Boards and executives want help with AI — but they need someone who's already accountable for the same risks in a regulated environment. That's the difference here.
AI guidance tends to come from one of two camps — consultants who know the frameworks, or technologists who've built the systems. The institutions I work with need someone who's done both — who can explain AI risk in terms that land with a board of directors, an NCUA examiner, and a core system vendor in the same week.
Embedded strategic technology leadership for institutions without a full-time CIO, or organizations that need senior judgment without a senior hire.
Security program leadership grounded in regulatory expectations — NCUA, FFIEC, and the frameworks examiners actually reference in findings.
Practical governance for institutions adopting AI tools — from chatbots in member services to automated decisioning in lending. Grounded in NIST AI RMF 1.0.
Direct engagement with boards, audit committees, and executive leadership — translating technical AI and security risk into decisions and accountabilities.
Not every institution needs a retainer. Not every problem needs a project. Three models, each with a clear scope and outcome.
A defined number of hours per month for strategic guidance, board prep, and on-call judgment. Minimum 3-month engagement. Ideal for institutions in an active build or exam cycle.
Fixed scope, fixed deliverables — AI risk assessment, security program review, board education series, M&A diligence. Delivered in 4–12 weeks with a written output.
A single half-day or full-day session for your board or leadership team on AI risk, cybersecurity posture, or the technology decisions ahead of you. Prepared specifically for your institution.
The NIST Cybersecurity Framework (CSF) 2.0 is the primary lens for security program design, maturity assessment, and board reporting. Every engagement maps to its Govern, Identify, Protect, Detect, Respond, and Recover functions.
The NIST AI Risk Management Framework is how I structure AI governance work — MAP, MEASURE, MANAGE, GOVERN. I crosswalk it to CSF 2.0 for institutions that want a unified risk vocabulary.
Regulatory expectations don't always align with published frameworks. I track NCUA examination findings and FFIEC guidance so that governance work translates into exam-defensible positions, not just policy documents.
No pitch deck. No pre-work. A direct conversation about what you're trying to solve, your timeline, and whether there's a fit. I'll tell you if there isn't.
Within 5 business days, a short written proposal: scope, model (retainer / project / briefing), estimated hours or fee range, and expected outputs. No 40-page statement of work.
Simple agreement, clear accountabilities. Retainer engagements include a monthly standing call and async availability. Project engagements have defined milestones and check-ins.
I measure success by whether your team achieves its goals, your board asks better questions, or your exam position improves — not by hours billed or slide decks delivered.
The fastest way to know if this is the right fit is a direct conversation. No forms, no gatekeepers. Just pick a time and show up with the problem you're trying to solve.