AI Governance Advisory · Fractional AI DPO

The key to AI
governance you can
actually use.

Mid-market organizations face board-level AI risk without the expertise to manage it. Clavant delivers credentialed AI governance advisory — building programs, not just frameworks.

15+
Years GRC leadership
7
Active certifications
ISO
42001 · 27001 aligned
SOC 2 ISO 42001 ALIGNED NIST AI RMF FRAMEWORK EU AI ACT COMPLIANT HIPAA REGULATED Clarity. Control. Confidence.
What we do

AI governance that works
in the real world

Built on 15+ years of hands-on GRC program leadership — not consulting theory. Every service is designed for organizations that need governance they can actually implement and defend.

01

Fractional AI DPO

Ongoing AI governance oversight as a retained advisor — committee facilitation, risk register management, policy maintenance, regulatory monitoring, and incident escalation rights.

Ongoing oversight · Scales with your organization
Learn more →
02

AI Governance Program Buildout

End-to-end implementation of an ISO 42001-aligned AI Management System — use case register, risk register, policy framework, committee charter, and board reporting structure.

Full program delivered · ISO 42001 aligned
Learn more →
03

AI Readiness Assessment

A structured gap analysis against ISO 42001 and NIST AI RMF — delivering a scored maturity profile, prioritized remediation roadmap, and board-ready risk summary in 4–6 weeks.

Board-ready report · Delivered in 4–6 weeks
Learn more →
04

Board & Executive Advisory

Quarterly board AI risk briefings, audit committee presentations, and executive AI literacy sessions that translate technical risk into business language your board can act on.

Executive-ready · Translates risk into business language
Learn more →
05

EU AI Act Compliance

Navigate EU AI Act obligations — high-risk AI classification, conformity assessment, technical documentation, and registration requirements for US organizations operating in Europe.

High-risk AI classification · US organizations operating in Europe
Learn more →
06

AI Vendor Risk Assessment

Structured evaluation of third-party AI vendors across 7 risk domains — data governance, security, model transparency, legal protections, and regulatory compliance.

42-question framework · 7 risk domains · Scored output
Learn more →
"AI governance isn't a compliance exercise — it's a leadership decision. The organizations that get this right won't just avoid risk. They'll move faster, earn more trust, and build AI programs that last."
EDDIE TALIAFERRO · FOUNDER, CLAVANT AI GOVERNANCE
Why Clavant

Built from the inside out

01

Real programs, not frameworks

Clavant was founded by someone who has actually built AI governance programs — chaired an AI Governance Committee, authored ISO 42001-aligned policies, and managed real incidents. Not a framework exercise.

02

The credential stack no one else has

CISA · CRISC · CCISO · CIPM · ISO 27001 Lead Implementer · PhD Candidate in AI. Very few advisors hold this combination — none with hands-on AIMS program buildout experience.

03

Mid-market priced, enterprise-grade

Big 4 firms charge $300–$800/hr and aren't available to mid-market. Clavant delivers senior-level AI governance expertise at a price point your organization can sustain.

04

Regulatory fluency, not just awareness

EU AI Act. NIST AI RMF. ISO 42001. HIPAA. UK GDPR. These aren't buzzwords — they're the frameworks your board will be questioned on. Clavant speaks all of them.

How it works

Register. Monitor. Intervene.

The three-word mandate that drives every Clavant engagement. Simple enough to explain to a board. Rigorous enough to defend to a regulator.

01

Discovery Call

A free 60-minute AI governance maturity briefing. No pitch — just an honest assessment of where you stand and what matters most.

02

SOW & Engagement

A tailored Statement of Work within 48 hours of your discovery call. Clear scope, defined deliverables, transparent pricing. No surprises.

03

Program Buildout

Kickoff workshop within 5 business days. AI inventory, risk register, policies, and committee in motion within 10 weeks.

04

Ongoing Governance

Monthly retainer rhythm: committee facilitation, risk reviews, regulatory monitoring, board briefings, and incident escalation — every month, reliably.

Outcomes

What governance looks like
when it actually works

10wks
From kickoff to fully operational AI Governance Committee with charter, register, and policy framework in place.
100%
Target AI system registration coverage within 90 days of engagement start — every system governed, none operating in shadow.
72hr
Incident escalation guarantee. When something goes wrong with an AI system, Clavant is reachable and responsive — always.
Most organizations are deploying AI faster than they can govern it. The risk isn't that AI will fail — it's that no one will know until it does. Clavant exists to close that gap.
Eddie Taliaferro
Founder · Clavant AI Governance
CISA · CCISO · CIPM · ISO 27001 LI · PhD Candidate in AI
Free resource

The AI Governance
Readiness Checklist

A practical 25-point checklist for GRC leaders, General Counsels, and CROs — assess your organization's AI governance posture in under 30 minutes.

No spam. Unsubscribe anytime. Your information is never shared.

Services

AI governance advisory
built for the mid-market

Every service is grounded in real program buildout experience, aligned to ISO 42001 and NIST AI RMF, and designed to give your organization defensible governance — not just documentation.

Retainer Services

Fractional AI DPO
— three tiers

Monthly retainer engagements that give your organization a dedicated AI governance partner without the cost of a full-time hire.

