For CEOs & boards · AI governance

"Can I attest to my AI footprint?"

Independent codebase intelligence for board technology reviews and AI governance attestation. A continuous read of your stack — code, commits, tickets, roadmaps, ownership, data. It surfaces which models run where, on what data, making which decisions — before the board asks.

Get a Read → Two weeks · Fixed price · Read-only · No engineering meetings

One conversation. No pitch deck. We'll tell you if we can't help.

Why now

The board is asking. The regulator is next. Your CTO has a slide.

Board technology reviews used to be a quarterly check-in. They aren't anymore. AI risk has put a regulatory clock on the conversation, and audit committees, lenders and insurers are pulling the same questions forward. The CEO is being asked to attest to a footprint that lives in the code, not in the deck.

The board has an AI question on the agenda. What do you bring?
Your audit committee is asking which models touch customer data. You don't know.
The EU AI Act risk-tier obligations apply to a product you didn't realize used a high-risk model.
Your CTO is selling the board on an AI roadmap. You'd like a baseline that isn't a slide.
An acquirer is asking for a technology attestation as part of the sale process. You need a defensible read.
The roadmap your board approved twelve months ago doesn't match what got built.

Each of these requires a read that isn't your CTO's quarterly narrative. Independent codebase intelligence answers them on the board's clock.

What the read covers

Six dimensions of the picture the board needs.

AI Footprint

Which models run where. What data they touch. What decisions they produce. Built for board reporting and EU AI Act risk-tier obligations.

Decision Archaeology

Why each AI integration exists. The sequence of decisions that shaped the platform — surfaced from code, commits, tickets, PRDs and ownership, correlated over time.

Data Lineage to AI

What data flows into which model decisions. Where customer, financial and regulated data touch AI components. The map your CDO and audit committee both need.

Risk Tier & Regulatory Surface

EU AI Act risk tiering by product. NIST AI RMF alignment. SOC 2, GDPR and PCI gaps surfaced from the code, not from a compliance questionnaire.

Roadmap Drift & Capability Alignment

What the board approved twelve months ago versus what was actually built. Where the team and the plan align — and where they don't.

Technology Asset Valuation

Tech debt quantification by domain, in dollars and time. Knowledge concentration and key person risk. Architecture scalability against the strategic plan.

What you receive

The Five Stories. In board vocabulary.

Five questions the board needs answered. Each one a decision you can defend — with sources, traceable to the commit.

Architecture Story

What you actually have vs. what's in the strategic plan.

Knowledge Story

Who holds the keys. What breaks if they leave. Where the hero problem lives.

Risk Story

Technical debt, AI exposure, compliance gaps — quantified, ranked, mapped to your domains.

Velocity Story

Is engineering time going to the roadmap — or to maintenance nobody approved?

Investment Story

Is the strategic plan being executed — or is investment drifting somewhere nobody decided?

Plus: executive briefing, AI footprint, risk map, key person risk map, architecture dependency view, strategic options. And the continuous intelligence layer that stays live across your stack — in your reporting, in your developers' IDEs, in your PM tools, via MCP to your LLM.

Timeline

Two weeks. Board-ready by week two.

Week 0 · Connect

Read-only access

Read-only access to your codebase, commits, tickets, roadmaps and ownership signals. One 30-minute call. Your team keeps shipping.

Week 1 · Read

Precision, correlation, business decomposition

Deterministic static analysis surfaces what's there. Multi-source temporal correlation ties it together. Every finding maps to your domains and features.

Week 2 · Deliver

Signed read + intelligence layer

The signed Five Stories for your board. The continuous intelligence layer live in your stack, ready for the next question without another engagement.

Who this is for

Three meetings on your calendar this quarter.

Board technology review

The agenda has "AI risk" on it. You'd like to walk in with a baseline that's defensible — not the same narrative as last quarter.

Audit committee or LP update

Counsel, audit or lenders are asking attestable questions about AI footprint and technology risk. You need source-traced evidence, not a deck.

Strategic transaction prep

You're being asked for a technology attestation as part of a sale, a financing or a major customer contract. Independence is the value, and it has to be designed in.

AI readiness, answered

What a board needs to know about AI.

What is an AI footprint, and what is an AI readiness assessment?

Your AI footprint is the complete picture of where AI actually runs in your software — which models, in which products, touching what data, making which decisions. An AI readiness assessment surfaces that footprint from the code itself, then maps it to the questions a board, auditor, or regulator will ask. We build it by reading the codebase, dependencies, and configuration directly — not from a questionnaire your team fills out from memory.

How do you find “shadow AI” nobody reported?

Manual inventories catch what people remember to report; they miss the model a team wired in last quarter and the AI buried in a dependency. We read the code, package tree, and integration points to find every AI and LLM call, API, and library in use — including the ones that never made it onto a slide. That gap between the reported AI and the actual AI is usually where the board's real exposure sits.

Which AI regulations actually apply to my company?

US AI regulation has fragmented into a state-by-state patchwork — and it's moving, so we don't anchor anything to a single deadline. The rules most likely to reach an ordinary mid-market company are the ones about using AI: NYC Local Law 144 if you use automated tools in hiring, California’s AB 2013 and CPPA automated-decision rules, and Texas’s TRAIGA — plus the EU AI Act if you touch the EU market. The largest frontier-developer laws (California SB 53, New York’s RAISE Act) likely don’t bind you at all. The common thread underneath all of them: you can’t produce the required notices, bias audits, training-data summaries, or risk assessments until you know which AI systems are in your code and what they touch. We produce that read; your counsel maps it to the obligations that apply.

Why independent, instead of asking our own engineering team?

When the CEO has to attest and the board has to rely on it, an answer produced by the same team that built the systems isn’t the strongest ground to stand on. An independent, code-level read is defensible precisely because it isn’t the engineering team grading its own homework — it’s evidence, traceable to the commit, that a board, auditor, or acquirer can trust.

What we lead with

We lead with the read. Independent. Defensible. Yours. We deliver the map. Whether we ride along comes next.

What you do with the read is your call. If you want a partner on what to build next, modernization or strategic options — that's a different conversation, and we can have it. The independence of the read stays intact regardless — which is exactly why your board and your regulator can rely on it.