A BOUTIQUE ADVISORY FIRM · AI GOVERNANCE · CYBERSECURITY · RISK

Trust at scale.

Helping boards and growth-stage organizations govern AI, reduce risk, and build trust at scale.

A global practice rooted in Plano, Texas — with a dedicated Impact Practice for nonprofits, women- and minority-owned firms, and emerging founders.

THE PROOF RAIL

What we bring to the table.

Five anchors ground every Periculum engagement: operator-grade experience, deep technical expertise, and a methodology designed to compound.

  • 20+ years of operating experience
  • 7 verticals: FIN · Healthcare · Tech · Energy · Telecom · Retail · Public
  • Fortune 50/100 client base
  • 5 domains: AI · Cyber · Privacy · ESG · GRC
  • The 6A Compass, our signature methodology

Each anchor connects through one operating framework. Here is how it works.

HOW WE WORK

The 6A Compass.

Six phases. One language. Built to compound long after the engagement ends.

Align → Assess → Architect → Activate → Assure → Adapt. A continuous loop, not a one-time project.

The 6A Compass — six phases, one rhythm, designed to compound.

Explore the 6A Compass in Detail  →
BEFORE YOU SCOPE

Not sure where you stand? Take the 6-minute Readiness Check first.

Start the Readiness Check  →
CORE SERVICES

Five services. One approach.

Hire one. Compose several. Always delivered personally.

SERVICE 01

Strategic Advisory

  • Boardroom briefings
  • AI Governance Consulting (ISO 42001, NIST AI RMF, EU AI Act)
  • Cross-domain risk integration
  • Sustainability advisory

For boards, CEOs, and CROs setting direction.

Schedule a Briefing
SERVICE 02

Fractional CRO / CISO

  • Embedded executive leadership
  • Fractional CISO Services
  • Audit readiness ownership
  • Board & risk-committee reporting

For growth-stage and mid-market teams without a full-time hire.

Discuss Fractional
SERVICE 03

Program Build & Audit Readiness

  • ISO 42001 Readiness · NIST AI RMF · EU AI Act
  • SOC 2 Readiness · ISO 27001 · SOX ITGC
  • Privacy program (GDPR, CCPA, DPDP)
  • Sustainability reporting (GRI, CSRD, BRSR)

For operators executing — built, run, handed over.

Advisory preparation partner — not a certifying registrar. We get you audit-ready; we do not issue certificates.

Discuss Program Build
SERVICE 04

Platform GTM Advisory

  • Go-to-market for cyber, AI, and risk platforms
  • Regulatory positioning & alignment
  • Customer-trust narrative
  • Advisory board engagement

For platform founders entering enterprise and regulated markets.

Discuss GTM
SERVICE 05

Speaking, Education & Capability Programs

  • Guest speaking & board briefings
  • Executive workshops
  • SMB capability programs
  • Capstone & mentorship

For audiences and leadership teams building capability across the market.

Inquire about a Session
SELECTED OUTCOMES

Measurable proof, not promises.

Four results. Two decades of work.

59%

Risk & incidents reduced

Integrated risk + second-line oversight at hyperscaler scale.

$20M+

Compliance-driven revenue

Compliance repositioned as enterprise-adoption accelerator.

65%

Audit prep reduction

GRC automation + continuous-audit posture.

200+

Leaders trained & mentored

Cybersecurity · AI governance · sustainability.

IN HER OWN WORDS

Sixty seconds on the work.

Sai on governance, risk, and trust at scale. Short, direct, human.

Watch on YouTube →
WHY PERICULUM

Five reasons leaders choose this work.

Lived experience. Real credentials. Measurable outcomes.

01

Credentialed across four risk domains

ISO 42001 · CISM · CRISC · CDPSE · ISO 27001 · Cambridge ESG.

02

Built it. Ran it. Now advising on it.

Risk programs at SIFI and hyperscaler scale. The work has been done.

03

Compliance as revenue, not cost

$20M+ enterprise revenue unlocked by repositioning compliance as an adoption accelerator.

04

A method that travels with you

The 6A Compass — so the work compounds after the engagement ends.

05

Integrated by design

AI, cyber, privacy, sustainability — under one taxonomy. Built to converge.

WHO WE HELP

Three rooms. One framework.

The 6A Compass speaks the same vocabulary in every room — the entry point differs.

For the boardroom

Boards & audit committees

Know where the organization stands before the next committee.

Take the Check →
For the C-suite

CEOs, CISOs, CROs & compliance leaders

Benchmark posture, surface gaps, prepare for audits and regulators.

Benchmark your posture →
For the founders' table

Growth-stage CEOs & AI / SaaS founders

Test whether your governance story holds up to enterprise buyers.

See if you're enterprise-ready →
HOW ENGAGEMENT STARTS

From self-check to delivery, in five clean steps.

There is no surprise step. There is no consultative theater. The path is the path.

01

Readiness Check

Six minutes. Branded PDF.

02

Briefing

30 min. Three next steps.

03

Assessment

Current state, target state, realistic path.

04

Roadmap

Milestones, ownership, 6A phase mapping.

05

Execution

Strategic, Fractional, Program Build, or GTM.

Take the 6A Readiness Check.

Eighteen questions. Six phases. A branded PDF scorecard with three prioritized next actions — straight to your inbox.