Essentials
$10,000
PER MONTH · MINIMUM 6 MONTHS
Monthly AI Governance Committee facilitation
Quarterly AI Risk Register review
Policy maintenance & updates
Monthly regulatory monitoring digest
Up to 8 advisory hours per month
Comprehensive
$20,000
PER MONTH · MINIMUM 6 MONTHS
Everything in Standard
Monthly board/exec reporting
EU AI Act compliance support
Unlimited AI system approvals
M&A AI due diligence (1× /yr)
Unlimited advisory access

One-time program buildouts: $50K–$150K · AI readiness assessments: $15K–$40K · Board sessions: $5K–$10K / session

Next step

Book a call. Receive your SOW
within 48 hours.

Discovery call → tailored proposal → Statement of Work → kickoff within 5 business days. That's the Clavant process.

About

Built from the inside out

Clavant was founded by someone who has actually built AI governance programs — not just advised on them.

Eddie Taliaferro, Founder of Clavant AI Governance
Eddie Taliaferro
FOUNDER & PRINCIPAL · CLAVANT AI GOVERNANCE
Founder

Eddie Taliaferro

CISA CRISC CCISO CIPM ISO 27001 LI PhD Candidate — AI

AI governance has become a board-level imperative. Yet most mid-market organizations are left navigating ISO 42001, the NIST AI RMF, and the EU AI Act without a credible guide.

I founded Clavant to close that gap. My background spans 15+ years in GRC and information security leadership across healthcare, financial services, and SaaS — including building NetSPI's AI governance program from the ground up: committee charter, ISO 42001-aligned policies, AI use case inventory, and DPO escalation protocols.

The word Clavant is derived from clavis — Latin for key. Every organization deserves a key to AI governance they can actually use: clear frameworks, defensible controls, and confidence in front of regulators and boards.

Philosophy

Register. Monitor. Intervene.

Three words that govern every Clavant engagement. Simple enough to explain to a board. Rigorous enough to satisfy a regulator. Practical enough to implement in the real world.

Resources

Practical AI governance
intelligence

Frameworks, guides, and regulatory briefings for GRC leaders, General Counsels, and executives navigating AI governance.

Featured free resource

AI Governance
Readiness Checklist

A 25-point checklist for GRC leaders and executives — assess your organization's AI governance posture in under 30 minutes. Aligned to ISO 42001, NIST AI RMF, and EU AI Act.

Insights

AI governance intelligence
for decision-makers

⚖️
EU AI ACT
EU AI ACT

What Your Board Needs to Know About the EU AI Act in 2026

The EU AI Act is in force. High-risk AI provider obligations are effective August 2026. Here's what US organizations need to do now.

8 min read
📋
ISO 42001
ISO 42001

ISO 42001 vs NIST AI RMF: Which Framework Does Your Organization Need?

A practical comparison for GRC leaders — when to use each, how they complement each other, and which matters most for your regulatory context.

6 min read
📊
RISK MANAGEMENT
RISK MANAGEMENT

The AI Risk Register: Why Spreadsheets Aren't Enough

Most organizations try to manage AI risk in a spreadsheet. Here's why that fails at scale and what a defensible AI risk register actually looks like.

5 min read
🔍
COMPLIANCE
COMPLIANCE

Shadow AI: The Governance Risk Your Board Doesn't Know About

Employees are using unauthorized AI tools at a rate that surprises most executives. Here's how to measure the exposure and close the gap.

7 min read
🏛️
GOVERNANCE
GOVERNANCE

Building an AI Governance Committee That Actually Works

The Register, Monitor, Intervene mandate — and how to structure a committee that doesn't become another compliance checkbox.

6 min read
🏥
REGULATORY
REGULATORY

HIPAA and AI: What Healthcare Organizations Need to Know

AI systems processing protected health information create obligations most healthcare organizations haven't mapped yet. A practical guide.

9 min read
Template library

Professional AI governance templates

AI Usage Policy · AI Risk Register · Maturity Assessment · Committee Charter · Board Briefing · Vendor Risk Assessment — available to Clavant retainer clients.

Contact

Book your free
discovery call

A 60-minute AI governance briefing — no pitch, no commitment. Pick a time that works for you and we'll come prepared.

Step 1 — Pick a time

Free 60-Minute Discovery Call

Choose a slot directly from the calendar. You'll get an instant confirmation and a calendar invite. Video or phone — your choice.

Mon – Fri · 9 AM – 5 PM ET
Evenings by Request
Zoom · Teams · Phone

Instant confirmation · No credit card required

OR

Send a message instead

Prefer to reach out first? Fill this in and we'll reply within 1 business day to schedule your call.

No spam. Your information is never shared.

Contact details

Email
hello@clavant.com
Response time
Within 1 business day
Based in
Flint, Michigan · Serving clients nationwide
What happens after your call
1
60-minute discovery call
Honest assessment of your AI governance posture — no sales pitch.
2
Tailored proposal within 48 hours
Clear scope, defined deliverables, transparent pricing.
3
Kickoff within 5 business days
SOW signed, engagement starts, governance program in motion.
EU AI Act · Compliance · Regulatory
EU AI ACT

What Your Board Needs to Know About the EU AI Act in 2026

June 2026 8 min read By Eddie Taliaferro, CISA · CCISO · CIPM

The EU AI Act is in force. High-risk AI provider obligations are effective August 2026. Here's what US organizations need to do now.

