AI compliance starts with one question: which models actually run in your software, on what data, making which decisions? We surface every AI and LLM system in your code — including the shadow AI nobody reported — and map it to the laws that apply. The evidence base your counsel, board and regulator need.
One conversation. No pitch deck. We'll tell you if we can't help.
US AI regulation didn't arrive as one law. It arrived as a patchwork — Colorado, California, Texas and New York City each writing their own rules, each with their own notices, audits and assessments. Every one of them assumes you can answer the same first question: where does AI run in your software, and what does it touch?
None of these can be answered from a slide. They require a read of the code — one that's independent, defensible, and traceable to the commit.
Every model, API and LLM call in your stack. Which products use them, what data they touch, what decisions they produce. The inventory every AI law assumes you already have.
The model a team wired in last quarter. The AI buried three layers deep in a dependency. We find the systems that never made it onto a slide — usually where the exposure hides.
Where customer, financial and regulated data flows into model decisions. The map your CDO, audit committee and privacy counsel all need to answer a CPPA or GDPR question.
Which AI systems make decisions about people — hiring, lending, housing, insurance, education. The exact trigger for Colorado SB 205, NYC LL144 and California's automated-decision rules.
Your AI footprint mapped against Colorado, California, Texas, NYC and the EU AI Act — plus NIST AI RMF alignment. Surfaced from the code, not from a compliance questionnaire.
A signed, source-traced read your counsel can build notices, bias audits and risk assessments on — and a CEO can attest to. Independent, because it isn't your engineers grading their own homework.
The first comprehensive US state AI law. A duty of care against algorithmic discrimination for high-risk systems making consequential decisions. Read the Colorado breakdown →
AB 2013, the SB 942 AI Transparency Act, CPPA automated-decision rules, and frontier-model SB 53 — a stack of overlapping obligations. Read the California breakdown →
The Texas Responsible Artificial Intelligence Governance Act. Prohibited uses, intent-based standards, and Attorney General enforcement. Read the Texas breakdown →
The automated employment decision tool law. An independent bias audit, published results, and candidate notice before the tool can run. Read the NYC breakdown →
Read-only access to your codebase, dependencies and configuration. One 30-minute call. Your team keeps shipping — no engineering meetings required.
Deterministic analysis finds every model, API and LLM call. We trace data lineage into each one and flag the systems making consequential decisions about people.
A signed AI footprint and a regulatory-surface map by jurisdiction — the evidence base your counsel maps to obligations. Plus a continuous layer for the next question.
You're being asked which AI laws apply and you can't produce the notices or assessments without knowing what AI is actually in production. We give you the technical read to map.
The board has AI risk on the agenda and someone has to attest. An independent, code-level read is defensible in a way your own engineering team's summary isn't.
You're acquiring or funding a company and need its AI exposure mapped before you sign. Independence is the value, and it has to be designed in.
An independent, code-level read of your software that surfaces every AI and LLM system you actually run — which models, in which products, touching what data, making which decisions — and maps that footprint to the AI laws that apply to you. It's the evidence base regulators, auditors and boards ask for, built by reading the codebase directly, not from a questionnaire filled out from memory.
The rules most likely to reach an ordinary mid-market company are the ones about using AI: the Colorado AI Act (SB 205), California's AB 2013, SB 942 and CPPA rules, Texas's TRAIGA, and NYC Local Law 144 — plus the EU AI Act if you touch the EU market. The common thread: you can't produce the required notices, bias audits or risk assessments until you know which AI systems are in your code and what they touch.
Manual inventories catch what people remember to report; they miss the model a team wired in last quarter and the AI buried in a dependency. We read the code, package tree and integration points to find every AI and LLM call, API and library in use — including the ones that never made it onto a slide. That gap is usually where your real exposure sits.
When someone has to attest and a regulator may rely on it, an answer produced by the same team that built the systems isn't the strongest ground to stand on. An independent, code-level read is defensible precisely because it isn't the engineering team grading its own homework — it's evidence, traceable to the commit, that a board, auditor or regulator can trust.
This page is general information, not legal advice. AI statutes and their effective dates are moving targets; confirm what applies to you with your own counsel. We produce the technical read — the source-traced map of the AI in your code — that your counsel maps to the obligations that actually bind you.
Two weeks. Fixed price. Read-only. No meetings with your team. One conversation to start — we'll tell you if we can't help.