Step 1: Answer 18 quick questions  ·  Step 2: See your 6A scores instantly  ·  Step 3: Get the PDF report

Trust at scale starts with one conversation.

A focused session on governance, risk exposure, and audit readiness.

ABOUT

Risk is no longer contained — it is interconnected.

Cyber, AI, privacy, and ESG converge on the same outcomes: trust, resilience, enterprise value. Periculum brings them together — one governance model, one decision frame.

OUR APPROACH

Built to sharpen judgment — not produce reports.

Every engagement follows the 6A Compass — a continuous, six-phase rhythm. Align leadership on priorities and exposure. Assess risk across domains, not silos. Architect scalable governance and control structures. Activate policies and controls within day-to-day work. Assure outcomes through validation and audit readiness. Adapt as technology, regulation, and business conditions evolve.

MEET THE FOUNDER

Sailakshmi (Sai) Santhanakrishnan.

Founder & Principal Advisor, Periculum LLC

Sailakshmi "Sai" Santhanakrishnan is a passionate advocate at the crossroads of cybersecurity, Environmental Social and Governance (ESG) principles, and AI ethics. Her mission is deeply personal — to blend sustainability with innovation and shape a digital world that's secure and welcoming for everyone.

She serves as a Board Member of Empowering Women as Leaders (EWL) and is the proud co-founder of WeInspire.Guru, a mentorship platform for the next generation. Her work extends beyond advocacy — she is dedicated to enriching the technology landscape by promoting ethical AI use and equipping women and emerging leaders with the tools they need to succeed.

Her co-authored book, The CISO Mentor: Pragmatic Advice for Emerging Risk Management Leaders, reflects her commitment to guiding the next wave of risk practitioners with ethical leadership and strategic foresight. She also serves as an advisor to UNT's Advanced Environmental Research Institute (AERI). Across every engagement, Sai's conviction is simple: risk, when understood clearly, becomes a lever for better decisions, not a constraint on progress. And mentorship is not separate from the work. It is the work.

Senior leadership and advisory at Amazon, BNY Mellon, and The Hartford
Fortune 50 and 100 clients across seven industries
Head of ESG & Sustainability, Amazech · Co-founder, WeInspire.Guru
Board Member, Empowering Women as Leaders (EWL) · Advisor, UNT Advanced Environmental Research Institute (AERI)
Master's in CIS, Boston University · Executive MBA, Quantic School of Business and Technology · Cambridge ESG
ISO 42001 · CISM · CRISC · CDPSE · ISO 27001
Co-author, The CISO Mentor · 30+ guest speaking engagements · 25+ leaders mentored
Firm History

Periculum LLC has been Sai's independent advisory vehicle since August 2016. From 2016 to 2018, the firm served cybersecurity and risk clients directly. During her subsequent corporate leadership tenure, Periculum continued as a platform for pro bono advisory, academic engagements, and community work. With Sai's return to full-time independent practice, the firm now operates as a dedicated boutique advisory in AI governance, cybersecurity, and integrated risk.

OPERATOR HERITAGE

Where the work was built.

Two decades operating inside the room — at SIFI, Fortune 50/100, and hyperscaler-platform scale.

Amazon
Hyperscaler-platform scale
BNY Mellon
SIFI · Capital markets
The Hartford
Insurance · Risk
Amazech
ESG & Sustainability
EWL · WeInspire · AERI
Board · Co-founder · Advisor

Roles held in personal capacity; trademarks belong to their respective owners. No client engagement is implied.

OUR RESPONSIBILITY

Walking the talk.

Periculum advises on governance, risk, sustainability, AI ethics — and models them in its own practice.

E

Environmental

Remote-first by design. Digital-first deliverables. Hosting on infrastructure providers with public net-zero commitments. In-person travel only when the work meaningfully benefits from it.

S

Social

7% of Periculum's annual practice capacity is dedicated to the Impact Practice — pro bono and reduced-fee advisory for nonprofits, women-owned and minority-owned businesses, and emerging founders. Every organization signs the Pay-It-Forward Pledge, committing to enable one other within 12 months. We've found this turns the practice into a chain, not a charity.

Co-founder, WeInspire.Guru · Board Member, Empowering Women as Leaders (EWL) · Advisor, UNT AERI · 25+ leaders mentored.

G

Governance

Client confidentiality is absolute. Engagements proceed only where principles align. Published conflict-of-interest policy. Periculum has walked away from work that asked it to compromise on integrity — and will do so again.

AI

AI Ethics

Client material is never used to train external AI systems. AI assistance in internal work is governed by the same disciplines we advise on — human review, traceability, classification. Public content policy declared at llms.txt.

The disciplines Periculum sells are not separate from the disciplines Periculum operates by. Both are the same answer: trust, made visible.

THE UNCHARTED PATH

A career built on values, not titles.

Sai's career arc is what the work is built on. It is also the reason Periculum exists.

UNCHARTED — IN HER OWN PRACTICE
"Your values are your compass."

Sailakshmi "Sai" Santhanakrishnan began her journey the way many in her community did — with the dream of becoming a doctor. When that path came with a price on her principles, she chose a different one. "I chose to follow my own compass. That one decision shaped everything that came after."