LISTEN TO ARTICLE
What Your Board Needs to Know About the EU AI Act in 2026
Ready 8 min read

Why this matters even if you're based in the US

The EU AI Act applies to any organization that deploys or provides AI systems used in the European Union — regardless of where that organization is headquartered. If your company has EU customers, EU employees, or AI systems that produce outputs affecting EU residents, the Act applies to you. The extraterritorial reach mirrors the model established by GDPR, and enforcement will follow the same pattern: regulators will pursue organizations with EU market presence first.

The timeline you need to know

The Act entered into force in August 2024. Most obligations follow a phased implementation schedule. Prohibited AI practices — systems that manipulate behavior, exploit vulnerabilities, or conduct unauthorized biometric surveillance — became enforceable in February 2025. High-risk AI system obligations, which affect the broadest range of commercial deployments, become enforceable in August 2026. General-purpose AI model rules, which cover systems like large language models used in commercial products, became effective in August 2025.

What counts as high-risk

The Act classifies AI systems as high-risk based on the domain in which they operate and the potential for harm to fundamental rights. High-risk categories include AI used in hiring and employment decisions, credit scoring and financial services, educational assessment, healthcare diagnosis and treatment, law enforcement, critical infrastructure management, and systems that determine access to essential public services. If your organization uses AI in any of these domains — including third-party AI tools used for these purposes — you are likely subject to high-risk obligations.

This is the classification question your board should be asking right now: which AI systems we currently use or deploy would be classified as high-risk under the Act? Most organizations cannot answer this question because they have not completed an AI system inventory. That gap is itself a compliance risk.

What high-risk providers must do

Organizations that provide high-risk AI systems face the most substantial obligations. They must implement a quality management system covering the AI development lifecycle, conduct conformity assessments before market placement, register systems in the EU AI Act database, prepare technical documentation demonstrating conformity, and establish post-market monitoring processes. Human oversight mechanisms must be embedded in the system design itself — not bolted on afterward.

Organizations that deploy high-risk AI systems developed by others carry a different but still significant set of obligations. Deployers must conduct fundamental rights impact assessments, implement human oversight, maintain usage logs for a minimum of six months, and report serious incidents to national authorities.

The board conversation you need to have

EU AI Act compliance is not an IT project. It is a governance question that requires board-level attention for three reasons. First, the penalties for non-compliance are material: up to €35 million or 7% of global annual turnover for prohibited practice violations, and up to €15 million or 3% for other violations. Second, compliance requires decisions about which AI systems to continue using and which to modify or retire — decisions with significant business implications. Third, the Act's transparency and accountability requirements will be visible to customers, partners, and regulators in ways that affect market position.

Your board should be asking: Which of our AI systems would be classified as high-risk? Have we completed a fundamental rights impact assessment for those systems? Do we have the technical documentation required for conformity assessment? Is our AI governance program capable of supporting ongoing compliance obligations?

Where to start

The most urgent first step is an AI system inventory. You cannot assess your compliance posture without knowing what AI systems your organization uses, who uses them, for what purpose, and whether any qualify as high-risk under the Act's classification framework. This inventory should cover internally developed systems, third-party AI tools, and AI embedded in enterprise software platforms — the last category being the most commonly overlooked.

Once you have an inventory, the next step is a classification assessment against the Act's risk categories. For systems that qualify as high-risk, a gap analysis against the applicable requirements will define your compliance roadmap. Organizations with August 2026 deadlines for high-risk obligations have a narrow window to complete this work.

Clavant conducts EU AI Act readiness assessments specifically designed for US organizations with EU market exposure. If your organization has not yet assessed its EU AI Act posture, that work should begin now.

Ready to act on this?

Book a free 60-minute discovery call

No pitch, no commitment — just an honest conversation about where your organization stands.

ISO 42001 NIST AI RMF vs Framework Comparison · Standards · GRC
ISO 42001

ISO 42001 vs NIST AI RMF: Which Framework Does Your Organization Need?

May 2026 6 min read By Eddie Taliaferro, CISA · CCISO · CIPM

A practical comparison for GRC leaders — when to use each, how they complement each other, and which matters most for your regulatory context.

LISTEN TO ARTICLE
ISO 42001 vs NIST AI RMF: Which Framework Does Your Organization Need?
Ready 6 min read

Two frameworks, two different purposes

ISO 42001 and the NIST AI Risk Management Framework are the two most widely referenced AI governance standards in commercial use today. They are not competitors — they address different organizational needs and operate at different levels of specificity. Understanding the distinction is the first step toward choosing the right foundation for your AI governance program.

ISO 42001 is a management system standard. Like ISO 27001 for information security, it specifies the requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS). It is auditable, certifiable, and designed to produce documented evidence of governance. Organizations that achieve ISO 42001 certification can demonstrate to customers, regulators, and partners that their AI governance meets an internationally recognized standard.

The NIST AI RMF is a voluntary framework. Published by the National Institute of Standards and Technology in January 2023, it provides guidance — not requirements — organized around four functions: Govern, Map, Measure, and Manage. It is designed to be flexible and adaptable to any organization size, sector, or AI use case. There is no certification, no audit, and no pass/fail outcome. It is a structured way of thinking about AI risk.

