AI GOVERNANCE & COMPLIANCE · SERVICENOW AI CONTROL TOWER · IRM / GRC · ENTERPRISE SERVICE MANAGEMENT · PROCESS RE-ENGINEERING · EU AI ACT · ISO/IEC 42001 · UK GDPR & DPIAs · AI GOVERNANCE & COMPLIANCE · SERVICENOW AI CONTROL TOWER · IRM / GRC · ENTERPRISE SERVICE MANAGEMENT · PROCESS RE-ENGINEERING · EU AI ACT · ISO/IEC 42001 · UK GDPR & DPIAs ·
PRODUCTS / RUNG 03
Scoped priced after a short call · based on size and complexity
Typically 1 to 2 weeks

AI Governance Health Check

An independent, evidence-based review of how your organisation actually uses AI, measured against its policies, obligations and controls. Structured across ten governance dimensions and grounded in ISO/IEC 42001, the NIST AI Risk Management Framework and the EU AI Act. Plain findings you can show a board, a client or a regulator.

Every paid engagement at Nimble AI is fixed-price once scoped, with no open-ended day rates. We scope it with you on a short call before invoicing.

What we check

Ten dimensions.
Real evidence.

Our assessment covers the ten governance dimensions that matter: accountability, fairness, transparency, human oversight, data governance, privacy, security, safety and robustness, third-party communication, and continual improvement. Each is scored from 0 to 3 against real evidence. The ten governance dimensions are assessed across the nine evidence areas below.

AI inventory and shadow AI

What good looks like

Every AI system in active use is identified and logged, including tools that staff are using without IT or management sign-off.

Policy coverage vs actual practice

What good looks like

Written policies exist, are current, and match what the organisation actually does. Staff know where to find them and follow them.

Data protection and privacy

What good looks like

AI systems that process personal data have been assessed for UK GDPR compliance, with Data Protection Impact Assessments in place for high-risk processing.

Human oversight and decision accountability

What good looks like

Every AI-influenced decision has an identifiable owner, a review mechanism, and a record of what was decided and on what basis.

Staff training and AI literacy

What good looks like

Staff using AI tools understand what they can and cannot do, the risks of careless use, and where to go when something goes wrong.

Third-party and vendor controls

What good looks like

AI tools and vendors acquired from third parties have been assessed before deployment, and your exposure to their data-handling practices is understood and managed.

Incident and escalation routes

What good looks like

Your organisation has a clear process for when AI systems produce unexpected, harmful or unacceptable outputs: who to tell, how to escalate, and how to halt or override.

Leadership accountability and board oversight

What good looks like

Responsibility for AI governance is assigned in writing at senior level, with regular, structured visibility over the organisation's AI estate and its risks.

Fairness and bias risk

What good looks like

AI-assisted decisions affecting people have been checked for bias against protected characteristics under the Equality Act 2010, and the organisation can evidence that check was done.

Our methodology is built on ISO/IEC 42001, the NIST AI Risk Management Framework and the EU AI Act, and covers the ground consulted on in DSIT's AI Management Essentials work. Each dimension is scored from 0 to 3 against real evidence: not a checklist, not a self-assessment, and not calibrated to the most flattering interpretation.

Process

How it works

A structured engagement from scoping call to written findings. Typically 1 to 2 weeks from engagement.

01

Scoping call

We confirm what your organisation uses AI for, the team members to involve, and which dimensions to prioritise given your sector and risk profile.

02

Evidence gathering

We review existing policies and documentation, walk through the AI systems in use, and hold short conversations with the people who design, run and use them.

03

Assessment against the framework

Each of the ten governance dimensions is scored from 0 to 3 against real evidence, calibrated across our work with comparable UK businesses.

04

Written findings

Findings are documented, risk-rated and ordered by priority. The maturity heatmap is built from the evidence, showing your strongest and most exposed dimensions side by side.

05

Remediation roadmap

A prioritised action plan with effort estimates: what to fix, in what order, and how much work each item is. Proportionate to your size and resources.

06

Debrief session

We walk through every finding with you, answer questions, and agree on next steps. You leave with a clear picture of where you stand and what to do about it.

Deliverables

What you receive

Six concrete outputs: everything you need to understand where you stand, prioritise what to fix, and show a board, a client or a regulator that you have done this properly.

01

RAG-rated findings report

A complete assessment across all ten governance dimensions. Each finding is red, amber or green rated for at-a-glance priority, with the full detail scored 0 to 3 against the evidence rubric.

02

Maturity heatmap

A visual snapshot of your governance maturity: which dimensions are solid, which are partially in place, and where the highest-leverage gaps sit.

03

Prioritised remediation plan

What to fix, in what order, with effort estimates: a proportionate action plan your team can actually follow.

04

Board-ready executive summary

A concise summary suitable for board, leadership or external review: your governance position, the key risks, and the recommended next steps.

05

Debrief session

A live walkthrough of every finding so you leave the engagement knowing exactly what was found and what to do next.

06

ISO/IEC 42001 pathway

A clear pathway toward ISO/IEC 42001 alignment, if certification is your end goal.

Get started

Two ways in

Whether you are starting fresh or already have findings to act on, there is a direct path to the right next step.

Path A · Not sure where you stand yet

Start with the free AI Governance Scorecard

Fifteen questions, ten minutes, no sales call. You receive a RAG-rated score across the ten governance dimensions, a plain-English view of which UK rules and benchmarks are likely to apply to you, and a recommended next step. The health check is the natural next rung once you have your score and want an independent review.

Take the free scorecard
Path B · Already have findings, or know your gaps

Book a scoping call directly

If you have already received audit findings from a regulator or insurer, completed an internal review, or simply know where your governance gaps are and want expert help closing them, book a scoping call directly. No need to start with the free tool if you are past that stage: we will confirm the right engagement, scope it to your situation, and get straight to work.

Book a scoping call
Not sure which rung you need?

Start with the free scorecard

Fifteen questions, ten minutes, no sales call. You will come away with a RAG-rated score across the ten governance dimensions, a plain-English view of which UK rules and benchmarks apply to your business, and a clear recommended next step.

Already have findings and know you need outside help? Book a scoping call and we will get straight to work.