She pivoted to computer science — at a time when it was unfamiliar in her community — and built from scratch. No prestigious university name. No influential network. Just the courage to learn, solve, and ship. Over the years she led multicultural teams across continents, developed software for international clients, and grew her appreciation for cultural awareness as a vital professional skill.

As regulations around information systems intensified, Sai stepped into the intersection of technology, compliance, and risk — contributing to early governance, risk, and compliance platforms that later became industry standards. Her career took her through senior leadership and advisory roles at Fortune 100 cloud platforms, global financial institutions, and a Fortune 500 insurance carrier, and into consulting engagements serving Fortune 50 and 100 clients across financial services, healthcare, education, oil and gas, telecom, entertainment, and non-profits.

At the peak of her career — leading risk, compliance, and privacy for a major consumer AI platform — she made the courageous decision to step away when her values and the work she was being asked to do no longer aligned. "Success sometimes means knowing when to walk away. It's about staying grounded in your purpose."

That decision opened the path she now walks. More than a decade ago, she founded Periculum and co-founded the mentorship platform WeInspire.Guru — two long-standing commitments that still anchor her work today. WeInspire.Guru is her consistent forum for giving back to the next generation; Periculum is her path to keep venturing into uncharted territory — bringing sustainability and ESG credentials from Cambridge, mentoring young professionals in cybersecurity, supporting women in technology, and partnering with civic and educational institutions on sustainability and AI literacy.

"There's no perfect roadmap. Your values are your compass. Trust your voice, your timing, your journey."

SAI SANTHANAKRISHNAN · GRACE SERIES

From her Grace Series talk, "Uncharted: Embracing the Journey to Your Own Success."

Watch the full talk →
CO-FOUNDER
WeInspire Guru

Mentorship platform for women in technology.

MENTOR
Next-Gen & Women in Tech

25+ leaders mentored across cybersecurity and AI risk.

GUEST SPEAKER
Schools & Colleges

Local school districts and university classrooms on AI literacy.

VOLUNTEER & ADVOCATE
Sustainability & Civic

Partnering with city governments on ESG initiatives.

Let's talk about your environment.

A board-level briefing tailored to your governance, audit, and AI exposure questions.

SERVICES

Five services. One trusted approach.

Hire one. Compose several. Every service runs on the 6A Compass — delivered personally.

SERVICE 01

Strategic Advisory

Board- and executive-level direction-setting on AI governance, cross-domain risk, and sustainability — for organizations defining strategy and navigating regulatory exposure.

What's included
  • Boardroom briefings & audit-committee pre-reads
  • AI Governance Consulting — ISO 42001, NIST AI RMF, EU AI Act
  • Cross-domain risk integration across cyber, AI, privacy, ESG
  • Sustainability advisory (GRI, CSRD, BRSR)
  • Regulatory positioning & risk appetite calibration
Best for

Boards, CEOs, CROs, and CISOs setting direction in regulated or AI-exposed environments.

Typical engagement

4–12 weeks · advisory retainer or fixed scope · 6A phases Align → Assess

Schedule a Strategic Briefing →
SERVICE 02

Fractional CRO / CISO

Embedded executive leadership for growth-stage and mid-market organizations that need senior risk and security ownership without a full-time hire.

What's included
  • Embedded executive risk & security leadership
  • Fractional CISO Services — strategy, controls, incident readiness
  • Audit readiness ownership across SOC 2, ISO 27001, and 42001
  • Board & risk-committee reporting
  • Talent uplift — hiring, mentoring, and team design
Best for

Series B+ companies, scaling platforms, and PE/portfolio operators between full-time executives.

Typical engagement

3–12 months · 2–4 days/month · 6A phases Align → Architect → Activate → Assure

Discuss a Fractional Engagement →
SERVICE 03

Program Build & Audit Readiness

Hands-on build of AI governance, GRC, and audit-readiness programs — designed, run, and handed over to your team.

What's included
  • ISO 42001 Readiness · NIST AI RMF · EU AI Act program build
  • SOC 2 Readiness · ISO 27001 · SOX ITGC · PCI DSS
  • Privacy program build (GDPR, CCPA, DPDP)
  • Sustainability reporting (GRI, CSRD, BRSR)
  • Policy, controls, evidence orchestration, and audit defense
Best for

Operators executing — pre-audit, regulated environments, and audit-fatigue remediation.

Typical engagement

8–24 weeks · fixed-scope or milestone-based · 6A phases Architect → Activate → Assure

Our role · Independence

Periculum is your advisory preparation partner — not the certifying registrar. We build the program, organize the evidence, and rehearse the audit so your team is ready. The certificate is issued by your independent ISO 42001 / ISO 27001 / SOC 2 auditor of choice, which we help you select.

Discuss a Program Build →
SERVICE 04

Platform GTM Advisory

Go-to-market guidance for cyber, AI, and risk-platform founders entering enterprise and regulated markets — built from the buyer's side of the table.

What's included
  • GTM strategy for cyber, AI, and risk platforms
  • Regulatory positioning & alignment with buyer mandates
  • Customer-trust narrative & assurance packaging
  • Advisory-board design and engagement
  • Buyer-side validation on roadmap and category fit
Best for

Founders and CROs at Series A–C platform companies entering enterprise sales motions.

