Dhārā II
Amātya Stream

AI-Augmented Governance

Amātya, counsel as instrument

AI is the instrument. Governance is the objective. Audit methodology for enterprise LLM deployments, model risk frameworks, and the minimum sufficient control set for organisations deploying AI in regulated environments.

AI Governance · LLM Audit · Model Risk · NIST AI RMF · Copilot Governance · EU AI Act
Governance Engineering, Intelligence Layer

AI is the instrument. Governance is the objective. The sunlight enables the tree; the tree is the subject. Govern unmanaged and unmanageable risk exposure, not all risk. Minimum sufficient control set. Maturity is a direction of travel: are you improving or drifting?

In scope
AI maturity radar, direction of travel scoring
LLM audit methodology for enterprise deployments
Agent governance and trust boundary architecture
Prompt integrity and injection risk assessment
Model drift detection and output monitoring
Copilot and Copilot Studio governance in regulated environments
Unmanaged AI risk exposure mapping
CCMM applied to the intelligence layer
Enterprise AI deployment review methodology
GenAI attack and mitigation taxonomy

Outside this stream
Active AI threat hunting (Dhārā IV)
AI regulatory calendar and enforcement milestones (Dhārā VI)
AI tooling for audit automation (Dhārā I)
Capital exposure from AI investments (Dhārā V)

Who this is for
CISO · Model risk officer · IT auditor facing their first AI audit · Any leader whose organisation uses AI without knowing what they cannot see
Know whether your AI governance is improving or drifting. Govern the exposure that the framework has not named yet. Build the minimum control set that actually holds under examination.

Field Notes

4 entries
May 2026 Field Note

Whose hash, whose key, whose pin — supply chain is the sovereignty question

Trust primitives are technical artefacts. The governance question behind them is whose authority chain backstops each one. A three-question framework for self-hosted AI in regulated firms: whose hash, whose key, whose pin authority.

May 2026 Field Note

Sovereign by default, hybrid at edges

A practitioner's case for self-hosted open-weights inference in regulated firms. The trust primitives that make it audit-defensible, and where hybrid still makes sense.

Mar 2026 Field Note

AI in IT Audits: What Has Changed, What Has Not, and What Auditors Are Missing

What the AI-in-audit conversation gets right, and where it gets seductive. The audit fundamentals that do not change regardless of which model produced the evidence.

Dec 2025 Field Note

A Guide to Auditing Generative AI

Audit methodology for Copilot, ChatGPT Enterprise, and Copilot Studio agents in regulated institutions. Control questions that standard IT audit methodology does not cover.

