Trust Center

How the work is governed.

This page describes operating commitments, not certifications. Every statement is written to be verifiable by a client within their engagement — and to be quoted in a procurement review without our help.

§

Jain Atelier does not currently hold third-party attestations such as SOC 2 or ISO 27001. Formal certification is planned as engagement scale requires it. What follows is the practice's operating posture: commitments applied to every engagement, documented in engagement artifacts, and open to client verification at any time. We would rather state our posture precisely than imply assurance we have not earned — and we apply the same standard to every claim a vendor makes to us on your behalf.

Section 01 · Governance principles

Every system delivered or advised by the practice carries four things before it ships: a named business owner, a risk tier, a control set matched to that tier, and a review cadence. Governance artifacts — the ownership register, the tiering rationale, the control documentation — are deliverables of the engagement, not overhead beside it. Nothing ungoverned ships, including under deadline pressure; the gate exists precisely for the weeks when skipping it is tempting.

Engagement artifacts — Ownership register · Risk-tiering memo · Control matrix · Review calendar

Section 02 · Data handling

Client data remains in client infrastructure by default; the practice works inside your environment rather than extracting from it. Access granted to the principal is scoped to the engagement, time-bound, logged where the client's systems permit, and revoked at engagement close — with revocation confirmed in writing. No client data is used to train models, by the practice or, contractually, by vendors the practice configures. Data-residency requirements are honored architecturally — in where systems run and store — not merely contractually.

Engagement artifacts — Access scope memo · Close-out revocation confirmation · Vendor data-terms register

Section 03 · Security philosophy

Least privilege is the default in every design: for the systems built, for the integrations configured, and for the practice's own access. Secrets are managed, never shared in plain channels. Security review is a pre-deployment gate in the production path, not a post-launch audit. Infrastructure the practice configures is documented to a written baseline — the specific measures applied are recorded per engagement so the client's security team can verify rather than trust.

Engagement artifacts — Security baseline document · Pre-deployment review record

Section 04 · Human oversight model

Oversight is designed, not assumed. Each system's risk tier determines its oversight pattern: human-in-the-loop for consequential decisions, human-on-the-loop with sampled review for routine ones, bounded autonomy only where failure is reversible and contained. The oversight design names who reviews, with what authority — including the authority to halt the system — and is signed by the client sponsor before deployment. Reserved decisions — classes the client designates as never fully automated — are documented explicitly.

Engagement artifacts — Oversight design · Sponsor sign-off · Reserved-decisions statement

Section 05 · Deployment controls

Rollouts are staged, with rollback defined before launch, not improvised after. Pre-production gates cover security, data handling, performance, oversight readiness, and governance sign-off. Model, prompt, and configuration changes are versioned and logged — no silent swaps — and material changes trigger re-evaluation against the original acceptance criteria. The deployment discipline applied is the same one documented; there is no separate demo path and real path.

Engagement artifacts — Gate checklist · Change log · Rollback procedure

Section 06 · Auditability

Systems are built so their behavior is reconstructable: inputs, outputs, decisions, and human overrides are logged in client-owned storage. The design target is a specific scenario — an auditor, a regulator, or an acquirer asks what the system did in a given case and why, and the answer is produced from evidence, not memory. Audit logging is instrumented at build time; the practice treats retrofitted auditability as the contradiction it is.

Engagement artifacts — Logging design · Sample reconstruction walkthrough

Section 07 · Incident readiness

Every production system ships with its failure thinking done: documented failure modes, detection for them, an escalation path with named humans, a kill-switch confirmed to work, and a post-incident review template. Readiness is rehearsed with the client team before go-live — a response that exists only on paper is a plan to improvise. The practice's own engagement-level incidents follow the same discipline: disclosed promptly, documented, reviewed.

Engagement artifacts — Runbook · Kill-switch verification · Rehearsal record

Section 08 · Risk management

Each engagement maintains a living risk register spanning model risk (drift, deprecation, behavior change), data risk, vendor risk (terms, pricing, continuity), regulatory exposure, and operational dependency. The register is reviewed with the sponsor on a fixed cadence and survives the engagement — it is handed over as an operating document, because the risks do not end when the engagement does.

Engagement artifacts — Risk register · Review cadence record · Handover note

What this page is for. A procurement team should be able to lift any paragraph above into a vendor-assessment form and have it hold. A CISO should find the absence of inflated claims as informative as the presence of real ones. And a client six months into an engagement should recognize every commitment here as something they have already seen practiced. If any commitment on this page is not being met in your engagement, that conversation takes priority over every other piece of work: briefing@jainatelier.com.

Begin

Request an Executive Briefing.

A thirty-minute working conversation with the principal — no deck, no pitch. Where your organization sits on the maturity model, and whether an engagement is warranted.

The practice accepts a limited number of engagements per year