# INITOL

> Enterprise IT Governance, Risk & Compliance (GRC) advisory firm founded in 2012.
> Partner-led engagements across SOC 2, ISO 27001, NIST CSF, FedRAMP, HIPAA,
> CMMC, HITRUST, PCI-DSS, GDPR, CCPA, and NIST 800-53.

INITOL designs and operationalizes enterprise GRC programs for regulated organizations. Every engagement is staffed by a named partner from kickoff through audit close.

## Pages

- Home (https://initol.netlify.app/): Firm overview, capabilities, outcomes, methodology, frameworks.
- Services (https://initol.netlify.app/services): Six GRC disciplines, engagement shapes, deliverables.
- AI Governance (https://initol.netlify.app/ai-governance): Specialty practice for AI inventory, policy, model governance, NIST AI RMF, ISO/IEC 42001, and EU AI Act compliance.
- Industries (https://initol.netlify.app/industries): Financial services, healthcare, government, technology, manufacturing.
- Resources (https://initol.netlify.app/resources): Framework guides, playbooks, executive briefings by INITOL partners.
- About (https://initol.netlify.app/about): Mission, principles, leadership team, firm history since 2012.
- Contact (https://initol.netlify.app/contact): Book a 30-minute assessment. Response within one business day.

## Services

- GRC Program Design: Stand up or rebuild a governance program from scratch or after a stalled audit.
- Cybersecurity Governance: Zero-trust architecture review, secure SDLC, cloud control assurance.
- Identity & Data Governance: IAM rationalization, data classification, GDPR/CCPA/HIPAA privacy programs.
- Business Resilience: Incident response playbooks, BCP/DR exercises, operational resilience.
- Third-Party Risk: Vendor lifecycle, supply-chain due diligence, subprocessor governance.
- Audit Readiness & Assurance: SOC 2, ISO 27001, FedRAMP, HITRUST readiness sprints and auditor support.
## AI Governance (Specialty Practice)

URL: https://initol.netlify.app/ai-governance

Partner-led AI governance advisory across three frameworks:

- NIST AI RMF: AI risk profiles, board reporting, and control roadmaps.
- ISO/IEC 42001: AI management system design and certification support.
- EU AI Act: System classification, conformity assessment, and vendor contract flow-down.

Five capabilities: AI inventory & risk assessment, AI policy framework, model governance, third-party AI risk, AI incident response.

AI program lifecycle: Discover → Classify → Govern → Assure.

Engagement models:

- AI Risk Snapshot: 3–4 weeks, $35K–$65K
- AI Governance Build: 10–12 weeks, $95K–$175K
- Embedded AI Advisory: ongoing, $15K–$28K/month

### AI Governance FAQ

Q: Where should we start if we have no AI governance program today?
A: Start with an AI Risk Snapshot — a 3–4 week engagement that produces a complete inventory of AI systems in use, a risk-tier classification, and a board-ready summary.

Q: Does the EU AI Act apply to US-based companies?
A: Yes, if you place AI systems on the EU market or if your AI outputs affect people in the EU. US SaaS, healthcare, and financial firms with EU exposure need classification roadmaps.

Q: How does AI governance relate to our existing SOC 2 or ISO 27001 program?
A: Existing control libraries cover roughly 40–60% of AI governance requirements. INITOL maps overlapping controls once and builds unified evidence workflows.

Q: Do you evaluate specific AI models or platforms?
A: INITOL governs the program, not the technology. It sets the requirements for model registry, testing gates, and vendor contracts — engineering selects models against those requirements.
### AI Governance Resources

- The AI Governance Stack: NIST AI RMF, ISO 42001, EU AI Act in One Picture (https://initol.netlify.app/resources#ai-governance-stack)
- Shadow AI: Inventorying Models Your Engineers Already Shipped (https://initol.netlify.app/resources#shadow-ai)
- From SOC 2 to ISO 42001: How Existing Programs Extend to AI (https://initol.netlify.app/resources#soc2-to-42001)

## Engagement models

- Readiness Sprint: 4–6 weeks, $45K–$85K — single-framework audit prep with a hard deadline.
- Program Build: 12–16 weeks, $120K–$220K — full GRC program stand-up across one or two frameworks.
- Embedded Advisory: ongoing, $18K–$35K/month — partner through audit cycles and board reporting.

## Frameworks

SOC 2, ISO 27001, NIST CSF, NIST 800-53, CIS Top 18, HITRUST, PCI-DSS, GDPR, CCPA, FedRAMP, HIPAA, CMMC, NIST AI RMF, ISO/IEC 42001, EU AI Act

## Offices

- New York, NY (Midtown Manhattan)
- Washington, DC (Capitol Hill)
- London, UK (City of London)

## Contact

- General inquiries: partnerships@initol.com
- Insights and briefings: insights@initol.com
- AI governance assessments: partnerships@initol.com