Practice 02 · AI Governance, Risk & Audit

Evidence-grade AI governance for ANZ's regulated sectors.

Bouddi helps risk, compliance and audit leaders build AI governance that withstands regulator review, internal audit and the next material incident - anchored to ISO/IEC 42001:2023, ISO 31000:2018 and APRA CPS 220, 230 & 234.

  • 1,359 ANZ organisations mapped on AI governance maturity
  • 11 regulated industries covered, from APRA-regulated banks to public health
  • 38 ISO/IEC 42001 Annex A controls implemented and evidenced
  • 6-phase methodology from board mandate to certification readiness

Our approach

Built for the people who have to defend the work.

Most AI governance engagements are written for slides. Ours are written for auditors. Bouddi's governance practice is built around a single conviction: AI governance should produce evidence, not artefacts.

Who we work with

Chief Risk Officers, Heads of Compliance, Internal Audit, and Audit Committee Chairs at ASX-listed and APRA-regulated organisations across Australia and New Zealand - plus the boards and executives who sit above them.

Every artefact we deliver - your AI inventory, your Statement of Applicability, your control narratives - is designed to survive external assurance and stand up in front of a regulator.

And where you already have control libraries, audit frameworks, risk registers, ISMS documentation or policy stacks, we extend them rather than replace them - your existing work is the starting point. We only build from scratch where nothing exists.

  • 01
    Standards-anchored, not framework-dressed
    Every recommendation traces to a clause in ISO/IEC 42001:2023, ISO 31000:2018, or the relevant APRA CPS. No proprietary mystery. If you need to align to NIST AI RMF or the EU AI Act, we can do that too.
  • 02
    Evidence over artefacts
    We build the evidence library that auditors and regulators ask for - control narratives, sampling logs, exception registers - not just a policy on a SharePoint site.
  • 03
    Co-delivered with your second and third lines
    We don't drop a report and leave. Risk, compliance and internal audit work alongside us so the capability stays in your organisation.
  • 04
    Tied to your existing risk taxonomy
    AI risk slots into your enterprise risk framework - operational, conduct, model, third-party, technology - rather than living as an orphaned register.
  • 05
    Board-ready by default
    Every engagement produces an Audit Committee pack and a Board paper your Chair can take into a meeting unedited.
  • 06
    Built on your work, not over it
    Your existing control libraries, audit frameworks, risk registers, policy stacks and process maps are the starting point. We inherit, validate, extend and standards-anchor - we only build from scratch where nothing exists.

Engagements

Three engagements, one pathway to assurance.

Most clients enter at the diagnostic and move into roadmap or implementation once the gap picture is clear. Each tier produces signed-off, evidence-grade deliverables. Indicative pricing is available in the Prospective Clients area.

AI Governance Diagnostic

4–8 weeks · Phase 1
  • AI & algorithmic system inventory
  • Maturity assessment across D1–D6 domains
  • Gap analysis to ISO/IEC 42001 Annex A
  • APRA CPS 220 / 230 / 234 obligation map
  • Material Service Provider (MSP) assessment
  • Board-ready findings pack

Full Implementation

6–9 months · Phases 1–6
  • End-to-end AIMS implementation
  • 38 Annex A controls built and evidenced
  • Vendor due diligence playbook
  • Incident response + BCP addendum
  • Internal audit dry-run & SoA
  • ISO/IEC 42001 certification readiness

Board & Audit Committee facilitation

Confidential briefings on AI governance posture, regulator developments, material AI incidents and director liability exposure. Available as standalone engagements or alongside any tier.
Rate on request

The Bouddi Governance Method

Six phases. Six maturity domains. One certification pathway.

The Bouddi Governance Method is the engagement methodology behind every governance deliverable. Phases sequence the work; D1–D6 maturity domains measure where you are and where you need to be. The full methodology - phases, deliverables per phase, named audiences and the bridge to the Strategy practice - lives at The Bouddi Governance Method.

Phase 01 · Scope & Inventory · 4–8 weeks
In-scope sub-domains, AI inventory, scoping decisions and rationale, MSP assessment.

Phase 02 · Diagnose · 6–10 weeks
D1–D6 maturity baseline, Annex A gap analysis, regulatory gap, board-ready findings pack.

Phase 03 · Design · 8–12 weeks
AI strategy, risk framework, target operating model, 12-month roadmap, investment case.

Phase 04 · Build · 6–10 weeks
Policy stack, 38 Annex A controls, registers, templates, evidence library.

Phase 05 · Embed · 4–6 weeks
Operating cadence, board and committee reporting, capability uplift, BAU integration.

Phase 06 · Assure · 4–8 weeks
Internal audit programme, Statement of Applicability, external assurance readiness.

D1–D6 Maturity Domains

Each domain is scored 1 (Unaware) to 5 (Leading). Movement across domains drives the roadmap.

D1 · Strategy & Ethics
AI strategy and ambition, responsible AI principles, board-level oversight, AI risk appetite, stakeholder engagement.

D2 · Governance & Controls
AI policy framework, decision rights and accountability, three-lines model, AI risk taxonomy, committee structure.

D3 · People & Skills
AI literacy across the workforce, specialist AI and AI-risk roles, training pathways, culture, performance management.

D4 · Process & Lifecycle
AI use-case intake, model lifecycle, change management, third-party and vendor AI risk, incident response.

D5 · Technology & Data
Data quality and lineage, MLOps platform, security of AI systems, monitoring (drift, performance, fairness), explainability.

D6 · Assurance & Regulatory
Internal audit, external assurance readiness, regulatory engagement, compliance with binding and voluntary standards, public disclosure.

Want to see what these deliverables actually look like? Sample artefacts - D1–D6 maturity baseline, Annex A gap analysis, 12-month roadmap, AI contract clauses - are available in our prospect portal.

Insights

Field notes from regulated AI deployments.

Short, standards-anchored briefings written for risk, audit and board audiences. No vendor pitches, no AI evangelism - just what's working and what's failing on the ground in ANZ.

APRA · CPS 230

What "critical operations" actually means when the operation is an AI model.

A working interpretation of CPS 230's tolerance levels and Material Service Provider obligations when a model - not a vendor - sits inside a critical operation. With worked examples across credit decisioning and claims triage.

8 min read · Coming soon

ISO/IEC 42001

Mapping Annex A to your existing risk taxonomy without doubling the register.

Annex A's 38 controls overlap heavily with ISO 27001, NIST AI RMF and your enterprise risk framework. A practical crosswalk that lets you absorb 42001 into the controls you already test, instead of running parallel registers.

11 min read · Coming soon

Audit Committee

The five questions an Audit Committee will ask about your AI inventory.

What ACs are actually asking in 2026 - completeness, classification rationale, vendor concentration, incident readiness, and director-level accountability - and how to answer each with evidence rather than narrative.

6 min read · Coming soon

Need to make the AI investment decision before it gets governed?

Our Strategy, Roadmap and Procurement practice handles the upstream work - discovering customer business processes, defining the AI thesis, sequencing the build, and procuring the platforms and vendors that the governance work will eventually wrap.

Engage

Start with a confidential conversation.

The first 30 minutes are no-obligation and covered by NDA on request. We'll discuss your current AI footprint, your regulatory perimeter, and where a diagnostic would land you in 4–8 weeks.