Governance & guardrails
AI compliance consulting
AI compliance consulting is help working out which AI rules actually apply to your company and what to do about them, before a regulator, an auditor, or an enterprise customer asks. That's the work we do, and unlike most firms selling it, we'll tell you what it costs first.
What we cover
The point is a defensible answer to "are we compliant, and can we prove it," not a binder nobody reads:
- an inventory of every AI system and vendor tool, and which rules touch each one
- risk tiering that maps your systems to the EU AI Act's categories and a NIST-style rating
- the policies, access rules, and data boundaries the applicable rules require
- human oversight and documentation for anything high-impact
- a gap report and a first-90-days plan, in priority order
The US regulatory reality
The field is a patchwork, and most pages ranking for this term are written for EU startups worried about GDPR. If you're a US company, three things actually shape your exposure: the EU AI Act if any system or its output reaches the EU market, US state law (Colorado's AI Act takes effect 1 Jan 2027 after being rewritten, and other states have their own), and the sector rules you already answer to. We sort which of these apply to which of your systems, and we cite the primary sources rather than name-dropping them. The full comparison is in our AI compliance framework crosswalk.
How the engagement runs
We start small on purpose. The first step is a fixed-scope assessment: we inventory what you're running, tier it, and hand you a gap report with a plan. The assessment is $20,000 to $80,000 over 3–6 weeks; where in that range depends on scope: how many systems and teams we assess, company size, and regulatory exposure. Remediation and ongoing governance work follow only when the report shows they're worth it. If a policy and an approved-tools list are all you need, that's what it says.
Who does the work
The senior people at Tillerbridge are Nick Major, an engineer, and Isaac Major, an operator. The person on the first call is the person doing the work. Backgrounds are on the about page. We're not a law firm and we're not a certification body; we do the practical readiness work, your counsel owns the legal calls, and an accredited body handles any certificate.
Questions people ask
- What does AI compliance consulting cover?
- Working out which rules apply to your AI (the EU AI Act where it reaches you, US state laws like Colorado's, and your existing sector rules such as HIPAA, SOX, or GLBA), then closing the gap between those rules and what you actually run: policies, controls, documentation, and human oversight. We map the work to a named framework like the NIST AI RMF or ISO/IEC 42001 so it holds up when someone checks.
- How much does AI compliance consulting cost?
- Our fixed-scope assessment is $20,000 to $80,000 over 3–6 weeks; where in that range depends on scope: how many systems and teams we assess, company size, and regulatory exposure. For context, published boutique ranges for a comparable governance maturity assessment run $25,000–$75,000. Remediation and ongoing work are scoped after that, only if the assessment shows they're worth paying for.
- Do US companies need to worry about the EU AI Act?
- Only if an AI system or its output touches the EU market; then the Act reaches you even from outside the EU. If you're purely domestic, US state law and your sector's existing rules are the reference points, and classifying your systems against the Act's risk tiers is still a useful exercise. Which regimes apply to which of your systems is exactly what the assessment settles. We laid out all three side by side in our AI compliance framework crosswalk.
- How is this different from AI governance consulting?
- Compliance consulting starts from the rules and works back to your systems: which regulations bind you and what you must be able to show. Governance consulting starts from your systems and builds the standing controls and review process. They overlap heavily, and most companies need both; we usually settle which you need more of during the assessment.
- Are you a law firm?
- No. We're not lawyers and this isn't legal advice. We do the practical compliance-readiness work (inventory, risk tiering, controls, documentation) and we're happy to work alongside your counsel, who owns the legal calls. Where a question is genuinely legal, we say so and point you to them.
Tell us about the work.
A few lines is enough. We read every enquiry ourselves and reply within one business day.