMs, and a prioritised roadmap with named owners. Everything is yours to keep, edit and circulate internally.
We anchor every engagement in the EU AI Act, NIST AI Risk Management Framework and ISO/IEC 42001. Where relevant we map onto GDPR, the UK Data Protection Act, HIPAA, SOC 2, FCA and PRA expectations for model risk (SS1/23), and sector-specific guidance. If you already use an internal capability or risk model, we map our findings onto it so the readout fits your existing risk language.
Yes. We have governed AI for regulated finance, public sector, healthcare and energy clients, including organisations running air-gapped on-prem infrastructure. The programme covers data residency, model sovereignty, evaluation in disconnected environments, and the audit and lineage requirements needed to ship AI inside a regulated estate.
Typically two to four weeks from first call to kick-off. Discovery and contracting take one to two weeks each. Urgent engagements (for example to respond to a regulator letter, a procurement question, or a pre-launch governance review) can start inside a week. Get in touch early even if your timeline is flexible, as our calendar fills four to eight weeks ahead.
Most clients move into implementation on a monthly retainer. We embed the controls, build evaluation harnesses, wire up audit logging and lineage, and produce assurance evidence. The same engineering team runs the controls through our MLOps consulting and development practice, so policy and platform stay aligned. Where readiness needs scoping first, start with our AI readiness assessment.

AI governance, explained

AI governance is the combination of policy, oversight, controls and assurance that lets an organisation operate AI safely, lawfully and accountably. It covers who owns risk for each AI system, how risk is classified, what controls apply, how evidence is logged and how the organisation responds to incidents. A governed AI portfolio can move a use case from idea to production inside a single quarter without unplanned compliance work. An ungoverned portfolio stalls in pilot purgatory or fails the first audit.
The EU AI Act classifies AI systems by risk: prohibited, high-risk, limited-risk and minimal-risk, with separate obligations for general-purpose AI models. High-risk systems require a risk management system, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness and cybersecurity, plus a conformity assessment before placement on the EU market. General-purpose AI model providers face transparency and copyright obligations, with stricter rules for models with systemic risk. Winder.AI maps each of your AI systems to the relevant risk class and the specific articles you must satisfy.
The NIST AI Risk Management Framework is a voluntary US framework organised around four functions: Govern, Map, Measure and Manage. Govern sets up the policies and accountabilities. Map identifies context and risks. Measure puts evaluation, testing and monitoring in place. Manage operates and remediates risk in production. The Generative AI Profile (NIST AI 600-1) extends the framework for generative and foundation models. We map your AI lifecycle to each function and produce the evidence regulators and enterprise buyers expect.
ISO/IEC 42001 is the international standard for an AI Management System. It defines requirements for an organisation to establish, implement, maintain and continually improve a management system for AI, modelled on ISO 27001 for information security. Certification has moved from novelty to a procurement requirement in regulated sectors. Winder.AI runs gap analysis against the standard, designs the management system clauses and controls, and prepares the documentation and evidence required for a successful certification audit.
A Big-4 responsible AI programme is typically a multi-year transformation engagement, staffed by junior analysts behind a senior pitch, producing executive decks and policy templates. The engineering controls (evaluation, lineage, audit logging, guardrails) are usually out of scope or sub-contracted. Our programme is delivered by the engineers who will also ship the controls, on a focused engagement that produces a defensible posture in weeks, not years. We are the engineering-led alternative.
Yes. In 2026 our governance programme treats autonomous agents and generative AI as first-class concerns, including tool-use authorisation, evaluation of non-deterministic behaviour, prompt-injection defences, third-party model assurance for hosted LLMs, and human-in-the-loop checkpoints. See our AI agent development service for the follow-on delivery and our MLOps consulting and development practice for the controls and audit backbone.
AI readiness measures whether your organisation can adopt AI at all; AI governance defines how you do it safely once you start. Most clients run an AI readiness assessment first if they are early on the curve, then move into governance scoping. Mature organisations with live AI portfolios usually start directly with governance.
Get Started

Book your AI governance consultation

Whether you are scoping EU AI Act exposure, building an ISO/IEC 42001 ISMS for AI, or hardening live systems against the next audit, talk to the team that has been shipping regulated AI since 2013.

  • You'll talk to senior AI engineers, never a sales layer
  • Welcome call booked within 48 hours
  • Typical governance scoping: 2 to 6 weeks, with a defensible roadmap at readout
Ready when you are

Send us a brief and book a welcome call within 48 hours.

Talk to the AI governance team
Need a defensible AI governance posture for the EU AI Act, NIST AI RMF and ISO/IEC 42001? Book your AI governance consultation