When ISO 42001 is the right choice

ISO 42001 is the right primary framework when your organization needs to demonstrate AI governance to external parties. If your customers are asking for evidence of AI governance in vendor due diligence, if your sector is likely to face regulatory requirements aligned to international standards, or if you operate in markets where ISO certification carries weight — particularly in Europe, the Middle East, and increasingly in Asia-Pacific — ISO 42001 provides a credible, auditable response.

It is also the right choice if your organization already operates within an ISO management system environment. Organizations with ISO 27001 or ISO 9001 certifications will find the structure of ISO 42001 immediately familiar. The clause structure, annex approach, and audit methodology are consistent across ISO management system standards, which significantly reduces implementation effort.

When NIST AI RMF is the right choice

The NIST AI RMF is the right starting point when your primary audience is US-based and your goal is to build internal AI risk management capability rather than achieve external certification. It is widely referenced by US federal agencies, used in US government procurement requirements, and cited in emerging US state AI legislation. If your organization serves the US federal government or operates in sectors with NIST-aligned regulatory expectations — financial services, healthcare, critical infrastructure — the RMF provides the right vocabulary and structure.

The RMF is also well-suited for organizations in early stages of AI governance maturity. Its flexibility and lack of certification requirements make it a lower-friction starting point than a full ISO 42001 implementation. Many organizations use the RMF to build foundational practices and then layer ISO 42001 requirements on top as their program matures.

The case for using both

The most robust AI governance programs use both frameworks in combination. The NIST AI RMF's GOVERN function maps closely to ISO 42001's leadership and organizational context requirements. The MAP function aligns with ISO 42001's risk assessment and AI system inventory requirements. MEASURE aligns with performance evaluation and monitoring. MANAGE aligns with risk treatment and continual improvement.

Building your program on the NIST AI RMF's conceptual structure while implementing controls that meet ISO 42001's requirements gives you the best of both: a flexible, risk-based approach to AI governance with the option to pursue certification when the time is right.

The practical question for your organization

Start with three questions. First, do your customers, regulators, or partners require or request evidence of AI governance that an ISO 42001 certification would satisfy? Second, does your organization already operate within an ISO management system? Third, is your primary regulatory environment US-centric or international? The answers will point clearly toward one framework as your primary foundation — and toward the other as a complementary reference.

If you are unsure how to answer these questions for your specific context, that uncertainty is itself a signal that an AI governance assessment is the right first step.

Ready to act on this?

Book a free 60-minute discovery call

No pitch, no commitment — just an honest conversation about where your organization stands.

HIGH MED LOW LOW MED-L MED-H HIGH SPREADSHEET NOT DEFENSIBLE AI Risk Register · Risk Management · Compliance
RISK MANAGEMENT

The AI Risk Register: Why Spreadsheets Aren't Enough

May 2026 5 min read By Eddie Taliaferro, CISA · CCISO · CIPM

Most organizations try to manage AI risk in a spreadsheet. Here's why that fails at scale and what a defensible AI risk register actually looks like.

LISTEN TO ARTICLE
The AI Risk Register: Why Spreadsheets Aren't Enough
Ready 5 min read

The spreadsheet problem

When organizations first attempt to document AI risk, the instinct is to open a spreadsheet. It is familiar, accessible, and requires no new software. A GRC leader or compliance manager builds a tab with columns for system name, risk description, likelihood, impact, and owner. It gets shared in a Teams channel. For six months, nothing happens to it.

This pattern is nearly universal, and it fails for predictable reasons. Spreadsheets have no workflow — a risk identified in column F has no mechanism to trigger a remediation task, escalate to a risk owner, or notify a committee. They have no version control — when someone edits a cell, the previous state is gone unless someone remembered to save a copy. They have no access controls — everyone with the link can edit everything. And they have no audit trail — when a regulator asks who reviewed a risk assessment and when, the spreadsheet cannot answer.

What a defensible AI risk register actually requires

A defensible AI risk register is one that you could present to a regulator, an auditor, or a board member and answer three questions with documented evidence: What AI systems does your organization operate? What risks have you identified for each system? What have you done about those risks, and when?

Meeting this standard requires five structural elements that spreadsheets cannot reliably provide. First, a linked AI system inventory — each risk entry must be traceable to a specific, documented AI system with a defined owner, purpose, and deployment context. Second, a consistent risk taxonomy — likelihood and impact ratings must be applied consistently across all entries using defined scales, not subjective judgment varying by contributor. Third, an audit trail — every change to a risk entry, every status update, every review must be timestamped and attributed to a named individual. Fourth, a workflow — risk treatment tasks must generate assignments, deadlines, and escalation paths. Fifth, a review cadence — the register must document when it was last reviewed, by whom, and what changed.

The ISO 42001 requirement

ISO 42001 requires organizations to identify and assess AI-specific risks as part of their AI Management System. Clause 6.1 requires a documented risk assessment process with defined criteria for risk acceptance. The standard does not prescribe a tool, but it does require that the process be repeatable, documented, and subject to regular review. A spreadsheet maintained inconsistently by one person does not meet this requirement in practice, even if no specific tool is mandated.

