How We Help
For organizations navigating the intersection of innovation and regulation, we provide specialized guidance on AI governance, data protection, and healthcare privacy.
Our work combines technical understanding with regulatory fluency, developed over a decade advising organizations from Fortune 500 enterprises to clinical AI developers.
AI Governance & EU AI Act Compliance
Boards are asking questions about AI risk.
Enterprise customers want assurance about your AI governance before contracts get signed. The bulk of the EU AI Act's binding obligations, including those for high-risk AI systems, apply from August 2026.
Most AI governance frameworks come from consultants who understand regulation but not architecture, or from technical teams who understand models but not compliance.
We bring a decade of medical device risk assessment experience to both sides of that gap.
We don’t identify “AI risks” generically. We systematically map failure modes (what happens when your model misclassifies, when training data drifts, when edge cases appear), assess severity using quantifiable criteria, and prioritize mitigation by actual impact.
This produces risk documentation that satisfies both regulators and engineers. We work directly with your technical teams, legal counsel, and relevant business functions.
Typical engagements span 12-18 weeks and accommodate ongoing development.
This suits organizations with:
- AI systems in production or late-stage development
- Board or investor scrutiny about AI risk management
- Enterprise customers conducting AI governance due diligence
- SaMD or healthcare AI requiring MDR integration
- Regulated sector deployment where governance gaps create exposure
We’ll discuss specific scope and investment after understanding your technical context and stakeholder requirements.
Data Protection & GDPR
Maybe you’re expanding to European markets and customers want privacy assurance before purchase.
Maybe you received a data subject access request and discovered you can’t fulfill it properly. Maybe your current “compliance” is a privacy policy written three years ago that bears no relationship to actual data practices.
Traditional compliance approaches produce privacy policies that say “we take your privacy seriously” while your actual data handling remains undocumented.
We start by mapping what actually happens to data in your systems.
Where does an email address go after signup? Which third parties receive it? Who can access it internally? When is it deleted? Most organizations discover they don't fully know.
This data flow mapping reveals the gaps that matter.
We take two approaches depending on urgency:
30-day sprint:
We identify what creates immediate regulatory risk, document your current processing accurately, establish procedures for the requests you'll actually receive, and build a breach response process that works within your team's capacity.
Comprehensive buildout (12-16 weeks):
We complete a legal basis analysis for every processing activity, build privacy in as a feature of your product, strengthen your vendor management framework, design deletion procedures that account for backups and archives, and write training materials and playbooks your non-legal staff can understand.
You likely need this if:
- You're processing EU personal data.
- Your privacy policy describes an idealized version of your data practices.
- You can't respond to data subject access requests without detective work across systems.
- Customer security assessments reveal privacy gaps that block deals.
Healthcare Privacy & Medical Device Compliance
The EU Medical Device Regulation (MDR), the GDPR, and the EU AI Act overlap, and the overlaps create conflicting obligations.
We understand what Notified Bodies scrutinize in technical documentation. We know how research ethics committees evaluate consent forms. We understand the technical constraints of training diagnostic AI on sensitive health data.
We implement pseudonymization that preserves diagnostic utility. We write data protection sections that survive Notified Body scrutiny, draft consent language that satisfies both research ethics committees and GDPR Article 9, and navigate genuine conflicts like GDPR’s erasure rights versus MDR’s post-market surveillance requirements.
We work with:
- SaMD developers preparing technical documentation for Notified Body review
- Clinical AI companies where algorithmic decisions affect patient care
- Organizations conducting trials requiring research ethics committee approval
- Healthcare technology companies facing Article 9 data processing complexity
Engagements typically span 12-16 weeks and align with your regulatory submission timeline. We work alongside clinical teams, regulatory affairs, and technical development: the documentation we produce has to survive Notified Body scrutiny while remaining implementable.
DPO as a Service
The GDPR requires Data Protection Officer designation for many organizations.
Most organizations don't need full-time dedicated privacy resources. The alternative shouldn't be nominal designation, someone listed as DPO who provides no actual guidance. That satisfies the letter of the requirement while creating regulatory exposure disguised as compliance.
Our DPO service provides senior privacy expertise fractionally.
A monthly retainer covers strategic consultation, operational responsiveness, and regulatory representation.
You’re evaluating a cloud provider. Their DPA has non-standard language about data retention. You send us the contract. We identify problematic clauses, explain the regulatory risk, and suggest specific amendments.
A supervisory authority sends an inquiry. We draft the response, explain what documentation they're likely to request next, and represent you in correspondence.
This suits:
- Organizations meeting the Article 37 mandatory DPO criteria without the scale for a full-time hire.
- Companies of roughly 50 to 500 employees, where this model works best.
- Organizations needing ongoing senior counsel as European operations scale.
- Organizations able to commit for a minimum of six months.
How We Work
Every engagement begins with understanding your specific context: your technical architecture, regulatory obligations, organizational constraints, and stakeholder requirements.
Rather than applying templated frameworks, we develop tailored approaches that account for your technology, market position, and risk tolerance.
This typically involves deep collaboration with technical teams, legal counsel, and leadership.
Our deliverables are designed for practical use: documentation that satisfies auditors, risk assessments that inform decision-making, and frameworks your teams can actually implement.
We remain engaged through implementation, providing guidance as questions arise and frameworks meet operational reality.
Begin a Conversation
If you're navigating complex privacy or AI governance challenges, we should talk.
Initial consultations allow us to understand your specific situation and determine whether we're the right fit.
We'll discuss your technical context, regulatory obligations, and organizational constraints.
There's no obligation, and the conversation itself often provides clarity on your options.
