Our AI assurance and governance services help organisations put defensible governance and independent assurance around the use of generative and agentic AI in business-critical processes, supporting Board accountability and external scrutiny.
We support clients operating under external scrutiny, including APRA for regulated entities, ASIC where AI influences customer outcomes and OAIC expectations under the Privacy Act where AI touches personal information. A common thread across these services is alignment to director-level governance guidance published by the AICD.
While the technologies associated with generative and agentic AI may be new, the underlying risks are familiar. Risks related to governance, change control, access management, ownership, model risk and third-party reliance have existed for decades. What has changed is the speed and scale at which these risks can emerge, driven by decentralised adoption, rapid iteration and tools with known limitations.
Bias and fairness are also long-standing customer outcome and conduct risks that can be heightened by the use of generative and agentic AI, particularly when decisions are automated at scale with limited transparency. Effective governance therefore needs to be embedded across a number of existing risk and control domains. These include governance and accountability, change and release management, access management and privileged access, data governance and privacy, third-party risk, and monitoring and incident response.
Our AI assurance and governance services include:
AI governance framework design
We help you design an AI governance framework that can be operated day to day, not just documented. This typically includes an operating model, roles and accountability, decision rights, approved use cases, model and vendor onboarding, minimum control requirements, monitoring and escalation, and Board reporting. The objective is a practical governance foundation that fits your existing risk and assurance rhythms and supports clear accountability for AI use.
Regulatory compliance & emerging standards
We help organisations prepare for the obligations and scrutiny that already exist where AI affects customer outcomes, privacy and resilience. This includes how expectations show up in practice through the OAIC and Privacy Act where AI touches personal information, through ASIC where AI influences customer outcomes and conduct risk, and through APRA for regulated entities where AI affects information security or operational resilience. Where useful, we map governance and controls to recognised standards and frameworks, including ISO/IEC 42001, the NIST AI Risk Management Framework and ISO/IEC 23894, and identify gaps in documentation and evidence required to respond to regulators, customers and procurement teams.
AI model risk & bias assessments
We provide independent assessments of AI model risk focused on what Boards, risk teams and internal audit functions need to know. This includes suitability for purpose, data quality and provenance, bias and fairness risk, explainability, security considerations, monitoring, and controls around model changes. For vendor AI and third-party models, we focus on what you can evidence and govern in your environment, not vendor claims.
Independent assurance reporting
We provide independent reporting over AI governance and controls, tailored to the audience and the assurance question being asked. This may include internal assurance reporting for Boards and audit committees, assurance packs to support customer and procurement questions, or targeted reviews to evidence whether AI use meets defined minimum standards and internal policy requirements. Reporting focuses on clear conclusions, evidence and practical actions.
We simplify the technical complexity of AI assurance by translating AI use, control evidence and technical findings into clear, decision-ready insights that directors and senior leaders can rely on.