Methodology · Governance Engagements

The Bouddi Governance Method.

Six phases. Built to be defended. Every AI Governance, Risk and Audit engagement runs on the same chassis - anchored to ISO/IEC 42001:2023, ISO 31000:2018, and APRA CPS 220, 230 and 234, co-delivered with risk, compliance and internal audit teams, and traceable from regulator question to evidence file.

  • 6 phases - Scope, Diagnose, Design, Build, Embed, Assure
  • 6–9 months for full implementation, faster for shorter scopes
  • 38 ISO/IEC 42001 Annex A controls cross-walked into deliverables
  • D1–D6 - anchored to the same maturity domains as the Strategy Method

Why this method exists

AI governance fails when the work isn't traceable.

By the time a regulator, an auditor or a board asks the awkward question, it is too late to construct the answer. AI governance only works when the trail of decisions - about scope, maturity, design choices, controls implementation, embedding and ongoing assurance - is available, sequenced and signed-off. The Bouddi Governance Method runs every engagement through six phases so that trail exists by design, not by reconstruction. The output stands up to APRA scrutiny, internal audit, and ISO/IEC 42001 certification readiness.

The six phases

Six phases. Each one ends with evidence the next phase consumes.

Phase 01 · Scope & Inventory · 4–8 weeks
Audit-grade AI footprint, MSP assessment, regulatory perimeter mapping, risk-tier classification.

Phase 02 · Diagnose · 2–4 weeks
Maturity baseline against D1–D6, gap analysis to ISO/IEC 42001 Annex A, APRA expectations and NIST AI RMF.

Phase 03 · Design · 4–8 weeks
AIMS architecture, risk framework, policy stack, decision rights and RACI, AI risk taxonomy.

Phase 04 · Build · 8–16 weeks
Controls implementation, intake process, vendor due diligence, model risk standards, evidence library schema.

Phase 05 · Embed · 4–8 weeks
Capability uplift curriculum, culture activation, stakeholder engagement plan, quarterly cadence pack.

Phase 06 · Assure · Ongoing
Internal audit programme, external assurance walkthroughs, regulator engagement, transparency reporting.

Phase 01 · 4–8 weeks

Scope & Inventory.

Most AI governance engagements start by trying to write a policy. The Bouddi Governance Method starts by mapping the territory. An audit-grade AI footprint catalogues every AI system in the organisation - production, pilots, shadow estate - with the data classes touched, decision authority, risk tier and current governance state. The Bouddi Fit-and-Risk Matrix is applied at this stage to place each candidate process on Suitability × Governance Burden.

Phase 01 · Scope & Inventory

You cannot govern what you cannot see.

4–8 weeks · co-delivered

Audit-grade AI inventory with structured walkthroughs, owner sign-off per system, and validation against ISO/IEC 42001 Annex A.4 inventory requirements. APRA Material Service Provider assessment for AI-bearing vendors. Regulatory perimeter mapped (APRA, Privacy Act, consumer law, sector-specific). Risk-tier classification using the Fit-and-Risk Matrix.

Deliverables
  • Audit-grade AI System Inventory
  • MSP assessment for AI-bearing vendors
  • Regulatory perimeter map
  • Risk-tier classification (Tier 1–4)
  • Fit-and-Risk Matrix placement (calibrated)
Audiences
  • Chief Risk Officer
  • Chief Compliance Officer
  • Head of Internal Audit
  • System owners (each AI system)
  • Procurement (vendor AI)
Phase 02 · 2–4 weeks

Diagnose.

Maturity assessed across all six D1–D6 domains using calibrated rubrics. Gap analysis run against ISO/IEC 42001 Annex A controls and APRA expectations under CPS 220, 230 and 234. Where the regulatory perimeter extends offshore (NIST AI RMF, EU AI Act), the cross-walk is established at this stage. Output is a board-ready findings pack that names the gaps, their severity, and the remediation work the rest of the engagement will sequence.

Phase 02 · Diagnose

Maturity, named honestly. Gaps, named precisely.

2–4 weeks · co-delivered

D1–D6 maturity baseline scored against the Bouddi rubric. Annex A gap analysis with severity rating per control. APRA CPS 220/230/234 cross-walk. Australian regulatory gap analysis. Board findings pack.

Deliverables
  • D1–D6 maturity baseline scoring
  • D1–D6 maturity narrative
  • ISO/IEC 42001 Annex A gap analysis
  • Australian regulatory gap analysis
  • Diagnostic report (board-ready)
Audiences
  • Board (findings pack)
  • Audit Committee
  • Risk Committee
  • Executive committee
Phase 03 · 4–8 weeks

Design.

