A boutique AI governance and compliance consultancy. Audits and certification readiness, regulatory advisory, and programmes for boards and teams, primarily across the UK, Poland, Ireland and the wider EU, with GCC reach.
Start a conversation See the programmesIndependent audits of AI systems and governance, with board-ready findings and a clear remediation path. Gap analysis, documentation, and pre-audit preparation for ISO 27001 and ISO 42001, taking you to the door of certification ready to pass.
AI governance and regulatory compliance across the EU AI Act, NIS2 and national implementations, UK frameworks, and GCC requirements. One coherent structure, evidence that travels across jurisdictions.
Programmes for boards and supervisory boards, and AI training for organisations that build, ship, or operate AI. Every session produces a documented record of competence.
Every engagement begins with a conversation and ends with something you can use, defend, and build on. The path between is structured, transparent, and shaped around where you actually are.
We start by understanding your situation: the AI you use, build, or sell, the markets you operate in, and the pressure you are under, whether from regulators, investors, buyers, or your own board. This first conversation tells us both whether and how we can help.
We define the work precisely: what we will assess or build, what we need from you, the timeline, and the deliverables. You receive a clear written proposal before anything begins. No open-ended retainers by default, no ambiguity about what you are getting.
We carry out the engagement: audit, classification, documentation, framework design, or whatever the scope defines. We work closely with your teams where needed, and independently where that serves you better, with regular checkpoints so you are never wondering where things stand.
You receive work that is board-ready: clear findings, the documentation itself, and a prioritised path forward, presented to your team rather than left in an inbox. From there, some clients move to a retained advisory relationship for ongoing governance; others take what we have built and run with it. Both are by design.
Helping organisations unleash their AI. Governance is how.
AI is no longer something organisations simply use. It is something they build, embed in their products, and sell. Whether you deploy AI tools internally, ship AI-powered services to customers, or sign enterprise contracts to deliver AI at scale, you are now accountable for how those systems behave. The question is no longer whether AI is part of your business. It is whether you can explain, control, and stand behind how it works.
AI governance is the structure that makes that possible. Not a policy document filed away. A working framework that defines who is accountable, how decisions are made, what data flows where, and how risk is caught before it becomes exposure. Done well, governance is not a brake on AI. It is what lets you move faster with confidence: govern to grow.
We help organisations move from scattered, reactive AI use to a governance structure they can actually operate and defend. The work is practical, not theoretical:
Every engagement is structured around seven core dimensions of responsible AI. Together they turn abstract principles into something an organisation can actually operate:
AI governance is the structure that determines how an organisation designs, owns, monitors, and stands behind its AI systems. It defines who is accountable, how decisions are made, what data flows where, and how risk is caught before it becomes exposure. It is not a single policy document or a one-off training session. It is a working framework embedded into how the organisation operates.
No. Compliance proves you meet the rules that apply to you at a given moment. Governance is the wider structure that decides how AI is designed, owned, and corrected over time, so that compliance holds true as systems, teams, and regulations change. Compliance is essential, but on its own it is a snapshot. Governance is what keeps it true.
In most organisations, no single person is, and that is the problem. Technology sits with IT, data with the DPO, compliance with Legal, outcomes with the business. Each team owns a piece; no one owns the whole. Effective AI governance resolves this by naming a single accountable owner for each AI system: its risks, its documentation, its obligations, and its consequences.
No. Done well, governance is what lets you move faster with confidence. Without a clear structure, every new AI deployment carries unmanaged risk, every regulator query becomes a fire to fight, and every investor or buyer question exposes a gap. Governance built in from the start removes that friction and makes responsible scale possible. This is the principle behind everything we do: govern to grow.
Helping organisations unleash their AI. Proof is how.
Governance sets the structure. Compliance is where you prove it works, in documents a regulator, an auditor, or an enterprise client will actually accept. This is the evidence layer. When a regulator asks how your AI makes decisions, when an investor's due diligence team asks for your governance documentation, when an enterprise buyer makes certification a condition of signing, compliance is what you put on the table. We build it so that it holds.
Any organisation that provides or deploys an AI system whose output is used in the EU, regardless of where the organisation is based. Obligations depend on your role in the value chain (provider, deployer, importer, or distributor) and on how your system is classified by risk. The heaviest obligations fall on high-risk systems, which include AI used in employment, education, credit and insurance, essential services, and critical infrastructure.
Often, yes. The EU AI Act applies based on where your AI system operates and who it affects, not where your company is incorporated. A UK-registered company is in scope the moment its system makes or influences decisions about people in the EU. We help UK organisations identify EU exposure early, before an EU-facing product forces a costly retrofit.
A deployer pack is the complete set of documents an organisation must have in place before deploying an AI system lawfully. Depending on the jurisdiction and the system, it can include a Data Processing Agreement (DPA), an international transfer agreement, a Data Protection Impact Assessment (DPIA), a human oversight record, an AI literacy record, and a complaints procedure. A single missing document can block go-live, so the pack is built and signed as a whole.
It depends on what you build and who you sell to. ISO 27001 covers information security and is widely expected across markets. ISO 42001 is the dedicated standard for AI management systems. Neither is a legal requirement, but both are increasingly how organisations demonstrate trust to enterprise buyers and investors. Because the standards share a common structure, pursuing them together is more efficient than doing each in isolation.
Longer than most organisations expect. A full set of deployer documentation for a high-risk system typically takes months, not weeks, once you account for the agreements that must be drafted, reviewed, and signed between parties. Compliance built early is design. Built late, under deadline pressure, it becomes a far more expensive reconstruction.