What good looks like in practice

Organizations with mature AI risk registers maintain a structured inventory of AI systems that feeds directly into the risk register — every system in scope has corresponding risk entries. Risk owners receive automated reminders when treatments are due or when risks require re-review. The committee reviews a dashboard view of the register at each meeting, with changes since the last review highlighted. When a new AI system is proposed for deployment, a risk assessment is a required step in the approval workflow before deployment is authorized.

This is the Register, Monitor, Intervene mandate in practice. Register: every AI system is documented. Monitor: risks are reviewed on a defined schedule. Intervene: when a risk exceeds the acceptance threshold or a treatment is overdue, the governance structure escalates and acts.

Getting from spreadsheet to defensible register

The transition does not require expensive software. It requires three things: a defined AI system inventory process, a consistent risk taxonomy applied across all entries, and a governance cadence that treats the register as a living document rather than a filing artifact. Many organizations accomplish this in Notion, Airtable, or a purpose-built GRC tool, depending on their existing technology environment and compliance requirements.

The most important shift is cultural, not technical. The AI risk register must be treated as an operational governance tool — reviewed at every committee meeting, updated when AI systems change, and referenced in every AI deployment decision. The moment it becomes a document that exists to satisfy auditors rather than to inform decisions, its value collapses.

Ready to act on this?

Book a free 60-minute discovery call

No pitch, no commitment — just an honest conversation about where your organization stands.

AUTH ? ? UNGOVERNED Shadow AI · Data Exposure · Compliance Risk
COMPLIANCE

Shadow AI: The Governance Risk Your Board Doesn't Know About

April 2026 7 min read By Eddie Taliaferro, CISA · CCISO · CIPM

Employees are using unauthorized AI tools at a rate that surprises most executives. Here's how to measure the exposure and close the gap.

LISTEN TO ARTICLE
Shadow AI: The Governance Risk Your Board Doesn't Know About
Ready 7 min read

What shadow AI is and why it proliferates

Shadow AI refers to the use of AI tools by employees without organizational knowledge, approval, or governance oversight. It is the AI equivalent of shadow IT — the unauthorized software and cloud services that proliferated in enterprises before IT governance caught up with user behavior. And like shadow IT before it, shadow AI is spreading faster than most organizations realize.

The proliferation is driven by the same forces that always drive shadow technology adoption: organizational AI governance processes are slow, approval cycles are long, and employees have immediate productivity needs. When a marketing manager can accomplish in twenty minutes with an AI writing tool what previously took two hours, the motivation to wait for IT approval is minimal — especially when the tool is free, accessible from a personal browser, and leaves no obvious trace in corporate systems.

The scale of the problem

Recent workforce surveys consistently find that a substantial majority of employees in knowledge-worker roles use AI tools that their employers have not formally approved. Estimates vary by sector and methodology, but figures above 60% are common in technology, professional services, and financial services. The rate is lower in heavily regulated industries like healthcare and financial services — not because employees are less inclined to use AI tools, but because data handling awareness is higher and the perceived risk of unauthorized tool use is more salient.

The more revealing data point is the gap between what employees report using and what their IT or security departments believe is in use. In most organizations, that gap is large. Executives routinely underestimate shadow AI prevalence by a factor of two or more.

Why it creates governance risk

Shadow AI creates risk across four dimensions. The first is data exposure. When employees use consumer AI tools for work tasks, they frequently input sensitive information: customer data, financial projections, legal documents, intellectual property, personally identifiable information. Many consumer AI platforms use user inputs to train their models unless users opt out — an opt-out that most employees are unaware of and have not exercised. The result is organizational data flowing into third-party AI systems with no data processing agreement, no security assessment, and no visibility to the organization's privacy or security teams.

The second dimension is output reliability. AI systems produce outputs that can be confidently wrong. Employees using unauthorized tools without governance oversight may act on those outputs without the verification processes that an approved, governed AI system would require. The errors are invisible until they cause harm.

The third dimension is regulatory exposure. Under GDPR, UK GDPR, HIPAA, and emerging AI-specific regulations, organizations are responsible for how personal data is processed — including processing by AI tools used by their employees, regardless of whether those tools were officially authorized. "We didn't know employees were using it" is not a defense that regulators accept.

The fourth dimension is the governance gap itself. An AI governance program that does not account for shadow AI is measuring the wrong population. Risk registers and use case inventories that capture only approved AI systems may represent a minority of the actual AI activity occurring in the organization.

How to measure your organization's shadow AI exposure

Start with a workforce survey that asks directly about AI tool usage — not about approved tools, but about any AI tools used for work tasks in the past month. Design the survey to minimize social desirability bias by framing it as a capability assessment rather than a compliance audit. The gap between survey results and your approved AI inventory is your shadow AI exposure baseline.

Layer in network and endpoint data if your security infrastructure supports it. DNS query logs, web proxy data, and browser extension inventories can identify AI platform domains that are not in your approved tool list. This approach has better coverage than surveys but requires security team involvement and may require privacy notice updates depending on your jurisdiction.

Closing the gap without closing the door

The governance response to shadow AI is not prohibition — it is friction reduction combined with oversight. Employees use unauthorized tools because authorized tools are unavailable, slow to approve, or unknown. The most effective interventions address each of these causes directly.

