AI governance consultancy
AI Governance Consultancy UK
Governance AI is a UK AI governance consultancy for boards: a scored diagnostic (from £3,950), policy and control design, and engineered evidence, mapped to ISO 42001, NIST AI RMF, UK GDPR and your sector regulator — led by Dr Karl George MBE, founder of The Governance Forum.
Who this applies to.
UK boards, company secretaries, risk and audit committees, and executives in regulated or public-facing organisations who are evaluating or buying AI governance help — from a first scorecard through to implementation. We work most often with:
What the board needs to decide.
Before you engage anyone, five decisions shape what you should buy and in what order.
- Whether the immediate need is diagnosis (where do we stand) or implementation (build and prove the controls).
- Whether ISO/IEC 42001 certification readiness or EU AI Act scope is in play for you this year.
- Who owns AI governance internally, and what evidence they will need to show a regulator or auditor.
- Advisory alone, or an adviser who has also shipped governed AI systems into production.
- Budget tier: the free Board AI Scorecard, then GovernIQ Lite (£3,950), the full diagnostic (£9,950), or diagnostic plus roadmap (from £18,000).
For the numbers in full, see our AI governance consultancy pricing guide.
What Governance AI does.
We run two service lines. The first is a board-level advisory programme — Foundation, Development and Accreditation — that takes a board from AI literacy to a defensible governance position and, where it fits, the Governance AI Quality Mark. The second is governance-first builds: we design and ship production AI with the controls written into the code, not bolted on to pass a review.
Most firms do one or the other. We do both, with one team, so the governance and the system are never lost in a handoff between adviser and developer.
How an engagement works
From baseline to evidence a regulator can inspect.
An engagement is a sequence of controls, each producing evidence with a named owner. This is the same discipline we apply at the model level, one rung up.
| Control | Evidence produced | Owner |
|---|---|---|
| AI inventory and scorecard baseline | Board AI Scorecard result and a first inventory of where AI is already in use | Company secretary / board |
| GovernIQ™ diagnostic | A scored readiness report across five areas, presented at a board readout | Risk or audit committee |
| Policy and roles | An AI governance policy, an acceptable-use standard, and a named accountable owner | Named AI owner (executive) |
| Engineered controls | Read-only data access, an append-only audit ledger, confidence floors and human approval gates, written into the code | CTO / delivery team |
| Assurance and Quality Mark preparation | Controls mapped to ISO/IEC 42001 and the NIST AI RMF, and an evidence pack a board or auditor can inspect | Board / external auditor |
At system level, this becomes a specific set of AI model governance controls.
The frameworks we map your governance to.
AI does not create a separate rulebook. It runs through the standards and regulators you already answer to.
| Framework | What it governs | How we map to it |
|---|---|---|
| ISO/IEC 42001 | The AI management system: policy, roles, risk process and continual improvement. | We prepare you for certification and leave the evidence in place. We do not issue the certificate. |
| NIST AI RMF | The risk function across Govern, Map, Measure and Manage. | We map each control we design to the four functions, so the work is legible to a US-facing or model-risk audience. |
| UK GDPR / ICO | Personal data, automated decisions and the duty to complete a DPIA where the risk is high. | We review where AI touches personal data and what a data protection impact assessment must record. |
| EU AI Act | Role-based scope (provider or deployer) and risk tiers, which can reach a UK-only organisation. | We assess whether the Act applies to you and, if it does, what your role obliges you to hold. |
| Sector regulator | The duties you already answer to: FCA, RICS, DfE/ESFA, the RSH or the ICO for local authorities. | We score the diagnostic against your regulator, not a generic checklist. |
Going deeper on one of these? See our guides to the ISO 42001 consultant question and EU AI Act consultancy scope.
Why Governance AI
Board authority, and systems we have actually shipped.
Our advisory is grounded in the practice of our founder, Dr Karl George MBE — founder of The Governance Forum, creator of the Governance Assessment Process and the RACE Equality Code, and Partner and Head of Governance at RSM UK. No UK boutique in this market leads with a board-governance figure of that standing.
That authority sits on top of an AI-native operating model and systems we have built and governed: read-only data access, append-only audit ledgers and confidence floors that overrule the model, engineered into production rather than described in a policy.
Common mistakes when buying AI governance.
The failures we are most often called in to fix have the same few roots.
- Buying a framework or a policy pack with no evidence behind it. A policy a regulator cannot test is a statement of intent, not a control.
- Treating a diagnostic as a one-off certificate rather than a baseline to re-score as your AI use grows.
- Hiring for brand over shipped evidence. Ask what the adviser has actually built and governed, not only what they have reviewed.
- Assuming a consultancy's certification claim is the same as an accredited certification body's audit. A consultancy prepares you; only an accredited body can certify you against ISO/IEC 42001.
For a vendor-neutral way to test any adviser, see how to choose an AI governance partner and our responsible AI consultancy selection test.
Questions boards ask us first.
If yours is not here, a short conversation will answer it faster than another page would.
Start where it is proportionate.
The free Board AI Scorecard takes about two minutes and tells you your weakest area and the right next step. The GovernIQ™ Diagnostic goes deeper, from £3,950.