Compliance for AI systems in regulated industries. Engineering work, not legal advisory — delivered as running infrastructure, not a binder. Under 15k EUR, not 200k.
The market has two shapes. Big 4 firms quote 200k EUR and six months and deliver a binder. Checklist vendors sell a dashboard with nothing running behind it. Neither survives an auditor asking “prove this control was in force last Tuesday.”
We build compliance as running code: controls mapped to specific systems, evidence generated by your CI/CD, drift detected automatically, and an auditor-ready dashboard that reflects production — not a point-in-time snapshot.
Everything below is in scope for a standard 4-week engagement. No “implementation TBD.” No reference-architecture PDF. Shipping infrastructure from day one.
EU AI Act Article 55 (GPAI), ISO 42001 Annex A, HIPAA technical safeguards, NIST AI RMF MEASURE + MANAGE. Scored per control, with a prioritized remediation path.
Every applicable control mapped to the specific service, pipeline, or dataset it governs. Shared with engineering, legal, and audit from the first meeting.
Logging, model evaluation, red-team harness, data governance policies, model cards, post-market monitoring. Ships as PRs against your repo — not a memo.
CI/CD-generated artifacts: eval run manifests, dataset lineage, change logs, access reviews, signed model releases. Replayable for any point in time the auditor asks about.
Control status, drift alerts, last-evidence timestamp, open actions. A single URL that answers the auditor's first question without a status meeting.
12 months later we come back, re-run the gap analysis against the new regulatory landscape, and ship the delta. Regulations change; your controls shouldn't decay.
Half-day workshop with engineering and legal. We identify the applicable frameworks (GPAI, high-risk, HIPAA-covered, SOC 2-adjacent) and freeze scope.
Control-by-control walkthrough of the existing systems. Every gap gets a severity, an effort estimate, and a proposed control implementation.
Pair-building with your team. Logging, eval harness, red-team runs, model cards, evidence pipeline — merged to main, not a branch in the corner.
Auditor-ready dashboard live, runbook handed over, alerts wired to the team's oncall. Optional retainer for monthly drift review.
Every control declares the evidence it emits. The evidence pipeline runs on every release, timestamps to a content-addressed store, and the dashboard verifies freshness. Here is the control manifest we ship on day one:
```yaml
# EU AI Act · Article 15 · Accuracy & Robustness
control: eu-ai-act/art-15/accuracy
applies_to: [services/inference, services/rag]
evidence:
  source: ci/evals.yaml
  freshness: 24h
  artifact: eval-manifest-{commit}.json
  store: s3://velox-evidence/{tenant}/{date}
checks:
  - id: accuracy-drift
    metric: task_accuracy
    baseline: 0.91
    tolerance: -0.03
    on_fail: block_release + page oncall
  - id: adversarial-robustness
    suite: promptbench/v2 + velox/rag-poison
    min_pass_rate: 0.85
    on_fail: block_release
auditor_view:
  last_run: {{ auto }}
  last_pass: {{ auto }}
  drift_window: 30d
```
HIPAA technical safeguards, BAA-ready infrastructure, de-identification for training data, audit logging of every inference. We run one of these internally.
You have a copilot, a summarizer, or a RAG agent. Aug 2, 2026 is real. You need Article 55 evidence, not a legal memo.
SOC 2 is already in place. Procurement now wants NIST AI RMF mapped to your pilot, ISO 42001 gap analysis on the roadmap, and a red-team report before go-live.
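As an added example, not the studio's own code, here is how a dashboard could evaluate the Article 15 manifest above against one eval-run artifact: the freshness window, the drift tolerance and the minimum pass rate each become a check, and any failure yields the on_fail actions. The manifest is transcribed as a dict, the artifact is constructed, and key names such as freshness_hours and suite_pass_rates are this example's assumptions.

```python
from datetime import datetime, timedelta

# The Article 15 control above as the dict a YAML loader returns (assumption:
# this example's own key names, e.g. "freshness_hours" for "freshness: 24h").
CONTROL = {
    "control": "eu-ai-act/art-15/accuracy",
    "freshness_hours": 24,
    "checks": [
        {"id": "accuracy-drift", "metric": "task_accuracy", "baseline": 0.91,
         "tolerance": -0.03, "on_fail": ["block_release", "page_oncall"]},
        {"id": "adversarial-robustness", "suite": "promptbench/v2 + velox/rag-poison",
         "min_pass_rate": 0.85, "on_fail": ["block_release"]},
    ],
}

# Constructed eval-run artifact (the shape assumed for eval-manifest-{commit}.json).
ARTIFACT = {
    "run_at": "2026-06-01T09:00:00+00:00",
    "metrics": {"task_accuracy": 0.87},
    "suite_pass_rates": {"promptbench/v2 + velox/rag-poison": 0.90},
}

def run_check(check, artifact):
    """Return (passed, reason). A negative tolerance is the drop permitted below baseline."""
    if "baseline" in check:
        value = artifact["metrics"].get(check["metric"])
        floor = check["baseline"] + check["tolerance"]
    else:
        value = artifact["suite_pass_rates"].get(check["suite"])
        floor = check["min_pass_rate"]
    if value is None:  # missing evidence is a failure, never a silent pass
        return False, f"{check['id']}: no evidence recorded"
    return value >= floor, f"{check['id']}: observed {value:.3f}, floor {floor:.3f}"

def control_status(control, artifact, now_iso):
    """Dashboard verdict at time now_iso: 'green' only if evidence is fresh and every
    check passes. Stale evidence is treated as a failure (assumption), never as green."""
    now, run_at = datetime.fromisoformat(now_iso), datetime.fromisoformat(artifact["run_at"])
    reasons, actions = [], set()
    if now - run_at > timedelta(hours=control["freshness_hours"]):
        reasons.append(f"evidence stale: last run {artifact['run_at']}")
    for check in control["checks"]:
        ok, reason = run_check(check, artifact)
        if not ok:
            reasons.append(reason)
            actions.update(check["on_fail"])  # block_release, page_oncall, ...
    return {"control": control["control"], "status": "red" if reasons else "green",
            "actions": sorted(actions), "reasons": reasons}
```

With the constructed artifact the accuracy check fails (0.87 against a floor of 0.88), so the verdict is red with block_release and page_oncall; an artifact older than 24h is red even when every check passes.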
No. We do engineering work grounded in the text of the regulations. If you need a legal opinion, we coordinate with your counsel — but the controls, evidence pipelines, and monitoring we build are technical deliverables, not legal instruments.
SOC 2 is mostly silent on AI-specific risks (prompt injection, data poisoning, model drift, unsafe generation). EU AI Act, ISO 42001, and the NIST GAI profile explicitly cover them. We map your existing SOC 2 controls and only build what is genuinely new.
Big 4 bills through a consulting ladder. We are a specialist studio with no partners to feed, and we reuse the same control library across engagements. The savings are structural, not a discount.
The evidence pipeline blocks the release automatically and pages oncall. The control status on the dashboard turns red. Nothing ships silently.
No. ISO 42001 certification is issued by an accredited body; we do not compete with that. We get you audit-ready so the actual audit is a two-week engagement, not a two-quarter emergency.
Remote by default (we are based in India, clients are in US/EU). On-site workshops available for scoping and kickoff if your organization requires it.
30-minute scoping call, written quote within 48h, no sales loop. We take at most two new compliance engagements per month.
Request a gap analysis →