Establish a fast-track AI tool review process that can assess and approve low-risk AI tools within two weeks. Publish an approved AI tools list that is easy to find and regularly updated. Create a lightweight self-service request process for new tool requests. And establish a safe-to-report culture where employees who have been using unauthorized tools can disclose without fear of disciplinary action — the disclosure itself is the governance outcome you want.

Shadow AI is a symptom of governance friction, not malicious intent. Organizations that address the friction will reduce the shadow — and gain visibility into the full scope of their AI use in the process.

Ready to act on this?

Book a free 60-minute discovery call

No pitch, no commitment — just an honest conversation about where your organization stands.

BOARD OVERSIGHT AI GOVERNANCE COMMITTEE REGISTER · MONITOR · INTERVENE LEGAL / PRIVACY SECURITY / GRC BUSINESS UNITS IT / ENGINEERING AI DPO / ADVISOR AI Governance Committee · Structure · Charter
GOVERNANCE

Building an AI Governance Committee That Actually Works

April 2026 6 min read By Eddie Taliaferro, CISA · CCISO · CIPM

The Register, Monitor, Intervene mandate — and how to structure a committee that doesn't become another compliance checkbox.

LISTEN TO ARTICLE
Building an AI Governance Committee That Actually Works
Ready 6 min read

Why most AI governance committees fail

The most common failure mode for AI governance committees is not lack of authority — it is lack of operational connection. A committee that meets quarterly to review a static risk report and approve policies that no one reads is a governance theater performance. It generates documentation. It does not generate governance.

The second most common failure mode is over-engineering. Organizations that attempt to build a twelve-member committee with a forty-page charter, six subcommittees, and a forty-five-day approval process for any AI tool will find that the business routes around them. Speed-to-market pressure is real. A governance structure that cannot respond in days — not months — will be circumvented, not reformed.

The committee structure that actually works is lean, operationally connected, and built around a simple mandate that every member can articulate and act on.

The Register, Monitor, Intervene mandate

Register. Monitor. Intervene. These three words define the operational mandate for an effective AI governance committee, and they are simple enough to survive translation across organizational levels — from board presentation to department head briefing to individual contributor onboarding.

Register means every AI system in use by the organization is documented in an AI use case register before it is deployed. No AI system operates in governance shadow. The register captures the system's purpose, owner, data inputs, risk classification, and approved use boundaries.

Monitor means the committee reviews the register on a defined cadence, tracks risk treatment progress, receives alerts on significant changes to AI systems or their risk profiles, and maintains visibility into the regulatory environment that affects each system.

Intervene means the committee has the authority and the operational pathway to pause, modify, or retire AI systems that exceed risk thresholds, violate policy, or trigger incident response. Authority without a mechanism to exercise it is not governance — it is aspiration.

The right committee structure

An effective AI governance committee for a mid-market organization typically has five to seven members. The chair should be a senior executive — ideally the Chief Risk Officer, Chief Legal Officer, or equivalent — with organizational authority to make binding decisions. Members should include representatives from legal and compliance, information security, the business unit with the highest AI deployment volume, IT or engineering, and either an independent AI governance advisor or a data privacy officer.

Each member should have a defined role, not just a seat. The legal and compliance representative owns regulatory monitoring and policy maintenance. The security representative owns AI vendor risk and system security controls. The business unit representative owns the use case register for their domain and serves as the intake point for new AI system requests. The IT or engineering representative owns technical controls and integration approvals.

Meeting cadence and operating rhythm

Monthly meetings work better than quarterly for organizations with active AI deployment programs. The agenda should follow a consistent structure: risk register review (what changed since last meeting and why), new AI system approvals (requests in queue, decisions made), regulatory update (what changed in the regulatory environment), and open items from prior meetings. Meetings should last sixty to ninety minutes. If they consistently run longer, the agenda is too broad or the register is not well-maintained between meetings.

Between meetings, the committee chair or a designated AI governance function should maintain the register, respond to time-sensitive approval requests, and monitor for regulatory or incident triggers that require an emergency meeting.

The charter design principle

The committee charter should be short enough to read in ten minutes and specific enough to answer three questions without ambiguity: What does this committee have the authority to decide? What decisions require escalation to the board? What triggers an emergency meeting? A charter that cannot answer these questions quickly will not be consulted when decisions need to be made quickly.

The charter should explicitly define the AI system approval process — the steps a new AI system must complete before deployment authorization, including risk classification, security review, legal review, and committee approval. This process is the committee's most operationally important function. Getting it right, and keeping it fast enough to be useful, is the design challenge that distinguishes effective AI governance from compliance theater.

Ready to act on this?

Book a free 60-minute discovery call

No pitch, no commitment — just an honest conversation about where your organization stands.

PHI DATA FLOW HIPAA ! HIPAA · Healthcare AI · Regulatory Compliance
REGULATORY

HIPAA and AI: What Healthcare Organizations Need to Know

March 2026 9 min read By Eddie Taliaferro, CISA · CCISO · CIPM

AI systems processing protected health information create obligations most healthcare organizations haven't mapped yet. A practical guide.

