[we eat our own cooking] The standard we sell is the standard we operate under.
How We Govern Our Own AI

We hold ourselves to the standard we sell.

We're an AI governance firm. That means our own use of AI, in outreach, client work, and internal operations, is subject to the same controls we install for clients. Human-in-the-loop approval on every client-facing output. Full audit log. Written playbooks. Kill switch. This page describes exactly how those controls work inside our own firm.

[human approval] [audit log] [written playbooks] [kill switch]
Our Own Governance Controls: Active
Client-Facing Output: Human-approved before send
Audit Log: Every AI action logged
Written Playbooks: Approved parameters only
Kill Switch: Instant override
Data Training: Never on client data
SOC 2 / Certification: Not yet (see honest gaps)

Process commitments, not certifications. We describe what we actually do, not what we wish we had.

01

How we govern the AI we use.

Every AI-governance engagement we sell includes the same controls we apply to our own firm. Here is exactly what those controls look like internally.

01

Human-in-the-loop approval on every client-facing output

No AI-generated content (proposal language, outreach, assessment findings, client reports) reaches a prospect or client without a named human reviewing and approving it first. The approval is not a rubber stamp: the reviewer reads the output, edits where needed, and signs off. If the output isn't right, it doesn't go. There is no autonomous send. This is the same control we build into the Approval Inbox for every client.

✓ AI drafts  ·  Human reviews  ·  Human approves  ·  Then it sends. No exceptions.

02

Audit log on every AI action

Every AI-assisted action in our client work carries a log entry: what was generated, who reviewed it, what edits were made, when it was approved, when it was sent. We maintain this record so that if a question arises about what went out and who approved it, the answer is retrievable and contemporaneous, not reconstructed from memory. The same architecture underlies the E&O audit trail we build for insurance clients.

✓ Timestamped  ·  Reviewer identified  ·  Exportable  ·  Retained

03

Written playbooks, approved parameters only

Every AI workflow we operate internally runs against a written playbook: what the AI is authorized to do, what it is not authorized to do, what escalates to a human, and what is out of scope entirely. The playbook is written down, reviewed periodically, and updated when scope changes. The AI operates within those parameters; anything outside them goes to a human. Playbooks are the governance scaffold that keeps the AI from drifting into territory we haven't approved.

✓ Written and versioned  ·  Defines in-scope / out-of-scope  ·  Updated on scope change

04

Kill switch, instant override

Any AI workflow we operate can be stopped immediately, by any team member, without an approval chain, the moment something looks wrong. We don't wait to understand the full scope of an issue before shutting down a workflow. The authority to halt is permanent and unconditional. We build the same permanent kill switch into every client deployment; it would be inconsistent not to hold ourselves to the same control.

✓ Any team member can halt  ·  No approval required  ·  Permanent authority

05

AI disclosure: we identify AI involvement

When AI materially contributed to content we send (a report section, a proposal draft, outreach copy), we are prepared to say so if asked. We do not obscure AI involvement in our client-facing work. Disclosure is a design choice, not a policy we apply grudgingly. Clients have a legitimate interest in knowing how their deliverables were produced.

✓ AI contribution identifiable  ·  Disclosure available on request  ·  Not obscured
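The four controls above (AI drafts, a named human approves, every step is logged, anyone can halt) fit together as one small pipeline. The following is an added illustration written for this page, not the firm's own Approval Inbox or Oversight Layer code; the class names, the playbook actions and the sample draft text are constructed for the example. It shows what the page describes: an out-of-scope action escalates instead of drafting, an unapproved draft cannot be sent, every event carries a timestamp and a named actor, and pulling the kill switch blocks every further step and records who pulled it.

```python
"""Approval-gated AI output pipeline: playbook scope check, human sign-off,
audit log and kill switch. Illustrative example only; names are constructed."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Playbook:
    """Written, versioned scope: the actions the AI is authorized to draft."""
    name: str
    version: str
    in_scope: frozenset[str]


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # ISO-8601 UTC, recorded when the event happens
    workflow: str
    draft_id: str
    action: str      # drafted | escalated | edited | approved | sent | refused | halted
    actor: str       # "ai", "system", or the named human responsible
    detail: str


class WorkflowHalted(RuntimeError):
    """Raised when a step is attempted after the kill switch was pulled."""


class KillSwitch:
    """Any team member may halt; there is no approval chain and no un-halt here."""
    def __init__(self) -> None:
        self.halted_by: Optional[str] = None

    def pull(self, who: str) -> None:
        self.halted_by = who

    @property
    def halted(self) -> bool:
        return self.halted_by is not None


class ApprovalInbox:
    def __init__(self, workflow: str, playbook: Playbook,
                 kill: KillSwitch, sender: Callable[[str], None]) -> None:
        self.workflow = workflow
        self.playbook = playbook
        self.kill = kill
        self.sender = sender                     # the only path out to a client
        self.log: list[AuditEvent] = []
        self._drafts: dict[str, dict] = {}

    def _record(self, draft_id: str, action: str, actor: str, detail: str) -> None:
        self.log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                   self.workflow, draft_id, action, actor, detail))

    def _check_halt(self, draft_id: str, step: str) -> None:
        if self.kill.halted:
            self._record(draft_id, "halted", self.kill.halted_by, f"{step} blocked by kill switch")
            raise WorkflowHalted(f"{self.workflow} halted by {self.kill.halted_by}")

    def draft(self, draft_id: str, action: str, text: str) -> bool:
        """AI drafts. Anything outside the playbook escalates to a human instead."""
        self._check_halt(draft_id, "draft")
        if action not in self.playbook.in_scope:
            self._record(draft_id, "escalated", "ai",
                         f"{action} is outside {self.playbook.name} v{self.playbook.version}")
            return False
        self._drafts[draft_id] = {"text": text, "approved_by": None}
        self._record(draft_id, "drafted", "ai", f"{action}: {len(text)} chars")
        return True

    def approve(self, draft_id: str, reviewer: str, edited_text: Optional[str] = None) -> None:
        """A named human reads, optionally edits, and signs off; edits are logged."""
        self._check_halt(draft_id, "approve")
        d = self._drafts[draft_id]
        if edited_text is not None and edited_text != d["text"]:
            self._record(draft_id, "edited", reviewer, f"{len(d['text'])} -> {len(edited_text)} chars")
            d["text"] = edited_text
        d["approved_by"] = reviewer
        self._record(draft_id, "approved", reviewer, "reviewed and signed off")

    def send(self, draft_id: str) -> str:
        """Send only after approval; there is no autonomous send path."""
        self._check_halt(draft_id, "send")
        d = self._drafts[draft_id]
        if d["approved_by"] is None:
            self._record(draft_id, "refused", "system", "no named approver; autonomous send not permitted")
            raise PermissionError("unapproved output cannot be sent")
        self.sender(d["text"])
        self._record(draft_id, "sent", d["approved_by"], "sent after human approval")
        return d["text"]

    def export_log(self) -> list[dict]:
        """Exportable, retained record: one dict per event."""
        return [asdict(e) for e in self.log]


if __name__ == "__main__":
    outbox: list[str] = []
    inbox = ApprovalInbox("outreach", Playbook("outreach", "1.0", frozenset({"draft_email"})),
                          KillSwitch(), outbox.append)
    inbox.draft("d1", "draft_email", "Hello, constructed sample draft.")
    inbox.approve("d1", "reviewer@example", "Hello, edited by a human.")
    inbox.send("d1")
    for event in inbox.export_log():
        print(event)
```

The design point is that `sender` is the single exit to a client and is only reachable through `send`, which refuses anything without a named approver, so the audit log is complete by construction rather than by discipline. In a real deployment the log would be written to append-only storage rather than a list, and the kill switch would be a shared flag every worker checks, but the control flow is the same.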

02

How we handle your data.

What we commit to on data handling, in plain language, without certification claims we can't back.

01
We do not train AI models on your data

Your operational data (client names, workflow details, business data shared during an engagement) is never used to train, fine-tune, or improve AI models. It enters the engagement, does the work it was shared for, and does not persist into a training corpus. This applies to data you share during the Assessment and any subsequent implementation work.

02
Data Processing Agreement (DPA) available

A Data Processing Agreement describing how we handle your data, what subprocessors are involved, and what your rights are is available for any engagement. If your procurement process or internal policy requires a DPA before sharing business data with a service provider, we can provide one. Ask during the Assessment or at onboarding.

03
Business Associate Agreement (BAA) available for healthcare / RCM engagements

For medical billing and RCM engagements where Protected Health Information (PHI) may be involved, a Business Associate Agreement is available and required before any PHI enters our systems. We do not accept PHI without an executed BAA in place. We do not claim HIPAA certification; what we offer is the BAA, HIPAA-eligible infrastructure, and the process controls that a BAA requires. Your counsel should evaluate whether our implementation meets your specific HIPAA obligations.

[Not legal advice. BAA availability is not a certification. HIPAA compliance assessment is your counsel's job, not ours.]

04
Data stays within your systems where possible

We design implementations to minimize data movement. Where your AMS, billing platform, or practice management system is the source of truth, the AI reads from and writes to that system rather than copying data into a separate store. Integration points are scoped explicitly in the Assessment deliverable, so you know before any build begins exactly what data flows where.

Data commitments are process commitments, not certifications. Requirements vary by industry and jurisdiction. Coordinate with your counsel on whether our implementation satisfies your specific obligations.

03

Our outreach and your right to opt out.

An honest statement of how we conduct outreach and how to stop it, with no fine print.

CAN-SPAM compliance on all email outreach

Every commercial email we send includes a clear identification of the sender, a physical address, and a functional unsubscribe mechanism. We honor opt-out requests promptly, within 10 business days. We do not re-contact people who have opted out. These are not aspirational commitments; they are the minimum standard we hold ourselves to, and they reflect the same consent-documentation practices we implement for clients.

Telephone / SMS outreach: consent-based and evolving-rule aware

For any telephone or SMS outreach, we obtain appropriate consent and maintain documentation of that consent as required by applicable law. TCPA enforcement is active and state-level requirements are evolving; we track those changes and update our practices accordingly. We coordinate with counsel on our outreach architecture. We do not assert any specific TCPA rule as current law; requirements vary by state and are subject to regulatory change. If you have a concern about a contact you received from us, contact us at the address below and we will address it promptly.

Opt-out honored immediately and permanently

If you tell us to stop contacting you, by any channel, in any format, we stop. No re-opt-in campaigns. No "one last message." The request is logged and honored. If you are receiving communications from us and want them to stop, reply to any email with "unsubscribe" or contact us directly through the contact page. It takes effect immediately on our side.

✓ Opt-out honored the same day  ·  All channels  ·  No re-contact

Regulatory references are for context only and do not constitute legal advice. Requirements vary by jurisdiction. We verify our outreach architecture with counsel; you should do the same for yours.

04

What we don't claim.

Governance credibility requires honesty about gaps, not just claims about controls. Here is what we do not have yet.

No SOC 2 certification yet

We have not completed a SOC 2 Type I or Type II audit. We have process controls and documentation practices; we do not have a third-party auditor's attestation to them. If SOC 2 is a procurement requirement for your firm, we are not the right fit at this stage. We will pursue SOC 2 when client volume justifies the audit cost.

No ISO 27001 or similar certification

We manage information security with documented practices and access controls. We do not hold ISO 27001 or any equivalent formal certification. Our security posture is appropriate for our current client profile; we describe what we actually do, not what we're certified to do.

No HIPAA certification (HIPAA has no certification program)

HIPAA does not issue certifications; anyone claiming to be "HIPAA certified" is misrepresenting how the regulation works. We offer a BAA, HIPAA-eligible infrastructure, and appropriate process controls for healthcare / RCM engagements. Whether those controls satisfy your specific HIPAA obligations is a determination for your counsel to make, not us.

No published penetration test results

We have not commissioned or published a penetration test of our infrastructure. We apply standard security practices; we do not have an external attestation of them. Enterprises with security review requirements should factor this into their evaluation.

We list these gaps because a governance firm that papers over its own gaps is not a credible governance firm. The absence of a certification doesn't mean the absence of a control, but you deserve to know the difference, and we're not going to pretend we have credentials we haven't earned.

We hold the same standard we build.

See the governance architecture before you decide if you trust it.

The AI Opportunity Assessment maps your back-office workflows, identifies the governance gaps in your current process, and delivers a written scope with a fixed implementation price, including the full Oversight Layer™ architecture. You see the model before any build begins.

[approval inbox] [audit trail] [kill switch] [written playbooks]

Fixed-fee diagnostic. Scope and price delivered in writing before any implementation begins.