
The Intelligence Age

AI governance diagnostic cost: what drives the fee

What UK boards should expect to pay for an AI governance diagnostic, what changes scope, and when to start with a scorecard.

Hamada Mahdi · 8 min read · Researched and drafted with AI assistance, reviewed by Karl George MBE

Image: A restrained boardroom still life with diagnostic papers, clear evidence blocks and one violet block marking the scoped cost decision

AI governance diagnostic cost is not a menu price. A board should expect the fee to follow scope: AI inventory, personal-data exposure, sector rules, supplier complexity, evidence quality, interviews and the board readout. Buy a defensible evidence set, not a slide deck.

This article is for chairs, company secretaries, audit and risk committees, CEOs and CIOs who need to decide whether a diagnostic is worth funding. If your organisation only needs a first baseline, start with the free Board AI Scorecard. If the board needs an assessor-led view it can minute, compare providers against the evidence below.

Key takeaways

  • A useful diagnostic prices the work required to produce evidence: inventory, risk mapping, interviews, policy review, controls testing and a board-ready report.
  • The cheapest quote is weak if it only produces generic recommendations; the fee should buy artefacts your board can show to auditors, regulators and customers.
  • Governance AI's own GovernIQ diagnostic is published as a scoped offer: Lite at £3,950, full Diagnostic at £9,950, and Diagnostic + Roadmap from £18,000, excluding VAT. That is our offer, not a market-wide price.
  • Scope rises when AI systems process personal data, affect people, rely on suppliers, serve EU users or need mapping to ISO/IEC 42001, the NIST AI RMF or sector regulator expectations.
  • A self-assessment is enough for a first conversation. A diagnostic is for boards that need a dated gap analysis, named owners, prioritised actions and a readout they can govern from.

What the fee should buy

A diagnostic is not the same thing as a strategy workshop. A workshop can help a board learn the language; a diagnostic should leave the board with a scored position and the evidence behind it.

The work normally has five parts. First, an inventory of AI systems, including bought tools and AI embedded inside existing software. Second, a risk and regulatory map, because the UK government says existing regulators apply five cross-sector AI principles within their remits, including transparency, fairness, accountability and contestability. The source for that map should be the DSIT government response on AI regulation, not a vendor summary.

Third, the assessor should read the artefacts your organisation already has: policy, risk register, DPIAs, procurement records, supplier terms, board papers, training records and audit evidence. Fourth, they should interview enough people to test whether the documents describe reality. Fifth, they should produce a board-ready report with scores, gaps, owners and a sequence of actions.

On this site, the published Governance AI offer gives three entry points through the GovernIQ diagnostic: GovernIQ Lite at £3,950, the full GovernIQ Diagnostic at £9,950, and Diagnostic + Roadmap from £18,000. The same page says prices exclude VAT and larger programmes are scoped to the work. Treat those as a transparent starting point for our own service, not as proof that every provider should charge the same.

The board should ask one buying question before it asks about price: what evidence will we hold at the end?

Option: Free scorecard
When it is enough: You need a quick baseline before a board or executive discussion
Evidence the board should receive: A dated self-assessment and gap list

Option: Lite diagnostic
When it is enough: You have limited AI use or need validation of known gaps
Evidence the board should receive: Scored readiness report, two to three interviews, board readout

Option: Full diagnostic
When it is enough: AI is live across functions or the board needs a defensible plan
Evidence the board should receive: Evidence review, five to eight interviews, scored report, prioritised action plan

Option: Diagnostic plus roadmap
When it is enough: The board wants the remediation path as well as the gap analysis
Evidence the board should receive: Diagnostic report, implementation roadmap, policy starter and follow-up board session

AI governance diagnostic cost drivers

The fee should move with the work. If a provider quotes before asking these questions, the number is not yet scoped.

System count and use-case risk. Reviewing one internal productivity pilot is not the same as reviewing ten systems that affect customers, residents, pupils, service users or employees. A board should ask which systems are in scope, which are out of scope and why.

Personal data and automated decisions. Where AI touches personal data, the Information Commissioner's Office expects a risk-based approach that identifies the risks to people's rights and implements appropriate measures. The ICO also says a DPIA must be carried out before personal-data processing begins and treated as a live document where the nature, scope, context, purpose or risk changes. That is why a diagnostic involving personal data needs enough time to read the DPIAs, test the safeguards and identify any missing reassessment trigger. See the ICO guidance on AI accountability and governance.

Sector and legal exposure. A charity, housing association, financial services firm and local authority all answer to different sector expectations. EU exposure also changes scope: the EU AI Act text can reach providers and deployers outside the EU where the output of the AI system is used in the Union. That does not mean every UK organisation is caught, but it does mean the diagnostic must test the question rather than assume it away.

Framework depth. A high-level maturity score is cheaper than a controls map. Mapping to ISO/IEC 42001 takes more work because ISO describes an Artificial Intelligence Management System with requirements for establishing, implementing, maintaining and continually improving the system. Mapping to the NIST AI RMF takes a different kind of work because the NIST core organises risk management through Govern, Map, Measure and Manage. If the report promises both, the fee should include the time to make the mapping specific to your systems, not just paste framework names into an appendix.