Typical engagement

6–16 weeks · sprint or retainer · 6A phases Align → Adapt

Discuss a GTM Engagement →
SERVICE 05

Speaking, Education & Capability Programs

Guest speaking, executive workshops, and capability programs that bring AI governance, cyber, and risk fluency to the audiences and leadership teams that need it.

What's included
  • Guest speaking & board briefings
  • Executive workshops & offsites
  • SMB capability programs & cohort training
  • Capstone & mentorship engagements
  • Custom curriculum design for risk, AI, and ESG teams
Best for

Audiences, leadership teams, and SMBs building practical capability across AI, cyber, and risk.

Typical engagement

Single session to multi-month cohort · 6A phases Assess → Activate → Adapt

Inquire About a Session →
SERVICE 06 · IMPACT PRACTICE

Impact Practice & The Pay-It-Forward Pledge

Pro bono and reduced-fee advisory for nonprofits, women-owned and minority-owned businesses, and emerging founders. 7% of Periculum's annual practice capacity is reserved for this work — and every organization signs the Pay-It-Forward Pledge, committing to enable one other within 12 months.

What's offered
  • Quarterly Periculum Impact Cohort — 5–8 organizations, 4–6 weeks, group format on the 6A Compass
  • Reserved pro bono advisory slots — 1–2 days/month for direct one-on-one engagements
  • Free 6A Self-Check program — productized readiness assessment plus quarterly group office-hours
  • The Periculum Scholar Program — six-month structured mentorship for one or two early-career or young-founder leaders per year
Selection criterion

One promise: you commit to the Pay-It-Forward Pledge — enabling one other organization or individual within 12 months. Mission-alignment with AI governance, integrated risk, or community building is prioritized when applications exceed capacity.

Engagement model

Cohort: fixed low fee ($500–2,000) or grant-funded · Reserved slots: pro bono · Self-Check: free · Scholar Program: full pro bono. Apply via the Impact Practice page.

Learn About the Impact Practice →
Specialty · Technical AI Risk

Where Periculum goes deeper than generalist consulting.

Automated decisioning, regulated AI, and model accountability are the hottest scrutiny areas in financial services, healthcare, and platform AI. This is the work boards and CROs are losing sleep over — and where boutique technical depth beats generalist scale.

Explainability

SHAP & LIME for regulated decisions

Explainability frameworks for consumer lending, claims, and platform decisions — built so the artifact stands up to regulator and audit committee scrutiny.

Model Risk

SR 11-7 / OCC 2011-12 alignment

Model risk management programs aligned to Fed SR 11-7, OCC 2011-12, and emerging AI-specific guidance — for banks, fintechs, and consumer-credit platforms.

Bias Validation

Algorithmic fairness testing

Disparate-impact testing, fairness metrics, and remediation playbooks for credit, insurance, employment, and admissions — defensible under CFPB, ECOA, and state AI rules.

Agentic AI

Autonomous-agent guardrails

Control points, audit evidence, and human-in-the-loop boundaries for agentic AI in customer-facing and back-office workflows.

These capabilities run inside Service 01 (Strategic Advisory), Service 02 (Fractional CRO/CISO), and Service 03 (Program Build & Audit Readiness) — not sold separately.

NOT READY TO SCOPE YET?

Start with the Readiness Check.

Understand your AI governance, audit, and integrated risk maturity before scoping an engagement. Six minutes. Free. Personalized PDF.

Where should we start?

A focused 60–90 minute Strategic Briefing scopes the right entry point and surfaces follow-on work organically.

HOW WE WORK

The 6A Compass.

Six phases. One loop. Governance as a living practice — not a one-off report.

Align → Assess → Architect → Activate → Assure → Adapt. A continuous loop, not a one-time project.
THE SIX PHASES

One language across functions. One rhythm across years.

Each phase carries its own deliverables and exit criteria. The work flows forward and folds back — so governance compounds.

01

Align · Set the direction.

Translate enterprise strategy and risk appetite into a measurable governance posture. Surface leadership intent, calibrate ambition against regulatory and commercial reality, and define what "trust at scale" means for this organization — before any technical work begins.

02

Assess · See the whole field.

Map current-state governance, controls, and gaps across cyber, AI, privacy, and sustainability — together, not in silos. Identify regulatory exposure, prioritize what actually matters, and build a baseline the team can defend in front of an audit committee.

03

Architect · Design the system.

Build a unified control taxonomy, policy stack, and operating model that scales with AI adoption and regulatory expansion. One language across functions — so risk, security, privacy, and ESG teams can speak the same sentence to the board.

04

Activate · Embed it in the work.

Operationalize controls into day-to-day workflows. Integrate with engineering, procurement, legal, and product pipelines so governance lives where the work happens — not in a binder reviewed once a quarter.

05

Assure · Validate. Defend.

Independent validation, audit support, customer assurance, and board reporting — the moment governance becomes commercial leverage and trust becomes provable. Audit-ready, always, by design rather than by sprint.

06

Adapt · Stay current.

Refresh the program against new regulations, AI capabilities, and business shifts. Close the loop back to Align — so the next cycle starts from a stronger baseline than the last. The work compounds.

YOUR NEXT STEP

Turn the 6A Compass into a readiness snapshot.

The Readiness Check converts the 6A framework into a practical scorecard across Align, Assess, Architect, Activate, Assure, and Adapt — eighteen questions, a per-phase score, three prioritized actions, and a branded PDF you can take to your next leadership meeting.

