Dhārā II
Amātya Stream

AI-Augmented Governance

Amātya, counsel as instrument

AI is the instrument. Governance is the objective. Audit methodology for enterprise LLM deployments, model risk frameworks, and the minimum sufficient control set for organisations deploying AI in regulated environments.

AI Governance · LLM Audit · Model Risk · NIST AI RMF · Copilot Governance · EU AI Act
Governance Engineering, Intelligence Layer

AI is the instrument. Governance is the objective. The sunlight enables the tree; the tree is the subject. Govern unmanaged and unmanageable risk exposure, not all risk. Minimum sufficient control set. Maturity is a direction of travel: are you improving or drifting?

In scope
AI maturity radar, direction of travel scoring
LLM audit methodology for enterprise deployments
Agent governance and trust boundary architecture
Prompt integrity and injection risk assessment
Model drift detection and output monitoring
Copilot and Copilot Studio governance in regulated environments
Unmanaged AI risk exposure mapping
CCMM applied to the intelligence layer
Enterprise AI deployment review methodology
GenAI attack and mitigation taxonomy

Outside this stream
Active AI threat hunting (Dhārā IV)
AI regulatory calendar and enforcement milestones (Dhārā VI)
AI tooling for audit automation (Dhārā I)
Capital exposure from AI investments (Dhārā V)

Who this is for
CISO · Model risk officer · IT auditor facing their first AI audit · Any leader whose organisation uses AI without knowing what they cannot see

Know whether your AI governance is improving or drifting. Govern the exposure that the framework has not named yet. Build the minimum control set that actually holds under examination.

Field Notes

7 entries
Jun 2026 Field Note

Proof with an expiry date

Regulated records can outlive the cryptography that proves them. Crypto-agility is the architectural property that lets a firm migrate primitives without re-attesting the world. An audit-defensible read of the post-quantum transition: the honest technical distance, converging guidance deadlines, the sovereignty question, and what an auditor can actually ask for today.

May 2026 Field Note

The root of trust

Hardware attestation for self-hosted AI in regulated firms. Everything above it is contingent.

May 2026 Field Note

Two hundred and fifty documents

Open-weight models solve one supply chain problem. They do not solve training-data provenance. The 250-document poisoning result exposes the real gap: corpus integrity, RAG provenance, and prompt injection. The data layers are the attack surface your governance programme is not watching.

May 2026 Field Note

Whose hash, whose key, whose pin: supply chain is the sovereignty question

Trust primitives are technical artefacts. The governance question behind them is whose authority chain backstops each one. Whose hash, whose key, whose pin authority: a supply-chain decision framework for self-hosted AI in regulated firms.

May 2026 Field Note

Sovereign by default, hybrid at edges

A practitioner's case for self-hosted open-weights inference in regulated firms, the trust primitives that make it audit-defensible, and where hybrid still makes sense.

Mar 2026 Field Note

AI in IT Audits: What Has Changed, What Has Not, and What Auditors Are Missing

What the AI-in-audit conversation gets right, where it gets seductive, and which audit fundamentals do not change regardless of which model produced the evidence.

Dec 2025 Field Note

A Guide to Auditing Generative AI

Audit methodology for Copilot, ChatGPT Enterprise, and Copilot Studio agents in regulated institutions, including the prompt-integrity and output-monitoring gaps.

