S4 · GRC programme

Governance you can put in front of a regulator.

A 120-day governance, risk and compliance programme aligned to ISO 42001, NIST AI RMF, and APRA expectations. Designed for organisations operating in regulated sectors where AI assurance must be demonstrable, evidenced, and audit-ready.

Engagement summary

What we deliver, and why.

The AI Governance & Compliance Programme is the engagement we recommend when AI assurance has moved from internal hygiene to external obligation. Across 120 days we build, evidence, and operationalise a full GRC programme aligned to ISO 42001 and NIST AI RMF, integrated with APRA, OAIC, and sector-specific obligations. The deliverable is an AI control environment your audit committee can table, your auditor can test, and your regulator can interrogate.

The phases

How we run this engagement.

  1. Frame & baseline

    Map regulatory obligations applicable to your sector, baseline existing controls, and confirm the target framework (ISO 42001 alignment, NIST AI RMF, sector overlay). Establish the artefact taxonomy.

  2. Design

    Author or revise the AI policy suite, AI risk taxonomy, control library, register architecture, and the integration with existing risk, security, and compliance governance.

  3. Implement

    Operationalise governance forums, embed controls into the second-line risk environment, run executive and operational training, and populate the control evidence baseline.

  4. Assure & attest

    Internal assurance review against the framework, attestation pack production for the audit committee or board, and structured handover with a 12-month assurance cadence.

Deliverables

What you actually receive.

Every artefact below is yours to keep, drafted in your house style and language, and designed to be defensible to your board, audit committee, or regulator.

  • Full AI GRC framework (ISO 42001 aligned)
  • AI control library and register
  • AI risk taxonomy and rating model
  • Policy suite (acceptable use, data, procurement, model lifecycle)
  • Integration with enterprise risk and compliance
  • Internal assurance review report
  • Audit committee attestation pack
  • Twelve-month assurance cadence and calendar

Frequently asked

Answers to the questions we get most.

No. ISO 42001 certification requires an accredited certification body, which Optivity is not. S4 produces a framework aligned to ISO 42001 and ready for certification audit if you choose to pursue it.

Directly. The control library and operating procedures we produce explicitly map to CPS 230's operational risk management obligations as they apply to AI-enabled processes. The same applies to CPS 234.

Yes. About half of our S4 engagements follow a prior S2 or S3 with the same client. Where this is the case, we credit the relevant prior work and reduce the S4 scope to reflect what is already in place.

Yes, by design. The framework is built to be tested by internal audit, and we work openly with audit functions to ensure the evidence base is testable, traceable, and structurally sound.

Want this delivered?

Book a 30-minute discovery call. We'll confirm fit, walk you through the playbook in detail, and shape a proposal calibrated to your context.