Vol. 1 — Apr 2026

AI governance, written like it goes to the board.

GovernAI is the AI governance module MSPs and vCISOs use to stand up an ISO 42001 / NIST AI RMF / EU AI Act program for an SMB client in 48 hours, then keep it continuously compliant for the price of a steakhouse lunch.

$99 — $199 / end-client / month

§ 01 Frameworks in scope

Five complete control libraries. Loaded the moment your tenant boots, joined to your client's AI inventory, kept current as the rules drift.

ISO-42001 · ISO/IEC 42001:2023
AI management system. The standard your enterprise clients ask for.
38 Annex A controls

NIST-AI-RMF · NIST AI RMF 1.0
Plus the GenAI Profile (NIST-AI-600-1). The U.S. baseline.
84 subcategories

EU-AI-ACT · EU AI Act
Deployer obligations + risk-tier mapping. Hot Aug 2026.
29 obligations

COLO-AI · Colorado AI Act
Effective Feb 2026. The first U.S. statewide AI law.
12 duties

NYC-LL-144 · NYC Local Law 144
Hiring AEDTs. Bias audit + candidate notice.
4 obligations

Phase 2: Texas TRAIGA · Illinois HB 3563 · California SB 1047 successor.

§ 02 How a vCISO runs an engagement

Three motions. Sonnet does the typing. You do the judgement.

  1. Pillar 1 · Inventory

    Discover every AI tool your client touches.

    Manual entry, CSV import, and Haiku auto-classification across the EU AI Act four-tier model. PII scrubbed before any model call.

    • Up to 50 systems / minute
    • Risk tier suggested
    • Provider · model · data flows
  2. Pillar 2 · Assess

    Sonnet runs the seven-dimension interview.

    A 30-minute conversational risk assessment over bias, hallucination, data leakage, IP, explainability, dependency, concentration. RAG over prior assessments — your team gets sharper per client.

    • 7 risk dimensions scored 0–5
    • pgvector top-K=8 retrieval
    • 1-hour cached prefix
  3. Pillar 3 · Govern

    Eight policies, footnoted to source, in two minutes.

    Acceptable Use, Procurement, Data Handling, Output Review, Model Lifecycle, Vendor, Incident, Board Oversight. Hallucination-checked. Signed-link employee acknowledgements.

    • Citations to control IDs
    • Diff between versions
    • SES-delivered ack links
§ 03 Output you can hand to the board

Every claim, cited.

Generated policies and board reports trace each assertion back to a real framework control. Haiku validates citations before publish. No hallucinated SOC 2 references.

  • 167 framework controls in DB
  • 8 policy templates, MSP-voice
  • <30s board PDF render

Acceptable Use Policy v3 — Acme Manufacturing

Your team must obtain explicit, line-of-business approval before connecting any generative AI tool to a customer dataset[1] — including evaluation tiers and free-tier consumer products[2].

Where an AI system processes personal data, the system must be classified at high or limited tier[3] with a documented data-flow review.

[1] ISO-42001 A.6.2.6 — Acceptable use
[2] NIST-AI-RMF GOVERN-2.1
[3] EU-AI-ACT Article 6

§ 04 Per end-client. Per month.
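The pre-publish citation check described above, as an added example that is not GovernAI's own code: every bracketed marker in a policy must resolve to a footnote, and every footnote must name a framework and control ID that exist in the loaded control library. The library below is a constructed stand-in (only the three control IDs cited in the sample policy come from the page; the rest are placeholders), and the second policy body and its footnotes are constructed to show the failure modes: an unknown framework (a hallucinated SOC 2 reference), an unknown control ID, a marker with no footnote, and a footnote nothing cites.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the product's control library (not on the page).
# A.6.2.6, GOVERN-2.1 and Article 6 are the IDs cited in the sample policy;
# the other entries are illustrative placeholders.
CONTROL_LIBRARY = {
    "ISO-42001": {"A.6.2.6", "A.6.2.2"},
    "NIST-AI-RMF": {"GOVERN-2.1", "GOVERN-1.1"},
    "EU-AI-ACT": {"Article 6", "Article 9"},
}

MARKER_RE = re.compile(r"\[(\d+)\]")                      # in-text markers such as [2]
FOOTNOTE_RE = re.compile(r"^\[(\d+)\]\s+(\S+)\s+(.+)$")   # "[n] FRAMEWORK control-id — title"
TITLE_SEP_RE = re.compile(r"\s+[\u2014\u2013-]\s+")       # separator before an optional title


@dataclass(frozen=True)
class Issue:
    footnote: int   # footnote / marker number the issue concerns (-1 for a malformed line)
    kind: str       # dangling_marker | unknown_framework | unknown_control | unused_footnote | malformed
    detail: str


def parse_footnotes(lines):
    """Return ({n: (framework, control_id)}, issues) for the footnote block."""
    parsed, issues = {}, []
    for line in lines:
        m = FOOTNOTE_RE.match(line.strip())
        if not m:
            issues.append(Issue(-1, "malformed", line.strip()))
            continue
        n, framework, rest = int(m.group(1)), m.group(2), m.group(3)
        # The control ID is everything before the title separator, e.g. "Article 6".
        control_id = TITLE_SEP_RE.split(rest, maxsplit=1)[0].strip()
        parsed[n] = (framework, control_id)
    return parsed, issues


def validate_citations(body, footnote_lines, library=CONTROL_LIBRARY):
    """Cross-check in-text markers against footnotes, and footnotes against the library."""
    footnotes, issues = parse_footnotes(footnote_lines)
    markers = {int(n) for n in MARKER_RE.findall(body)}
    for n in sorted(markers - set(footnotes)):
        issues.append(Issue(n, "dangling_marker", f"[{n}] is cited in the text but has no footnote"))
    for n, (framework, control_id) in sorted(footnotes.items()):
        if framework not in library:
            issues.append(Issue(n, "unknown_framework", f"{framework} is not a loaded framework"))
        elif control_id not in library[framework]:
            issues.append(Issue(n, "unknown_control", f"{framework} has no control {control_id!r}"))
        if n not in markers:
            issues.append(Issue(n, "unused_footnote", f"[{n}] is defined but never cited"))
    return issues


def publish_gate(body, footnote_lines, library=CONTROL_LIBRARY):
    """True only when the policy has no citation issues and may be published."""
    return not validate_citations(body, footnote_lines, library)


# Sample policy text taken from the page.
GOOD_BODY = (
    "Your team must obtain explicit, line-of-business approval before connecting any "
    "generative AI tool to a customer dataset[1] - including evaluation tiers and "
    "free-tier consumer products[2]. Where an AI system processes personal data, the "
    "system must be classified at high or limited tier[3] with a documented data-flow review."
)
GOOD_FOOTNOTES = [
    "[1] ISO-42001 A.6.2.6 \u2014 Acceptable use",
    "[2] NIST-AI-RMF GOVERN-2.1",
    "[3] EU-AI-ACT Article 6",
]

# Constructed draft with four citation defects.
BAD_BODY = (
    "Prompts containing customer data must be logged[1] and reviewed weekly[2]; vendors "
    "are screened under our SOC 2 program[3] and board reporting follows[4]."
)
BAD_FOOTNOTES = [
    "[1] ISO-42001 A.6.2.6 \u2014 Acceptable use",
    "[2] NIST-AI-RMF GOVERN-9.9",            # control ID not in the library
    "[3] SOC-2 CC6.1 \u2014 Logical access",  # framework not loaded at all
    "[5] EU-AI-ACT Article 6",               # defined but never cited
]

if __name__ == "__main__":
    print("good draft publishable:", publish_gate(GOOD_BODY, GOOD_FOOTNOTES))
    for issue in validate_citations(BAD_BODY, BAD_FOOTNOTES):
        print(f"[{issue.footnote}] {issue.kind}: {issue.detail}")
```

The check is deterministic and runs before any model-based review, so a reference to a framework that was never loaded (here the "SOC-2" footnote) is rejected by lookup rather than by asking a model whether it looks plausible.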

You bill the client. We bill you. The math works at one client and at fifty.

Starter

$99 / end-client / mo

For boutique vCISO practices spinning up their first AI program.

  • Up to 5 end-clients
  • All 5 frameworks
  • Standard policy templates
  • Email support

Most adopted

Growth

$199 / end-client / mo

For working MSPs with regulated SMB books — the default.

  • Unlimited end-clients
  • White-label PDFs
  • Custom brand voice
  • Slack support
  • Priority Bedrock quotas

Enterprise

Custom

Pax8 channel, SSO, SCIM, dedicated VPC, named architect.

  • Volume pricing ≥50 clients
  • Dedicated tenant
  • API & embed widget
  • Custom CNAME
  • Annual security review

Bedrock-priced; you keep the margin on retail.

The next time a client asks
“what about the EU AI Act?”
have an answer ready.

Aug 2 2026 — EU AI Act high-risk obligations effective.