Enterprise AI is shipping faster than any regulated function can govern it.
Every material AI system now sits inside overlapping obligations — EU AI Act, NIST AI RMF, ISO/IEC 42001, SR 11-7, HIPAA, GDPR, and a growing patchwork of US state laws. The evidence to prove compliance lives across Jira, Confluence, MLflow, Databricks, GitHub, model cards, PDFs and Slack. Nothing binds it together, and nothing binds it to a specific inference call.
The state of the workflow today
What actually happens inside a Fortune 2000 company today.
- 01 A risk register in Excel
  The 'AI inventory' is a shared spreadsheet maintained by 1–3 people in the Model Risk Management team. It goes stale within 30 days of every quarter close. Coverage of shadow AI (LangChain prototypes, Copilot deployments, business-unit vendor tools) is estimated at 20–40%.
- 02 Controls mapped by consultants
  A Big Four engagement (typically $400K–$1.2M) maps EU AI Act Articles 9, 10, 13, 14 and 15 to internal controls once. The map is a PDF. It is not linked to any system that generates evidence.
- 03 Evidence collected by email
  Ahead of every audit, GRC analysts email ML leads asking for training-data lineage, bias test results, incident logs and human-oversight sign-offs. Cycle time: 6–14 weeks per audit. Rework rate: 40%+.
- 04 Model risk memos rewritten manually
  SR 11-7 validation memos are 40–120 page Word documents. Median regeneration time when a model is retrained: 3–5 weeks. Median retraining frequency for production ML: monthly.
- 05 No continuous monitoring tied to controls
  Fiddler, Arize and WhyLabs monitor drift and performance. None of them generates the evidence artifacts an ISO 42001 or EU AI Act Article 15 auditor requires.
Quantified pain
Where the money is bleeding.
- 7% of global revenue: maximum EU AI Act fine (Art. 99)
- $2.4M: average annual GRC labor on AI-specific controls (F500 estimate)
- 6–14 weeks: audit prep cycle, per framework, per year
- 42%: models missing documentation (McKinsey State of AI 2024 signal)
Why current solutions fail
This is not a category with an obvious incumbent — it's a category with obvious non-incumbents.
Legacy GRC (Archer, MetricStream, ServiceNow GRC, OneTrust)
Built around static controls, quarterly attestations and human workflow. No concept of a model version, an agent trace, a prompt-injection incident, or evidence tied to an inference. Retrofitting a GRC platform to AI is a 12–18 month professional-services engagement that still produces PDFs.
Model observability (Fiddler, Arize, WhyLabs, Datadog LLM)
Excellent at drift, latency, hallucination scoring. Zero coverage of policy, documentation, third-party model risk, or audit-ready evidence packages. They are inputs to governance, not governance.
AI-native governance (Credo AI, Holistic AI, Fairly)
Correct category, early execution. Heavy on questionnaire workflow and policy libraries; light on live evidence collection, agent runtime enforcement, and the SR 11-7 depth banks require. All are pre-Series-B and none own the auditor relationship.
Consulting (Big Four + boutique AI ethics)
Six-figure engagements producing static artifacts. Solves one point in time. Rebills on every framework change — which is the exact problem the buyer is trying to escape.