LISTEN TO ARTICLE
HIPAA and AI: What Healthcare Organizations Need to Know
Ready 9 min read

Why HIPAA and AI intersect in ways organizations underestimate

HIPAA was written before large-scale AI deployment in healthcare was a practical reality. The statute does not mention artificial intelligence. The implementing regulations — the Privacy Rule, Security Rule, and Breach Notification Rule — were designed for a world of electronic health records, not for a world in which AI systems analyze clinical notes, predict patient deterioration, match patients to clinical trials, and generate discharge summaries.

This regulatory gap creates two risks. The first is that healthcare organizations assume AI tools fall outside HIPAA's scope because the regulation does not explicitly address them. This assumption is incorrect. HIPAA's applicability is determined by what information the AI system processes and who uses it — not by what category of technology it is. The second risk is that organizations assume their AI vendor relationships are covered by their existing business associate agreement frameworks without reviewing whether those agreements address AI-specific risks. They often do not.

When an AI system is subject to HIPAA

An AI system is subject to HIPAA when it creates, receives, maintains, or transmits protected health information on behalf of a covered entity. This includes clinical decision support tools that analyze patient records, AI-assisted diagnostic systems, patient communication platforms using AI, revenue cycle AI tools that process claims data, and any AI system that ingests, generates, or stores data that includes individually identifiable health information.

The covered entity remains the accountable party under HIPAA regardless of whether the AI system is developed internally or purchased from a vendor. When a healthcare organization deploys a third-party AI tool that processes PHI, the vendor becomes a business associate and must execute a business associate agreement that covers the AI-specific uses of that data.

The business associate agreement gap

Standard BAA templates were not designed with AI in mind. Most existing BAAs address data access, breach notification, and basic security requirements — they do not address whether the vendor uses PHI to train AI models, what happens to PHI-derived insights after the contract ends, whether the AI system's outputs may be used for purposes beyond the contracted service, or what oversight mechanisms the vendor has for AI system accuracy and bias.

Healthcare organizations that have deployed AI tools under standard BAAs should review those agreements against these questions. The most consequential gap in most existing BAAs is the absence of any provision addressing model training: whether the vendor may use PHI inputs to improve their AI model, and if so, on what terms. Several major AI vendors have faced regulatory scrutiny precisely on this question.

The minimum necessary principle and AI systems

HIPAA's minimum necessary standard requires covered entities to make reasonable efforts to limit PHI use and disclosure to the minimum necessary to accomplish the intended purpose. Applied to AI systems, this principle raises questions that most AI procurement processes do not currently address. Does the AI system require access to the full patient record, or only specific data elements? Can the system be configured to operate on de-identified or pseudonymized data? Does the system's access scope expand over time as its functionality is used for additional purposes?

AI systems frequently require access to broader data sets during training and fine-tuning than they require during inference. Organizations should understand and document the data access requirements for each phase of an AI system's lifecycle — not just its production operation.

AI-specific risks under the Security Rule

The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI. AI systems create several Security Rule considerations that legacy security frameworks were not designed to address.

Model inversion and membership inference attacks can extract information about training data from AI models — including whether specific individuals were included in a training set. Adversarial inputs can cause AI systems to produce incorrect outputs in ways that may affect patient safety and that may not be detectable without specific monitoring. AI system outputs that inform clinical decisions carry availability and integrity obligations that go beyond standard data backup and access control requirements.

The risk analysis required under the Security Rule should explicitly assess AI-specific threats and vulnerabilities. Most risk analyses completed before 2023 will not have done so adequately.

Where to start

Begin with an inventory of every AI system — including third-party tools — that processes, accesses, or generates PHI. For each system, assess whether an adequate BAA is in place and whether that BAA addresses AI-specific risks including model training use of PHI. Review the minimum necessary compliance posture for each system's data access scope. And ensure that your HIPAA risk analysis addresses AI-specific threats and that your incident response procedures cover AI system failures and outputs that may constitute breaches.

The intersection of HIPAA and AI is an area where regulatory guidance is actively developing. OCR has signaled increased enforcement attention to AI in healthcare, and the HHS AI Strategy published in 2024 establishes clear expectations for AI governance in healthcare organizations. The organizations that move now to close the HIPAA-AI gap will be in a substantially stronger position when enforcement attention increases — as it will.

Ready to act on this?

Book a free 60-minute discovery call

No pitch, no commitment — just an honest conversation about where your organization stands.

Legal

Privacy Policy

Last updated: June 2026

Clavant AI Governance, LLC ("Clavant," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you visit clavant.com or engage with our services.

1. Information We Collect

Information you provide directly. When you submit our contact form, download a resource, or book a discovery call, we collect your name, work email address, organization name, and any information you include in your message.

Automatically collected information. When you visit our website, we may collect standard log data including your IP address, browser type, pages visited, and time spent on the site. We do not use tracking cookies or third-party analytics platforms.

Calendly. If you book a discovery call through our Calendly integration, your scheduling information is collected and processed by Calendly, Inc. under their own privacy policy.

2. How We Use Your Information

We use the information we collect to:

  • Respond to inquiries and schedule discovery calls
  • Deliver requested resources and materials
  • Send relevant AI governance updates where you have opted in
  • Improve our website and service offerings
  • Comply with applicable legal obligations

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area or United Kingdom, our legal basis for processing your personal data is your consent (where provided), the performance of a contract or pre-contractual steps at your request, and our legitimate interests in operating and improving our business. You may withdraw consent at any time by contacting us at hello@clavant.com.

4. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this policy and comply with legal obligations. Contact and inquiry data is generally retained for three years from the date of last contact unless a longer period is required by law or you request deletion.

5. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information
  • Object to or restrict our processing
  • Withdraw consent at any time
  • Lodge a complaint with a data protection authority

To exercise any of these rights, please contact us at hello@clavant.com. We will respond within 30 days.

6. Security

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. No method of transmission over the internet is completely secure and we cannot guarantee absolute security.

7. Third-Party Links

Our website may contain links to third-party websites including Calendly. We are not responsible for the privacy practices of those sites and encourage you to review their policies before providing any personal information.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised effective date. Your continued use of our website following any changes constitutes your acceptance of the updated policy.

9. Contact

Clavant AI Governance, LLC
Eddie Taliaferro, Data Protection Officer
hello@clavant.com
Flint, Michigan, United States
Legal

Terms of Service

Last updated: June 2026

These Terms of Service govern your use of the Clavant AI Governance, LLC website at clavant.com and any services provided by Clavant AI Governance, LLC ("Clavant," "we," "us," or "our"). By accessing our Site or engaging our services, you agree to these Terms.

1. Use of the Site

You may use our Site for lawful purposes only. You agree not to use the Site in any way that violates applicable laws or regulations, infringes on the rights of others, or interferes with the operation of the Site. We reserve the right to restrict or terminate access at our discretion without notice for conduct we believe violates these Terms.

2. Intellectual Property

All content on this Site including text, graphics, logos, articles, checklists, templates, and other materials is the property of Clavant AI Governance, LLC and is protected by applicable copyright and intellectual property laws. You may not reproduce, distribute, modify, or create derivative works from any content without our prior written permission. Personal, non-commercial reference use is permitted provided attribution is maintained.

3. Professional Services

Engagement of Clavant's professional services is governed by a separate Master Services Agreement and Statement of Work executed between Clavant and the client. These Terms do not constitute or modify any professional services agreement.

The content on this Site is provided for informational purposes only and does not constitute legal, regulatory, or professional advice. You should not act on any information on this Site without seeking appropriate professional counsel for your specific situation.

4. Downloadable Resources

Resources available for download including the AI Governance Readiness Checklist and related materials are provided for your personal and organizational use only. You may not resell, redistribute, or represent these materials as your own work. Clavant retains all intellectual property rights in downloadable resources.

5. Disclaimers

No warranty. This Site and its content are provided "as is" without warranty of any kind, express or implied. We do not warrant that the Site will be uninterrupted, error-free, or free of viruses or other harmful components.

No professional advice. Nothing on this Site constitutes legal, regulatory, compliance, or financial advice. Framework references and informational content are provided for general educational purposes only. Formal advisory services require a signed services agreement.

6. Limitation of Liability

To the fullest extent permitted by applicable law, Clavant AI Governance, LLC shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of your use of or inability to use this Site or its content. Our total liability for any claim arising from your use of this Site shall not exceed one hundred dollars ($100).

7. Governing Law

These Terms are governed by the laws of the State of Michigan without regard to its conflict of law provisions. Any disputes arising under these Terms shall be subject to the exclusive jurisdiction of the state and federal courts located in Genesee County, Michigan.

8. Changes to These Terms

We reserve the right to update these Terms at any time. Updated Terms will be posted on this page with a revised effective date. Your continued use of the Site following any changes constitutes your acceptance of the updated Terms.

9. Contact

Clavant AI Governance, LLC
hello@clavant.com
Flint, Michigan, United States

Note: These Terms of Service are provided for general informational purposes. Clavant recommends review by a licensed Michigan attorney before relying on these terms for formal legal compliance purposes.

Get a Quote

Build your Statement
of Work

Know what you need? Configure your engagement in 3 minutes and get a draft SOW instantly — ready to discuss on your discovery call.

1
SERVICE
2
SCOPE
3
DETAILS

Which service do you need?

Select one or more services. You can combine multiple engagements into a single SOW.

Fractional AI DPO
Ongoing governance oversight — monthly retainer
From $10K/mo
AI Governance Program Buildout
End-to-end AIMS implementation — fixed-fee project
$75K–$150K
AI Readiness Assessment
Gap analysis with board-ready report — 4 to 6 weeks
$15K–$40K
Board & Executive Advisory
AI risk briefings for board and executive leadership
From $7.5K/session
EU AI Act Compliance
High-risk classification, conformity assessment, documentation
Scope on request
AI Vendor Risk Assessment
42-question framework across 7 risk domains per vendor
$8K–$25K/vendor
What you get
1
Draft SOW on screen instantly
Scope, deliverables, timeline, and pricing tailored to your inputs.
2
Download as PDF
Save and share your draft SOW with your team or leadership.
3
Discovery call to finalize
We follow up within 1 business day to refine scope and move to signature.
DRAFT ONLY  ·  NOT A BINDING AGREEMENT  ·  SUBJECT TO REVIEW
Not sure which service you need?

Start with a free discovery call. We will help you identify the right engagement for your situation.