Two distinct practices, one standard of proof: every session produces a documented record of competence. Delivered in English or Polish, on site and online, primarily across the UK, Poland, Ireland and the wider EU, with delivery in the GCC on request.
Advisory for boards and supervisory boards, delivered as sessions. New cyber laws across Europe place duties directly on boards, and the EU AI Act requires AI competence from those who oversee AI. We pair the two: two duties, one session, one documented record.
Directors' duties under the new cyber regimes: Poland's KSC Act in force, Ireland's Bill in progress, the UK's CSRB on its way. Obligations, timelines, personal exposure.
AI competence required of those who oversee AI, made practical: the AI inventory, shadow AI (including the board's own), agentic systems and the audit problem.
Cyber duties and AI governance together: board and executive at one table, one accountability map, a twelve-month plan.
For groups operating across several countries: where national implementations diverge, and how one structure satisfies them all.
Sessions teach; the simulation tests. A moderated tabletop on a realistic scenario: cyber, or purely AI (a deepfake of the CEO, an agent acting beyond its authority).
Quarterly sessions, regulatory briefings, updated documentation, and access between sessions. A recurring statutory duty turned into a recurring readiness review.
Companion services: scoping assessment · board governance pack · AI use review · 24/72 incident playbook · regulator readiness review · new director onboarding (1:1). Full programme descriptions available on request: office@annaaugust.com.
AI training for AI companies, startups, and organisations deploying or managing AI at scale. If your teams build, ship, or operate AI, the EU AI Act already expects them to be competent in it: Article 4 makes AI literacy an obligation, not an aspiration.
Role-based AI literacy for the people who work with AI daily: what the systems do, where the risk sits, and what the law expects of them. Designed for the organisation, with a documented record of competence.
For startups and scale-ups whose product is AI: governance, documentation, and compliance practice that survives investor due diligence and enterprise procurement.
For teams rolling out AI internally: human oversight in practice, escalation paths, incident awareness, and the records that prove all of it.
Training built around your systems, your sector, and the regulations that apply to you, not a generic curriculum with your logo on the first slide.
Anna August is the founder of Anna August Advisory. She holds a PhD and spent nearly two decades in some of the most demanding regulated environments, from medical devices and healthcare to education, ESG, aviation, and enterprise technology, consistently as the person responsible for making complex, data-driven systems worthy of trust: by regulators, by users, and by the boards who signed off on them.
That experience, sharpened by an earlier academic career of research and lecturing, is what the advisory is built on. She is the creator of the Seven Core Ethical Pillars framework, and writes the practitioner newsletter Notes from the Human Side. She delivers board programmes personally.
An AI governance consultancy helps organisations build the structure that determines how their AI is designed, owned, monitored, and defended: who is accountable, how decisions are made, how risk is managed, and how compliance is proven across the regulations that apply. Anna August Advisory is an AI governance and compliance consultancy serving organisations primarily across the UK, Poland, Ireland and the wider EU, with GCC reach, with a methodology built on the Seven Core Ethical Pillars.
If your organisation uses, builds, or sells AI and cannot clearly name who is accountable for it, the answer is usually yes. Most organisations are not ungoverned; they are under-governed, moving faster than their structures can hold. An AI governance consultant brings the framework, the regulatory knowledge, and the outside perspective to close that gap before a regulator, an investor, or an incident exposes it.
Anna August Advisory is a boutique consultancy specialising in AI governance, compliance, and ethics. We help organisations design, document, and defend how they use, build, and sell AI. Our work spans AI governance frameworks, regulatory compliance, audits, board programmes, and organisational training, all built on a proprietary methodology, the Seven Core Ethical Pillars.
Primarily the UK, Poland, Ireland, and the wider European Union, with engagements in the Gulf Cooperation Council (GCC). This cross-jurisdictional reach is a core part of what we offer: organisations operating across these markets face overlapping and sometimes conflicting requirements, and we structure governance and compliance so that one coherent framework holds across all of them.
Compliance proves you meet the rules that apply to you at a given moment. Governance is the wider structure that decides how AI is designed, owned, monitored, and corrected over time, so that compliance holds true as systems, teams, and regulations change. Compliance is essential, but on its own it is a snapshot. Governance is what keeps it true. We work across both.
We work with organisations that use, build, or sell AI: from established companies bringing order to AI that has already spread through their operations, to startups and scale-ups designing governance into their product from the start. Our clients span regulated sectors, cross-border businesses, and organisations raising funding, where scrutiny from regulators, buyers, and investors arrives fastest.
The Seven Core Ethical Pillars is the proprietary framework behind all of our work: human oversight, technical robustness and safety, data privacy, transparency, fairness, social impact, and accountability. It turns abstract principles into something an organisation can actually operate, and it maps directly onto the EU AI Act, UK guidance, ISO 42001 and ISO 27001, and GCC frameworks, so one structure produces evidence you can reuse across jurisdictions.
Anna August is the founder of Anna August Advisory. She holds a PhD and brings nearly two decades of experience in highly regulated environments, including medical devices, healthcare, sustainability, and enterprise technology, to the challenge of AI governance. She is the creator of the Seven Core Ethical Pillars framework, writes the practitioner newsletter Notes from the Human Side, and contributes to leading international conversations on AI governance.
Whether you are facing a deadline, a due diligence request, or a board that has started asking questions, the first step is the same.
office@annaaugust.com LinkedIn