Runtime Risk and Governance Assessment.
A structured two-to-four week assessment of your autonomous AI exposure, current governance posture, control effectiveness, residual risk, and a roadmap to mature the assurance discipline.
Output: a written assessment pack. Findings, control gaps, residual risk read, and a sequenced roadmap that the executive team, the risk team, and audit can all sign off on.
The operational engagement that delivers this assessment is FSAI Assess. This page is the executive-facing view of the same work. Section 6 explains how the two relate.
Stage 2 of 4 in the engagement funnel.
Four stages. Each one scopes and qualifies the next. The Briefing surfaces the exposure picture. The Assessment quantifies it and produces the roadmap. The Pilot proves the runtime model on one workflow. The Platform rollout extends Continuous Operational Assurance across the estate.
- Executive Assurance Briefing: Ninety minutes. The lay of the land for the executive sponsor.
- Runtime Risk and Governance Assessment (this stage): Two to four weeks. A written assessment pack and sequenced roadmap.
- Focused Pilot: Ninety days. One agent, one workflow, audit-grade evidence.
- Platform Rollout: Continuous Operational Assurance running across the estate.
Seven dimensions of the assessment.
The Assessment is structured. It is not a workshop and a slide deck. Every dimension produces evidence in the pack. Every finding is mapped back to the framework that examines it.
Autonomous AI exposure
Which workflows have agents in them. Where they sit relative to revenue, risk, and customers. What they are allowed to do, and what they are quietly doing that no one has yet inventoried.
Governance posture
Existing AI governance policies, controls, and ownership. Where the gaps are relative to SR 26-2, EU AI Act, DORA, OSFI E-23, NIST AI RMF, or the framework that applies to your enterprise.
Control effectiveness
Whether the controls in place actually fire on agent actions. Coverage rate. False positives. Bypasses. The difference between a control on paper and a control that holds at runtime.
Residual risk
What risk remains after the controls have done their work. How that risk is tracked. Whether it sits inside management-approved tolerance, and what the live signal looks like.
Evidence readiness
Whether you could produce audit-grade evidence of any agent decision in the last ninety days. The state of the evidence chain. Where the gaps are between log data and a signed record.
Three Lines of Defense alignment
Whether the first line (business), the second line (risk and compliance), and the third line (audit) have what they need to do their jobs across agentic systems. Ownership, evidence flow, escalation paths.
Maturity placement
Where your enterprise sits on the Continuous Agentic Assurance maturity model today, and what the path to Level 4 and Level 5 looks like for you specifically.
A written assessment pack.
The pack is the artifact the engagement produces. It is signed by the engagement lead. It is the basis for board, audit-committee, and regulator conversations. Same document, three audiences.
- Executive summary (1 page)
- Findings by dimension (across the seven dimensions)
- Control gap matrix
- Residual risk read
- Sequenced roadmap (90-day, 6-month, 12-month horizons)
- Maturity placement and progression plan
- Three-Lines-of-Defense alignment notes
- Appendix: agent inventory, framework mapping
Findings are framework-mapped. The control gap matrix names each gap, the framework citation it implicates, the owner, and the proposed remediation. The residual risk read is quantified against management-approved tolerance, with a live signal for the dimensions that are inside it and the dimensions that are not.
The roadmap is sequenced. Ninety-day moves are the readiness work. The six-month plan is the pilot landing surface. The twelve-month plan is the platform rollout and the maturity progression. Every line item names the owner and the framework citation it discharges.
Two to four weeks. Four phases.
Most engagements run four weeks. A two-week express engagement is available for narrower scopes, for organizations that have already completed an Executive Assurance Briefing, or where the agent inventory is small enough to compress the discovery phase.
Scoping
Agent inventory. Workflow tagging. Framework selection against your applicable regulator surface. Executive interviews with the Chief Risk Officer, the Chief Audit Executive, the engineering lead, and the line-of-business owners closest to the highest-exposure agents.
Discovery
Deep dive on the highest-exposure agents inside the scoped workflows. Control testing across the actions the agent is authorized to take. Evidence-chain trace, end to end, from action through approval through system of record.
