Sovereignty, from policy to practice.
We work with organisations that have made governance or sovereignty commitments and now need someone to verify, technically, not just on paper, that their systems deliver them.
The gap in this market is not more governance frameworks. It's people who can sit inside a technical architecture decision and say: this implementation will satisfy this regulatory requirement, because the attestation chain maps to this specific control. That's what we do.
AI Governance Advisory
Strategy and implementation support for AI risk management, regulatory alignment, and governance framework design, from board briefings to technical controls.
Board-level briefings · Compliance gap analyses
EU AI Act readiness · Internal audit support
Digital Sovereignty
Assessing and strengthening organisational control over data, infrastructure, AI systems, and vendor relationships, with particular focus on critical and public sector environments.
Control frameworks · Procurement guidance
Confidential computing architecture
Open Source Security
DevSecOps strategy, software supply chain security, SBOM implementation, and OpenSSF adoption for organisations where the software supply chain is a material risk.
SBOM tooling selection and implementation
OpenSSF Scorecard baseline · Training
Technical Due Diligence
Security and governance review for M&A, investment decisions, or procurement, covering AI systems, software supply chains, and security posture.
Remediation priority lists
Vendor assessment frameworks
Where we work.
We focus on environments where security and governance failures have real consequences: regulated industries, public sector, and critical national infrastructure.
Retained Advisory
Ongoing relationship with agreed scope. Suitable for organisations building capability or navigating a multi-year programme.
Project-Based
Defined scope, timeline, and deliverables. Suitable for assessments, audits, framework design, and due diligence.
Workshops & Training
Half-day or full-day sessions for technical or executive teams. Topics include AI governance, supply chain security, and digital sovereignty.
Speaking
Keynotes, panels, and technical presentations for conferences, policy forums, and industry events.
Anonymised. Details changed to protect client confidentiality.
DORA operational resilience gap assessment
A UK-regulated financial institution needed to understand their exposure under DORA's ICT risk requirements before their first supervisory review. They had compliance documentation but no technical validation of whether their AI and cloud systems actually delivered the resilience they claimed.
AI Act readiness for high-risk system deployment
A public sector body procuring an AI decision-support system needed to determine whether the vendor's conformity claims held up technically. The system was classified as high-risk under Annex III and their procurement team lacked the technical capacity to evaluate the technical documentation.
Supply chain security baseline for CRA compliance
A software company shipping to enterprise customers in the EU needed to implement SBOM generation and software supply chain controls ahead of the Cyber Resilience Act's requirements. Their engineering team understood DevSecOps but had no experience mapping controls to regulatory obligations.
"The CLOUD Act does not care where your data centre is. It cares where your provider is incorporated."
Code, Chips and Control - Ch.7, Data Jurisdiction