Take the 6A Readiness Check  →

Operationalize the 6A in your environment.

INSIGHTS

Clarity on AI, risk, and governance.

Executive briefs, deep-dives, and boardroom-ready posts on the intersection of AI, cyber, privacy, and ESG.

Current Mandates · 2026 Regulatory Clock

  • EU AI Act: High-risk obligations live · GPAI rules in force.
  • Texas TRAIGA: State-level AI governance compliance window.
  • SEC Cyber 8-K: Four-day disclosure of material cyber incidents.
  • ISO 42001: First-mover certifications now closing.
  • CSRD & SEC Climate: Mandatory sustainability disclosure rolling out.

Take the Readiness Check →
AI GOVERNANCE

ISO 42001 Readiness — Beyond the Theory

The five disciplines that determine whether a 42001 program survives its first audit — and creates lasting confidence for boards, customers, and regulators.

Read article  →
CROSS-DOMAIN RISK

Risk Without Silos: Integrating AI, Cyber, and ESG

Why a single control taxonomy is becoming the differentiator at the audit committee level.

Read article  →
BOARD BRIEFINGS

What the Audit Committee Should Ask About AI

A three-question pre-read directors can use in their next quarterly cycle — focused not on the risks everyone is talking about, but on the structural ones that quietly compound.

Read article  →
AUDIT READINESS & GRC

SOC 2 + AI: Where the New Control Gaps Live

The control objectives auditors are beginning to ask about — before regulators do — and why traditional controls were never designed for systems that generate outcomes instead of executing logic.

Read article  →
AI GOVERNANCE

The EU AI Act for U.S. Boards

Five obligations — and one major financial exposure — that reach U.S. companies even when they do not sell into Europe.

Read article  →
CROSS-DOMAIN RISK

Vendor Due Diligence Is Now AI Due Diligence

Why third-party AI ecosystems are becoming a board-level risk conversation — and what changes when procurement stops buying software and starts governing intelligence.

Read article  →
READINESS CHECK · 6A COMPASS

AI Governance & Integrated Risk Readiness.

Built on the 6A Compass. Eighteen questions, six minutes. Returns per-phase scores, three next actions, and a branded PDF.

HOW IT WORKS

Eighteen questions. Six minutes. One useful report.

Answer 18 questions across the six phases of the 6A Compass. Each question takes 15–20 seconds. You'll receive a per-phase readiness score, a maturity level, and three prioritized actions to focus on first. Then download a clean PDF report you can review with your CRO, CISO, or audit committee.

01 Answer 18 questions
Across the six 6A phases — Align, Assess, Architect, Activate, Assure, Adapt
02 See your readiness
Per-phase scores, overall maturity level, and prioritized recommendations
03 Download the report
A branded PDF with your score, gaps, and next actions you can share internally

Your responses stay in your browser. We do not store, transmit, or analyze your answers unless you choose to share your email at the end for an optional follow-up briefing. This check is directional — for a tailored assessment, schedule a briefing.

← All Insights

AI Governance: ISO 42001 Readiness — Beyond the Theory

The five disciplines that determine whether a 42001 program survives its first audit — and creates lasting confidence for boards, customers, and regulators.

Organizations rarely struggle with AI governance because they lack frameworks.

Most already have policies, standards, cyber teams, privacy teams, and governance processes. What they often lack is something far more practical: evidence that all of those moving pieces work together in a way that creates confidence.

Confidence for leadership. Confidence for customers. Confidence for regulators. Confidence for auditors.

This is where many organizations misunderstand ISO/IEC 42001. They approach it as another compliance exercise — another set of controls to implement, another binder to assemble. In reality, ISO/IEC 42001 is less about documentation and more about demonstrating an operating discipline for governing AI responsibly.

Organizations do not become audit-ready because they completed a checklist. They become audit-ready because they establish consistent implementation behaviors.

Those behaviors show that AI systems are understood, monitored, accountable, and aligned to business outcomes. In practice, they are also what create confidence in an organization's direction — and what auditors look for as evidence.

Five disciplines, drawn from real audit cycles and real program builds, separate the organizations whose 42001 programs survive from those that stall.

1. Start with purpose before models

AI initiatives often begin with excitement around technology. The stronger organizations begin somewhere else — with a question:

What problem are we trying to solve, and why is AI the right answer?

ISO 42001 emphasizes alignment between AI systems and organizational objectives. Mature organizations therefore define each AI system in terms of:

  • Business purpose
  • Expected operational value
  • Intended outcomes
  • Risk tolerance
  • Why AI is the appropriate solution

AI without purpose becomes experimentation. AI with purpose becomes strategy.

2. Build trust in data

Every AI system inherits the strengths and weaknesses of its data. The model is only as defensible as the data it learned from — and 42001 auditors know it.

From an ISO 42001 perspective, organizations should understand and demonstrate:

  • Data lineage and origin
  • Consent and usage rights
  • Sensitive data controls
  • Data quality validation
  • Data minimization practices

This is not simply about compliance. It answers a larger question that boards, customers, and regulators are all converging on: "Can leadership trust the foundation behind the decisions being made?"

3. Create transparency around decisions

Trust grows when people understand how decisions are made. ISO 42001 expects organizations to identify and manage risks associated with AI systems — including unintended outcomes and potential bias.

