Our Approach

Three ways to engage. The methodology stays the same.

Where we start depends on what you already know about your problem. How we build, how we govern, and how we run the engagement does not change.

How we engage

Pick the mode that fits where you are.

You bring a process

You know which workflow is eating hours. We scope it, build the agent, validate against your historical data, and hand it off.

You have a pain point

You know something is consuming senior time. You are not sure where to start. We diagnose first, build second.

You want advisory

You have AI deployed, or you are evaluating it. You want an honest read on whether what you have holds up.

When you already know which process needs fixing, we run a structured engagement aligned to DMAIC, the framework we bring from our Big 4 consulting experience.

Define. Scope the problem in measurable terms: cycle time, error rate, senior hours consumed, audit findings.

Measure. Baseline the current state with real data before we touch anything.

Analyze. Find the bottlenecks, the manual handoffs, the steps producing errors.

Improve. Build the agent. Deterministic backbone for the work with a right answer. A narrow AI layer for the parts that genuinely need language judgment. An audit-trail output layer that records every decision.

Control. Validate against your historical data. Document the system. Hand it off with a rule catalog, a limitations page, and a production gap list.

Typical timeline: 8 to 14 weeks from scoping call to handoff.

Define

Measure

Analyze

Improve

Control

When the problem is clear but the starting point is not, we embed with your team and run a process discovery before we build anything. The approach is what you would expect from a top-tier process-assessment engagement (Centric, Gartner, Blue Prism patterns).

Map workflows as they actually run. We walk the floor with the people doing the work, not with the documentation.

Identify bottlenecks: rework loops, manual handoffs, approval delays, error-prone steps, tasks that have clear rules but no automation.

Score each process on four dimensions: volume, complexity, business impact, automation feasibility. The processes with high volume, low complexity, and high error rates go first.

Produce a prioritized roadmap. The top two or three candidates become Phase 1 builds, each running the DMAIC lifecycle above.

Typical timeline: 2 to 3 weeks for the discovery, then 8 to 14 weeks per build.

When you have AI in production or under evaluation and you want to know whether the architecture, the governance, and the risk posture hold up, we run an assessment against the frameworks that already apply to your context.

Inventory. What AI systems exist. What they do. Who owns them. Including third-party AI embedded inside vendor products.

Governance assessment. Are roles, escalation paths, and decision rights documented and operational? Is the human-in-the-loop model tiered deliberately or by default?

Risk assessment against the standards that apply: NIST AI RMF, ISO 42001, COSO adapted for AI, or the IIA AI Audit Framework. We use whichever your organization already operates under, or recommend the best fit if you have not adopted one.

Gap analysis. Where the current architecture falls short. Which gaps carry the most risk. Which are cheapest to close.

Roadmap. Prioritized recommendations with effort bands and a suggested sequence.

Typical timeline: 3 to 6 weeks.

How we build

Five principles that shape every agent we ship.

These are architectural decisions made at scoping and held through the build. They map to the standards your auditor already knows.

Deterministic where possible

If a script can do the work reliably, the script does it. The AI handles only what genuinely needs language judgment — reading receipts, classifying documents, writing narrative around verified numbers. Everything else is engineering. The agent ends up faster, cheaper, and debuggable.

Mitigates OWASP LLM01 (prompt injection) by minimizing the AI attack surface

Flags only, never approvals

The agent surfaces. Your team decides. The audit trail names a person, not an algorithm. In finance and compliance, "AI approval" is a category error that creates exposure under audit. Our agents place items into queues. People work the queues.

Aligns with NIST AI RMF human-in-the-loop requirements

Read-only at the data layer

The agent reads your source data. It never writes to it. Decisions land in a separate store, linked to the source record. A bug can produce wrong flags. It cannot corrupt your ledger.

Aligns with ISO 42001 data integrity controls

Versioned rule catalogs

Your business rules live in versioned config files, not in code. Each rule has an ID, a description, a severity, and the logic that triggers it. When a regulation changes, the rule updates without a software deployment. The history stays preserved for audit.

Supports regulatory audit requirements for change traceability

Audit trails on every decision

Every flag the agent raises carries the rule that fired, the source evidence, the suggested remediation, and a timestamp. When the auditor asks why something was flagged, the answer is in the flag. Not in a spreadsheet. Not in someone's memory.

Aligns with NIST AI RMF transparency and COSO documentation requirements

Layer 5Audit trails on every decisionNIST transparency, COSO documentation

Layer 4Flags only, never approvalsNIST AI RMF human-in-the-loop

Layer 3Deterministic where possibleOWASP LLM01 compliance

Layer 2Versioned rule catalogsRegulatory change traceability

Layer 1Read-only at the data layerISO 42001 data integrity

↑ Data flows up. Trust builds at every layer.

Every decision traces to a named rule and a source quote.

Engagement model

What working with us actually looks like.

Qualify

Week 0

Discover

Weeks 1-2

Build

Weeks 3-12

Validate

Weeks 11-14

Handoff

Weeks 14-15

A 30-day stabilization window follows handoff. New scope gets its own envelope.

Pricing

We scope after a call

Every engagement is different. We do a 30-minute scoping call before we quote anything.

Contract

Plain terms

Scope, deliverables, timeline, data handling, stabilization, termination. No exotic structures.

Communication

Honest framing

Two-scenario estimates. Bad news travels at the same speed as good news. Decisions stay with you.

The estimate comes back within 48 hours of the call.

Every estimate has two scenarios. Scenario A: if the working assumptions hold. Scenario B: if a key dependency does not hold. The dependency is named so neither of us is surprised later.

The estimate separates Phase 1 (discovery) from Phase 2+ (build). Some clients commission only Phase 1 first, with a decision gate after.

If you need a rough size before a call to know whether this fits your budget, we can give you a band once we have heard the shape of the work.

Every engagement contract sets out: scope (what is in, what is out, what sits on the production gap list), deliverables by phase with named acceptance criteria, timeline with two-scenario framing, pricing (flat-fee or fixed-fee-per-phase), data handling provisions, the 30-day stabilization window, and termination clauses that protect both sides.

No innovation fees. No value-share structures. No retainer that grows quietly.

Every effort estimate ships with two scenarios. Every status report uses the same numbers across audiences, framed differently for context. If a program is two weeks behind, the report says two weeks behind, not "tracking to plan with minor adjustments."

Recommendations are explicit, but they remain recommendations. The decision belongs to you. We do not soften the trade-off to make our preferred answer easier to accept.

New scope gets its own envelope. "While you are in there" is a signal to write a change request, not to silently absorb the work.

Want to see this applied to your situation?

A 30-minute call. We listen, frame the problem in your vocabulary, and tell you whether it is something we should build for you.

Book a scoping call See recent work→