Synthesis
Findings consolidation. Control gap matrix. Residual risk read against management-approved tolerance. Maturity placement against the Continuous Agentic Assurance model. Roadmap drafted in 90-day, 6-month, and 12-month horizons.
Pack delivery
Written assessment pack delivered, signed by the engagement lead. Executive readout with the Chief Risk Officer, the Chief Audit Executive, and the audit-committee chair if requested. Roadmap workshop to convert findings into sequenced work.
Two-week express engagements compress the scoping and discovery phases into a single week. The synthesis and pack-delivery weeks remain intact so the output quality does not change.
FSAI Assess is the engagement that produces this assessment.
The Assessment is the executive-facing product. FSAI Assess is the operational engagement that delivers it. Same team. Same written assessment pack. Two entry points, sized to two audiences.
Runtime Risk and Governance Assessment
This page. Framed for the Chief Risk Officer, the Chief Audit Executive, the General Counsel, and the audit-committee chair. The output the executive sponsor signs off on, takes to the board, and walks the regulator through.
FSAI Assess
Part of the FSAI services tier of Forge. Framed for the engineering lead, the security lead, and the operations team. Same team, same workstreams, same pack. The technical entry point for the same engagement.
Same delivery team
The FSAI practice runs the engagement regardless of which entry point the buyer used. The engagement lead, the principal engineer, and the pod do not change.
Same written pack
The output is the assessment pack described in Section 4. Same table of contents. Same signature. Same framework mapping.
Different audience framing
The Assessment page is written for the executive sponsor. The FSAI Assess page is written for the technical lead. The naming reflects audience, not work product.
The same engagement, framed for the technical buyer. Workstreams, deliverables, and the instrumentation surface.
What changes when the regulator changes.
The seven dimensions are constant. The framework mapping, the agents most worth scrutinizing, and the weight on each dimension shift with the regulator surface that applies to your enterprise.
Banking
Credit-decisioning agents, payments orchestration, KYC and AML workflows. Heavy weight on model risk management, three-lines alignment, and evidence chain back to the originating decision.
Capital Markets
Trading-surveillance agents, best-execution monitoring, market-conduct workflows. Time-stamped evidence, defensible reasoning, and contemporaneous records become first-class assessment artifacts.
Insurance
Claims-triage, fraud-detection, and underwriting agents. Risk-tolerance and policyholder-fairness focus. Evidence that the agent did not breach treating-customers-fairly obligations on any decision.
Life Sciences
Clinical-trial agents, regulatory-submission agents, pharmacovigilance agents. PCCP-aligned change management, validated systems posture, and a record chain that holds up to FDA inspection.
Healthcare Systems
Clinical-decision-support, prior-authorization, and revenue-cycle agents. HIPAA-aware data handling, clinician-in-the-loop escalation paths, and an audit chain that survives external review.
Defense
Air-gapped deployment focus. Classified-data handling. Coalition-partner interoperability and the evidence chain required for accreditation across allied frameworks.
Common questions about the Assessment.
Do I need to have done a Briefing first?
It is the cleanest path. The Briefing scopes the right Assessment shape for your organization. We can start cold, but the Assessment is faster and more accurate when the Briefing has happened.
What's the price?
Pricing is scoped to the engagement after the initial scoping conversation. Two-week express engagements and four-week full engagements have different price points.
Who needs to be involved on our side?
Executive sponsor (typically the Chief Risk Officer or Chief Audit Executive), engineering lead, and at minimum one business workflow owner. Risk and compliance attend the readouts.
Will the pack hold up to regulator review?
Yes. The pack is framework-mapped and structured the way SR 26-2, OSFI E-23, EU AI Act, and DORA examination requests expect.
What happens if the findings show we are not ready for a Pilot?
Then we say so. The roadmap will sequence the readiness work before the Pilot, not skip it. The Assessment exists to qualify the Pilot, not to upsell into one.
Can the Assessment be done remotely?
Yes. Most of the engagement runs remote with one or two on-site days for executive readouts if your governance posture requires it.
A scoped engagement with a scoped output.
Two to four weeks. A written assessment pack. A roadmap your team can act on.