AI Governance & Assessment

What this is

The AI Governance & Assessment is the formal version of the work the Governance Workshop teaches. The workshop produces rough drafts your team builds together. The Assessment produces finished, externally-reviewed documents delivered by a practitioner, and adds the piece most SMB AI initiatives skip entirely: a measurement framework that tells you whether the AI you’ve adopted is worth what you’re paying for it.

Two parts, one engagement:

1. The governance package - five finished documents covering every part of how AI shows up in your business
2. The measurement and ROI framework - the structure for testing, tracking, and proving that your AI investments are doing what they’re supposed to do

Most consultants stop at the documents. The documents are necessary, but they don’t tell you whether AI is actually working. The measurement framework does.

What you receive

The five governance documents

• AI Tool Inventory & Approved Use Registry - the running list of every AI tool the business uses, who uses it, what it can reach, and whether it’s approved for which categories of work
• Acceptable Use Policy - the rules of the road for employees, written in plain language and structured to hold up to a regulator, an insurer, or a client asking what your AI policy is
• Data Classification Quick Reference - a one-page guide your team can consult before pasting client data into a tool, built around the consequences of escape rather than the source of creation
• AI Risk Assessment - paired Excel risk register and Word synthesis, structured the same way the bigger frameworks (NIST, ISO) structure their assessments - so the work translates if you ever need to show it to an auditor
• Onboarding & Offboarding Procedure - the AI-specific additions to your existing HR processes: which tools a new hire gets access to on Day 1, which ones get revoked when someone leaves, and how the inventory stays current

These are finished documents. Externally reviewed. Yours to put into practice on Day 1.

The Measurement and ROI framework

Most SMBs adopt AI tools and then never find out whether they worked. Licenses get bought, people use them, and 18 months later nobody can answer the basic question: did this make us better, faster, or more profitable - or are we paying for something we can’t justify?

The Measurement and ROI framework is the second deliverable. It includes:

• The success metrics that actually matter for your business - not generic AI KPIs, but the ones tied to how your firm makes money
• A pre/post testing structure - so when you adopt a new AI tool or workflow, you can tell whether it’s better than what it replaced
• A time-savings tracking method - practical enough that your team will actually use it, structured enough that the data is meaningful
• A quarterly review cadence - when to reassess, what to look at, what triggers a decision to expand, contract, or replace

This is the piece most consultants skip. It’s also the piece that turns AI from a line item on the budget into a business decision you can defend.

About identity

AI governance and identity security are the same problem from two angles - who has access to what tools, and what those tools can reach. Most engagements include identity work as part of the scope, weighted to the scope your business actually needs.

If your identity posture is already strong - MFA enforced, accounts inventoried, password hygiene under control - we focus the Assessment on the governance documents, and Measurement and ROI framework. If it isn’t, we address it as part of the engagement: account inventory, MFA review, credential exposure check, and the identity recommendations that go into your governance documents.

We don’t sell these as separate products because they don’t work as separate products. An AI governance program built on top of a weak identity posture isn’t really governance - it’s documentation of the holes. The Assessment scopes both pieces honestly during the consultation, and pricing reflects what your business actually requires.

Who this is for

You’re a fit if you:

• Run a small or mid-size business between roughly 5 and 150 employees
• Have or want AI showing up in your business - by adoption, by client demand, or because tools you already use (Microsoft 365, your case management system, your accounting platform) are adding AI features
• Need finished documents you can put into practice or hand to a regulator, insurer, or enterprise client - not a workshop where you build them yourself
• Want to know whether AI is actually paying off, not just hoping it is

You’re not a fit if you:

• Need rough drafts to work from collaboratively - the Governance Workshop is the right product for that, at a lower price point
• Need ongoing third-party attestation (SOC 2, HIPAA) - see Compliance Readiness below
• Need a fractional AI officer to maintain the program over time - see Fractional AI Officer for the ongoing engagement

How it works

A typical engagement runs four to six weeks from kickoff to delivery:

1. Intake and scoping - questionnaire and a 30-60 minute kickoff call. We map your tools, your industry’s regulatory environment, your risk level, and what you’re trying to get out of AI.
2. Interviews and inventory - typically 3–6 short conversations with people across your business who use or will use AI. We build the tool inventory and identify the use cases that matter.
3. Document drafting and measurement framework build - we develop the five governance documents and the measurement and ROI framework, calibrated to your business.
4. Review and revision - we walk through every deliverable with you, take your feedback, revise.
5. Final delivery and 60-minute debrief - finished documents handed over, measurement framework explained, recommended next steps named explicitly.

Some engagements run longer or include more depth - a deeper tool configuration review, broader interview coverage, hands-on implementation support, or expanded automation analysis. Those scope additions are quoted in the proposal based on your business size, industry, data risk profile, and how many AI use cases need to be absorbed into the assessment.

Pricing

From $2,500. The starting point covers the published deliverables — five governance documents and the Measurement and ROI framework — for a typical SMB engagement at baseline scope.

The actual price depends on company size, industry, data risk profile, and the depth of automation analysis your business needs. We work that out in the consultation, not on the page.

Workshop graduates receive a discount on the full Assessment. If you’ve taken the Governance Workshop and want the finished version of the documents instead of the rough drafts you built, mention it when you reach out.

The boundary

We assess the container, not the contents

GuardXID examines who has access to AI tools and what those tools can reach inside your business. We do not read your client files, patient records, or matter documents — and we never will. This is what makes the work appropriate for law firms, medical practices, and any business where the contents of the work are protected by professional duty.

What comes after

The Assessment is the foundation. For businesses that need more, two paths exist:

• Fractional AI Officer - if you need someone to maintain the governance program over time, advise on tool decisions as they come up, conduct ongoing employee training, automation or agent use case building, and run the measurement cadence. Ongoing retainer.
• Compliance Readiness (Vanta partner) - if your business needs to prove its governance to outsiders. SOC 2, HIPAA, or other certifications. The Assessment is where the foundation gets built; Compliance Readiness is where it gets maintained and proven to auditors, enterprise clients, and insurers.

The right next step depends on your business. We’ll talk through it in the consultation.