In practical terms, that translates into a small number of high-value activities:

  • Understanding model assumptions
  • Identifying limitations
  • Evaluating bias risk
  • Creating explainability artifacts
  • Defining human decision points

The goal is not explaining every mathematical calculation. The goal is ensuring that outcomes can be understood, defended, and overridden when the situation calls for it.

4. Operationalize governance, not documentation

Many organizations write governance. Far fewer operationalize it.

ISO 42001 follows a management-system approach focused on repeatability and continuous improvement. The standard is less interested in whether you have a policy and more interested in whether that policy shows up in the work — every cycle, every release, every escalation.

That means governance has to become part of day-to-day operations:

  • Clear ownership and accountability
  • Testing and validation built into release cycles
  • Change management that reaches AI components
  • Version control of models, data, and prompts
  • Periodic reassessment of risk and impact

Auditors rarely gain confidence from policies alone. They gain confidence from repeatable evidence.

5. Monitor continuously and expect change

AI systems are living systems. Data shifts. Models drift. Risks evolve. A 42001 program designed around a single point in time begins decaying the moment it is signed.

ISO 42001 readiness therefore requires organizations to demonstrate ongoing oversight through:

  • Continuous monitoring
  • Threshold-based alerts
  • Drift detection
  • Human escalation paths
  • AI-specific incident response

The strongest organizations integrate these activities into existing cyber, operational-risk, and governance functions — rather than creating disconnected AI processes that compete for attention. AI governance is most defensible when it lives inside the risk operating system the organization already runs.

THE PERICULUM PERSPECTIVE

ISO/IEC 42001 readiness is not about creating more governance. It is about creating confidence.

Confidence that leadership understands what AI systems are doing. Confidence that risks are visible and managed. Confidence that innovation can scale responsibly.

Because ultimately, organizations do not become audit-ready through theory.

They become audit-ready through disciplined execution.

ABOUT THE AUTHOR

Sailakshmi "Sai" Santhanakrishnan

Founder of Periculum LLC, a boutique advisory firm in AI governance, cybersecurity, and integrated risk. Two decades building and running risk programs at SIFI scale and at hyperscaler cloud-platform scale. Credentialed across four risk domains — ISO 42001 · CISM · CRISC · CDPSE · ISO 27001 · Cambridge ESG.

Read Sai's full bio  →

Want to discuss your 42001 path?

A focused 60–90 minute session to assess where you are, where the audit is, and how to bridge the two — without theory.

Or take the 6-minute Readiness Check for a directional snapshot before scheduling.

← All Insights

The EU AI Act for U.S. Boards

Five obligations — and one major financial exposure — that reach U.S. companies even when they do not sell into Europe.

Many U.S. organizations still assume the EU AI Act applies only to companies operating in Europe.

"We do not have European offices." "We do not market in Europe." "Our customers are domestic."

That assumption may create a blind spot.

The most important governance shift introduced by the EU AI Act is not geography. It is accountability.

Historically, organizations focused on where technology was developed or where customers existed. AI governance introduces a different question:

Where are AI outputs being used — and can the organization explain, defend, and govern those outcomes?

For boards, this is not simply a regulatory discussion. It is a business risk discussion. It is a trust discussion. Because AI systems increasingly influence customer interactions, operational decisions, employee outcomes, financial decisions, and business processes.

The strongest organizations will not respond by treating this as another compliance exercise. They will respond by building stronger operational discipline around AI.

Below are five governance obligations — and one major financial exposure — that boards should understand.

1. AI literacy is becoming an organizational requirement

Organizations cannot govern systems people do not understand. The EU AI Act introduces expectations around AI literacy, requiring organizations to establish an appropriate level of understanding among people interacting with AI systems.

Boards should ask:

  • Who is building or using AI?
  • What training exists?
  • Do employees understand risks and limitations?
  • Are responsibilities clearly defined?

Technology maturity without human understanding creates governance gaps.

Why this matters to leadership: AI risk often originates from people, not models. The most mature organizations invest in human readiness before they scale technology.
Reference: Article 4 — AI Literacy

2. Data governance and bias management move upstream

AI systems inherit strengths and weaknesses from their data. For systems operating in regulated or high-impact environments, organizations increasingly need visibility into:

  • Data origins
  • Data quality
  • Representativeness assumptions
  • Sensitive data handling
  • Bias mitigation approaches

Boards should understand a simple causality: poor governance upstream creates downstream risk. What begins as a technical issue frequently becomes a legal, operational, or reputational issue.

Why this matters to leadership: Trust in AI starts with trust in data.
Reference: Article 10 — Data Governance Requirements

3. Traceability is becoming a core governance capability

As AI systems influence decisions, organizations increasingly need evidence explaining how those outcomes occurred. Leadership should be able to answer:

  • Why did the model produce this output?
  • What factors influenced the decision?
  • Can the result be recreated?
  • Can the organization defend the outcome?

Trust becomes difficult to sustain when decisions cannot be explained. Strong governance increasingly depends on evidence.

Why this matters to leadership: Auditors rarely certify trust. They certify evidence.
Reference: Article 12 — Logging and Record-Keeping Requirements

4. Third-party contracts will drive compliance downstream

Many organizations focus on systems they build. Boards should focus equally on systems they buy.

