AI governance, installed as working systems
Six layers, from AI inventory to audit trail, shipped one two-week sprint at a time. Each sprint has its own signed acceptance criteria, and you pay $10,000 per build only after every criterion passes.
The binder is current. Production is not.
Shadow AI is already in production
Employees adopted AI tools nobody approved or recorded. You cannot govern systems you have not found.
Policies exist. Nothing enforces them.
The acceptable-use PDF is signed and filed. No control in production checks a single clause of it.
EU AI Act obligations are landing
Obligations attach by risk class. Without an inventory and risk tiering, you cannot say which obligations are yours.
Audit evidence is rebuilt by hand
Every regulator or customer question triggers weeks of screenshots and email archaeology instead of a query against an audit trail.
How we set up AI governance for your company.
Most AI governance arrives as a binder: a policy document, a committee charter, a deck for the board. Twelve months later the binder is current and the production environment is not. We install governance as working systems instead. Each control in the stack below ships as software that runs in your environment, against acceptance criteria you signed before the build started.
The unit of work is a sprint: one two-week build with its own signed acceptance criteria. The typical sequence starts with Sprint 1, an inventory and risk tiering of everything already running, including the shadow AI your teams adopted without asking. That exposure map, not a framework diagram, decides which layer we install next.
This is how we already work. A European pharmaceutical regulator runs an AI compliance scanner we built: 620+ marketing assets scanned, 11 rules per scan, around 2 minutes per asset, down from 2 to 3 hours of manual review. Governance that runs as software, not governance that sits in a binder.
The QueryNow governance stack.
Six layers, each installed as working controls. For every layer you see what we install and the failure it prevents. The last line is an example of acceptance criteria we would sign before the build starts.
AI Inventory
Know what is running before you govern it.
- Shadow AI detection
- System classification
- Risk tiering
- Ownership assignment
- Model registry
An unsanctioned chatbot has handled customer data for months. It appears on no list, has no owner, and carries no risk tier.
Every AI system in use, including tools surfaced from network and SaaS logs, appears in the registry with an owner and a risk tier. A spot check by your team finds zero missing entries.
Data Foundation
Trace every model back to the data that feeds it.
- Source tracking
- Lineage mapping
- Quality validation
- Freshness monitoring
- Data bias screening
A model quietly retrained on stale, unvetted data, and nobody can say where that data came from.
For any dataset feeding a tiered system, lineage to source and the latest quality and freshness checks render in a single view, with bias screening results attached.
Data Security & Access
Control who and what can touch the data.
- Encryption
- Anonymization
- Role-based access
- Least privilege
- Key management
A retrieval path that hands restricted records to employees who were never cleared to see them.
A test account outside the approved role cannot retrieve restricted records through the model or its logs. Key rotation runs on schedule, with evidence in the vault audit log.
Model Assurance
Prove each model does what its card claims.
- Model cards
- Performance benchmarks
- Fairness testing
- Red-teaming
- Drift detection
A model that degraded for months and was caught by a customer complaint instead of a dashboard.
Each tiered model ships with a model card and a benchmark your team can rerun. A replayed distribution shift triggers a drift alert within 24 hours.
Human Oversight
Keep a named human between the model and the consequence.
- Decision review
- Escalation paths
- Override authority
- Output validation
- Accountability mapping
An automated decision that hurt someone, with no reviewer on record and no one accountable.
In a sampled week of decisions, every output above the risk threshold shows a named reviewer and a recorded outcome. A reviewer override halts the downstream workflow.
Compliance & Audit
Turn the first five layers into regulator-ready evidence.
- EU AI Act mapping
- GDPR alignment
- Policy enforcement
- Incident reporting
- Audit trails
A regulator question that takes your team three weeks of manual reconstruction to answer.
Every registry entry carries its EU AI Act risk classification. A simulated incident produces a complete report from audit trail data alone, with no manual reconstruction.
How a governance sprint runs.
Inventory before policy
Sprint 1 finds everything already running, including shadow AI, and tiers it by risk. Sequencing comes from your exposure, not a template.
Criteria signed on day one
Each layer ships against executable acceptance criteria you sign before the build starts. Pass or fail is observable, not negotiated.
Built in your environment
Controls run inside your tenant against your identity model. Nothing is hosted on our side and handed over later.
Evidence as a byproduct
Every control writes its own audit trail as it runs. When a regulator asks, the answer is a query, not a reconstruction project.
Your team operates it
Each sprint ends with handover. Your team gets the runbook and the access to own the control without us.
EU AI Act-aligned by construction
Layer six maps every system to its risk class, and every implementation we deliver is aligned with the EU AI Act.
From workflow to working tool in two weeks.
Scope and sign
We define the workflow, the deliverables, and the acceptance criteria, and sign an agreement on them before anything starts.
Build
We build the tool in your environment, with Claude Code and automated evaluation against your own data.
Pay when it works
$10,000, due only after every criterion in the signed agreement is met. Nothing before that.
We scope one governance layer with you and sign executable acceptance criteria on day one. We build in your environment for two weeks, and you pay $10,000 only after every criterion passes. Nothing upfront. A full six-layer install runs as repeated sprints on the same terms.
Questions buyers ask.
What is the QueryNow governance stack?
Six layers that cover the lifecycle of AI in your company: AI inventory, data foundation, data security and access, model assurance, human oversight, and compliance and audit. Each layer is a set of working controls we install in your environment, not a chapter in a policy document.
How is this different from a governance framework engagement?
A framework engagement produces documents that describe what should happen. We install systems that make it happen. Every layer ships as software running in your environment with signed acceptance criteria, so governance holds because a control enforces it, not because a policy requests it.
We already have AI in production. Where do we start?
Sprint 1 is an inventory and risk tiering of everything already running, including shadow AI surfaced from network and SaaS usage. The result is an exposure map with an owner and a risk tier for every system. That map, not a framework diagram, decides which layer we install next.
How does the sprint model work for governance?
A sprint is one two-week build with its own signed acceptance criteria. We scope the layer, sign the criteria on day one, build in your environment for two weeks, and you pay $10,000 only after every criterion passes. A full six-layer install runs as repeated sprints on the same terms, and you can stop after any sprint with working controls in hand.
Have you built governance systems before, or is this new?
We have been an AI implementation firm since 2014 with 200+ production deployments, including an AI-driven digital workplace for Rockwell Automation serving 28,000+ employees in 80+ countries. The controls in this stack are the same kind of build: scoped and signed up front, shipped in two weeks.
Does this cover the EU AI Act?
Layer six maps every inventoried system to its EU AI Act risk classification, with audit trails and incident reporting attached to it. We build systems to SOC 2, HIPAA, and GDPR standards, and every implementation is aligned with the EU AI Act.
Ready to ship AI that actually works?
Send us the workflow. We return a fixed scope, price, and acceptance criteria in 48 hours. You pay $10,000 only after it works.