Security evidence. AI governance is not only policy. The National Cyber Security Centre's guidance breaks secure AI system development into secure design, secure development, secure deployment, and secure operation and maintenance. If the diagnostic includes technical security evidence, supplier model-change controls or prompt-injection exposure, that is a larger scope than a board-paper review. The source is the NCSC secure AI system development guidance.

Board readout and remediation planning. A written report without a board conversation is cheaper to deliver. It is also easier to ignore. If the fee includes a board readout, action sequencing and a follow-up roadmap, you are paying for judgement as well as analysis.

A board decision frame

The board is not buying an abstract assurance product. It is deciding how much proof it needs before it lets AI move further into the organisation.

Put five questions into the approval minute:

  1. What decision are we funding? Baseline only, diagnostic gap analysis, or a funded remediation programme.
  2. Which AI systems are in scope? Bought tools, built systems, embedded AI inside existing software, and informal use all need an inclusion decision.
  3. What would change the price? More interviews, more systems, supplier contract review, DPIA repair, EU scope assessment, sector-specific controls, or roadmap work.
  4. What artefacts will we own? Inventory, risk map, evidence log, scores, recommendations, owner list, board readout and action plan.
  5. What will the board do next? Approve a remediation plan, commission training, pause a use case, improve supplier controls or return to self-assessment.

This keeps the price conversation where it belongs. The board is not asking whether £3,950, £9,950 or another figure sounds large in isolation. It is asking whether the work produces evidence proportionate to the decisions the board has to take.

Evidence and framework mapping

A board can judge a diagnostic by the table it would be able to fill at the end. If a proposal does not name the evidence source, the owner and the framework link, ask for it before accepting the fee.

Diagnostic area: AI inventory and scope
Evidence to test: System list, owners, purpose, users, supplier, data categories
Framework or regulator link: UK five principles from DSIT, especially accountability and governance
Usual board owner: Audit and risk chair

Diagnostic area: Personal data and DPIA
Evidence to test: DPIAs, lawful basis, safeguards, reassessment triggers, DPO review
Framework or regulator link: ICO AI guidance on risk-based accountability and live DPIAs
Usual board owner: DPO or information governance lead

Diagnostic area: Management system
Evidence to test: AI policy, risk process, competence records, review cadence
Framework or regulator link: ISO/IEC 42001 requirements for an AI management system
Usual board owner: CEO or executive sponsor

Diagnostic area: Risk practice
Evidence to test: Risk appetite, measurement method, controls, incident route
Framework or regulator link: NIST AI RMF core functions: Govern, Map, Measure, Manage
Usual board owner: Risk lead

Diagnostic area: Secure AI operation
Evidence to test: Threat model, supplier controls, deployment controls, monitoring
Framework or regulator link: NCSC secure design, development, deployment and operation guidance
Usual board owner: CIO or security lead

Diagnostic area: EU exposure
Evidence to test: EU users, EU outputs, provider or deployer role, high-risk indicators
Framework or regulator link: EU AI Act scope for third-country providers and deployers where output is used in the Union
Usual board owner: General counsel or company secretary

The mapping should be specific enough that the board can ask for the missing document at the next meeting. "Partially aligned to NIST" is not an action. "No named owner for AI risk measurement" is.

Common pricing mistakes

The first mistake is comparing day rates rather than outputs. A cheap diagnostic that creates a generic maturity slide costs less because it inspected less. A good proposal says what will be read, who will be interviewed, how scores are calculated and what the board will receive.

The second mistake is buying certification theatre. ISO/IEC 42001 is a management system standard; a consultancy can prepare you for a management system, but the diagnostic is not itself accredited certification. If certification is the destination, the proposal should separate readiness work from the later certification-body audit. Our explainer on ISO 42001 versus the NIST AI RMF sets out that distinction.

The third mistake is treating AI as only a technology budget. If the diagnostic only speaks to the CIO, it will miss how the board, DPO, procurement lead, legal lead and service owners actually create or reduce risk. The questions every UK board should ask about AI are a useful companion because they define the artefact behind each answer.

The fourth mistake is letting the price avoid difficult exclusions. If shadow AI, supplier tools or EU-facing outputs are excluded, the report should say so. An honest exclusion is governable; a silent exclusion is not.

The fifth mistake is commissioning a report with no next action. A diagnostic should end with a decision: accept the risk, close a control gap, train the board, change a supplier term, pause a use case or fund a remediation sprint.

Next step

If you are not sure whether you need paid work yet, take the free Board AI Scorecard first. It gives the board a quick baseline across accountability, policy, risk, data and capability.

If your board already knows it needs an assessor-led view, start with the GovernIQ diagnostic. Bring three facts to the scoping call: where AI is already used, whether personal data is involved, and which board decision the report needs to support. If the board first needs a maturity baseline, read the AI readiness maturity assessment guide; if the gap is director fluency, start with AI board training in the UK.

If the scope is still unclear, book a short call and use it to decide whether a scorecard, Lite diagnostic, full diagnostic or roadmap is proportionate. The right price is the one attached to a clear evidence question.

Last reviewed: 18 June 2026.

Sources: DSIT AI regulation government response · ICO AI accountability and governance guidance · ISO/IEC 42001 · NIST AI RMF core · NCSC secure AI system development guidance · EU AI Act text

Tags: AI governance diagnostic · AI governance cost · board governance · AI assurance · GovernIQ