Global organizations increasingly expect AI vendors to provide:

  • Technical documentation
  • Governance evidence
  • Risk disclosures
  • Contractual assurances
  • Liability language

AI risk increasingly resembles cybersecurity risk. Organizations inherit exposure through ecosystems and vendor relationships.

Why this matters to leadership: Your vendors may become part of your governance boundary.

5. Transparency is becoming an architectural requirement

As AI-generated content becomes increasingly embedded into products and customer experiences, organizations should establish clear disclosure practices. This may include:

  • AI-generated content identification
  • User notifications
  • Watermarking approaches
  • Metadata tagging
  • Transparency mechanisms

The strongest organizations build transparency into architecture rather than adding it later.

Why this matters to leadership: Transparency creates confidence. Confidence creates trust.
Reference: Article 50 — Transparency Obligations

Many boards mistakenly assume the EU AI Act follows an enforcement model similar to GDPR's. It does not.

Understanding the financial exposure: EU AI Act vs GDPR

While GDPR primarily focused on protecting personal information, the EU AI Act expands accountability into how AI systems behave and how organizations govern them.

How the two regimes compare
Metric | GDPR | EU AI Act
Maximum fine | €20M or 4% global annual turnover | €35M or 7% global annual turnover
Standard compliance violations | €10M or 2% | €15M or 3%
False or misleading information | Administrative penalties | Up to €7.5M or 1%
SME & startup treatment | Context-based scaling | Reduced thresholds under defined provisions
Primary trigger | Processing personal data within EU scope | AI systems within EU AI Act scope
Reference: Article 99 — Administrative Fines and Penalties

What boards should do now

Boards do not need to become AI engineers. They need visibility. A practical starting point:

01 · Inventory
Identify AI systems currently used across the organization.

02 · Classify
Determine ownership, purpose, and risk level.

03 · Assess
Evaluate data quality, controls, and third-party dependencies.

04 · Monitor
Establish ongoing oversight as systems and risks evolve.

05 · Integrate
Align AI governance with cybersecurity, privacy, and enterprise risk functions.

THE PERICULUM PERSPECTIVE

The EU AI Act matters not because it is European. It matters because it signals where AI accountability is heading globally.

Organizations that treat AI governance as a legal exercise may struggle. Organizations that treat it as an operating discipline build something more valuable: confidence.

Confidence for leadership. Confidence for customers. Confidence for regulators. Confidence that innovation can scale responsibly.


Bring this to your board agenda.

A focused briefing on where the EU AI Act actually reaches your organization — and the five-step inventory that gives boards the visibility they need.


Risk Without Silos: Integrating AI, Cyber, and ESG

Why a single control taxonomy is becoming the differentiator at the audit committee level — and the question audit committees should ask before approving the next AI program.

AI risk is no longer only a technology risk.

It is a cyber risk. It is a privacy risk. It is an operational risk. And increasingly, it is an ESG risk.

That is why audit committees can no longer afford to review AI, cybersecurity, and ESG as separate conversations. When these risks are managed in silos, the organization does not reduce risk — it redistributes it.

A model may create business value but increase energy consumption. A cyber control may protect data but fail to address bias in how the data is used. An ESG report may disclose emissions but miss the operational impact of AI compute. An AI system may improve efficiency but create reputational harm if it makes decisions people cannot explain, challenge, or trust.

The issue is not that organizations lack controls. The issue is that controls are often fragmented.

AI governance needs cyber discipline. Cybersecurity needs business and human context. ESG needs credible data, traceability, and operational evidence. Together, they form a connected risk system.

AI, cyber, and ESG are now intertwined

AI depends on data, infrastructure, models, vendors, and human oversight. Cybersecurity protects the data, systems, identities, and intellectual property that AI depends on. ESG evaluates the broader impact of those systems — environmental cost, social consequences, governance accountability, and stakeholder trust.

This creates a direct connection: AI consumes resources. Cyber protects the environment in which AI operates. ESG measures the broader impact of both.

NIST describes trustworthy AI through characteristics such as validity, security, resilience, accountability, transparency, explainability, privacy enhancement, and fairness with harmful bias managed. Those characteristics already show why AI cannot be governed separately from cyber, privacy, and ethics.

The environmental impact: AI compute is now an ESG issue

AI is not weightless. It runs on data centers, cloud infrastructure, chips, cooling systems, electricity, and water. As adoption grows, the environmental footprint of compute becomes part of the organization's sustainability story.

The International Energy Agency projects that in a high-growth AI scenario, global data center electricity demand could exceed 1,700 TWh by 2035 — reaching around 4.4% of global electricity demand.

Boards should begin asking:

  • Are AI workloads being measured as part of energy and emissions reporting?
  • Are cloud and data center providers part of ESG supplier assessments?
  • Are AI projects evaluated for both business value and compute cost?
  • Are sustainability teams included before AI programs scale?

ESG reporting frameworks increasingly expect organizations to explain environmental, social, and economic impacts. GRI positions its standards as a global language for reporting those impacts. AI compute, therefore, is not just an IT cost — it is becoming an ESG data point.

The social impact: AI can reveal gaps or reinforce them

AI can help organizations identify underserved communities, customer segments, workforce gaps, accessibility needs, and areas where services are not reaching people effectively. Used well, AI surfaces social opportunity. Used poorly, AI reinforces bias.