The AI Management System (AIMS) architecture is drawn. The risk framework, policy stack, decision rights and RACI matrix are designed to fit the organisation's existing governance architecture - not bolted on. AI risk appetite and limits are agreed. The AI risk taxonomy is built. Phase 03 produces the design that the rest of the engagement implements.

Phase 03 · Design

The architecture, drawn before it's built.

4–8 weeks · co-delivered

AI strategy and ambition statement, responsible AI principles, risk appetite statement with limits, target operating model, AI risk taxonomy, 12-month roadmap, investment case, architecture and roadmap document. All cross-walked to ISO/IEC 42001 Annex A obligations.

Deliverables
  • AI strategy and ambition statement
  • Responsible AI principles
  • AI risk appetite statement and limits
  • Target operating model
  • AI risk taxonomy
  • Architecture and roadmap document
Audiences
  • Executive committee
  • Risk Committee
  • AI Governance Committee (incoming)
  • Architecture review board
Phase 04 · 8–16 weeks

Build.

The longest phase. Controls implementation across the AIMS - policy stack instantiated, intake process stood up, vendor due diligence operationalised, model risk standards published, AI control catalogue built, evidence library schema deployed, threat model documented, monitoring standard live. Each control traceable to its Annex A obligation and to the Phase 02 gap it closes.

Phase 04 · Build

38 Annex A controls. Built and evidenced.

8–16 weeks · co-delivered

AI governance policy head and standards (acceptable use, model risk, third-party AI, ethics and conduct). Governance committee charter. Use-case intake process. Model lifecycle and change management standards. Vendor AI due diligence pack. Incident response runbook. Algorithmic Impact Assessment template. Threat model. Data governance standard. Monitoring and explainability standards.

Deliverables
  • AI governance policy + standards stack
  • AI Governance Committee charter
  • Use-case intake process & register
  • Model lifecycle & change management
  • Vendor AI due diligence pack
  • AI risk register, control catalogue
  • Incident response runbook, threat model
  • Data governance, monitoring, explainability
Audiences
  • Risk and compliance teams
  • Internal audit
  • Procurement
  • Legal counsel
  • Technology architecture
  • Business owners (intake)
Phase 05 · 4–8 weeks

Embed.

Frameworks fail without people. Phase 05 builds the capability uplift curriculum, the culture activation plan and the stakeholder engagement model that make the AIMS stick. Quarterly cadence packs equip the AI Governance Committee to chair effectively. The aim is that the framework becomes how the organisation works - not a binder on a shelf.

Phase 05 · Embed

Culture, capability, cadence.

4–8 weeks · co-delivered

Capability uplift curriculum tailored to roles (board, executive, risk, compliance, business, technology). Culture activation plan with named champions. Stakeholder engagement plan. Quarterly cadence pack template for AI Governance Committee meetings.

Deliverables
  • Capability uplift curriculum
  • Culture activation plan
  • Stakeholder engagement plan
  • Quarterly cadence pack template
Audiences
  • People & Culture / HR
  • Communications function
  • AI Governance Committee
  • Whole organisation (curriculum)
Phase 06 · Ongoing

Assure.

The framework runs. Internal audit tests it, external assurance reviews it, regulators engage on it, and the annual AI transparency report tells the story to customers, the board and the public. Phase 06 is where the design pays off - every control evidenced, every decision traceable, every audit walkthrough rehearsed before the auditor walks in.

Phase 06 · Assure

The framework holds up. By design, not by reconstruction.

Ongoing

Internal audit programme with multi-year plan. External assurance walkthroughs (ISO/IEC 42001 certification readiness, where applicable). Regulator engagement plan with briefing materials. AI compliance register. Annual AI transparency report.

Deliverables
  • Internal audit programme
  • Multi-year audit plan
  • External assurance walkthroughs
  • Evidence library schema (live)
  • Regulator engagement plan
  • AI compliance register
  • Annual AI transparency report
Audiences
  • Internal audit
  • External auditors / certification body
  • APRA / sector regulators
  • Audit Committee
  • Board, customers, public (transparency)

The other half of the discipline

Governance makes investments defensible. Strategy decides which investments to make in the first place.

The Bouddi Governance Method delivers an audit-grade AI Management System - controls built, evidenced, and ready for assurance. The Bouddi Strategy Method runs upstream when the question is what to invest in: AI strategy, roadmap and procurement. Together, they give a single evidence discipline across both practices, anchored to the same D1–D6 maturity domains.