That is why human judgment must remain at the center of AI governance. AI may detect a pattern. But humans must determine whether that pattern is ethical, fair, useful, and aligned to organizational values.

Why this matters to leadership: A model can recommend. A person must remain accountable. Human-in-the-loop governance matters most not as a checkbox — but as a decision safeguard.

The cyber impact: AI expands the attack surface

AI also changes the cybersecurity conversation. Organizations must now protect:

  • Training data
  • Prompts
  • Model outputs
  • APIs and model weights
  • User interactions and sensitive business context
  • Vendor-integrated AI tools

AI creates new risks — prompt injection, data leakage, model misuse, hallucinated outputs, shadow AI, intellectual property exposure. But these risks are not completely detached from existing practice. They build on known disciplines: secure development lifecycle, identity and access management, data classification, privacy controls, logging and monitoring, third-party risk management, change control, and incident response.

ISO/IEC 42001 reinforces this management-system view by requiring organizations to establish, implement, maintain, and continually improve an AI management system.

The challenge is not inventing governance from scratch. It is adapting proven governance to AI-speed risk.

Why siloed governance magnifies risk

When AI, cyber, and ESG teams operate separately, risk begins to propagate. The AI team may optimize for speed. The cyber team may optimize for control. The ESG team may optimize for disclosure. The business may optimize for adoption.

But no one owns the combined outcome. That is where risk grows.

  • A biased AI model can become a social risk.
  • A poorly governed AI vendor can become a cyber risk.
  • A high-compute AI use case can become an environmental reporting risk.
  • A rushed AI deployment can become a brand and trust risk.
  • A poorly monitored model can become an audit issue.

The risk does not stay in its original category. It moves.

Why a single control taxonomy matters

Audit committees need a unified view. Not three dashboards. Not three risk registers. Not three disconnected control sets.

A single control taxonomy allows organizations to map common controls across AI, cyber, privacy, ESG, and enterprise risk. The same control, looked at through three different lenses, reduces risk on every front.

One control. Three risk dimensions.
Control Area | AI Risk | Cyber Risk | ESG / Governance Impact
Data classification | Approved data use | Sensitive data protection | Privacy and ethical use
Logging & traceability | Explainability evidence | Incident investigation | Audit readiness
Vendor risk | Third-party AI models | Supply-chain exposure | Responsible sourcing
Access control | Model-misuse prevention | Identity protection | Governance accountability
Monitoring | Drift and unsafe outputs | Threat detection | Continuous oversight
Human review | Ethical judgment | Escalation control | Social responsibility

This is the differentiator at the audit committee level. A single taxonomy helps leadership see how one control reduces multiple risks — and it prevents duplicate work, conflicting priorities, and fragmented reporting.

The cost of unintentional AI

Not every AI use case deserves to scale. Some AI initiatives fail because they are not tied to a real business problem. Others fail because the cost of compute, governance, data quality, vendor dependency, or change management outweighs the value created.

The result is often:

  • Abandoned AI pilots
  • Rising cloud and compute costs
  • Poor adoption
  • Lack of user trust
  • Regulatory exposure
  • Reputational damage
  • Audit findings
  • Shadow AI growth

AI should not be deployed because it is trending. It should be deployed because it is intentional, tested, governed, and measurable.

What audit committees should ask

Audit committees do not need to become AI engineers. They need to ask integrated risk questions.

  • Do we have one inventory of AI systems, vendors, data sources, and business owners?
  • Are AI controls mapped to cyber, privacy, ESG, and enterprise risk frameworks?
  • Are we measuring AI compute and environmental impact?
  • Are we assessing bias and social impact before deployment?
  • Are human decision points clearly defined?
  • Are AI systems monitored after launch?
  • Can management explain which AI use cases should not proceed?

THE PERICULUM PERSPECTIVE

AI governance cannot sit alone.

AI depends on cyber controls. Cyber depends on trusted data and responsible use. ESG depends on measurable impact and credible governance.

When managed separately, these risks multiply. When managed together, they create a stronger operating model.

The future of governance is not more frameworks. It is better integration. At the audit committee level, the organizations that win will be the ones that can show one connected view of risk, control, impact, and business value.


Build one connected view of risk.

A focused session on integrating AI, cyber, privacy, and ESG into a single control taxonomy — sized to your audit committee's questions and your operating cadence.


Vendor Due Diligence Is Now AI Due Diligence

Why third-party AI ecosystems are becoming a board-level risk conversation — and what changes when procurement stops buying software and starts governing intelligence.

Organizations rarely build AI ecosystems alone.

AI today does not operate as a single application sitting inside a company boundary. It increasingly operates as an ecosystem — cloud providers, foundational models, APIs, specialized tools, data providers, and external services working together.

A single AI assistant may rely on:

  • Cloud infrastructure for compute
  • Large language models for intelligence
  • External APIs for functionality
  • Specialized datasets for context
  • Communication platforms for user interaction
  • Identity systems for access control

All before a customer sees a single response.

Historically, vendor due diligence focused on familiar questions: Is the vendor financially stable? Do they meet security requirements? Can they meet service expectations? Are contractual protections in place?

Those questions still matter. But they are no longer enough.

Organizations are no longer simply purchasing software. They are increasingly consuming systems that learn, evolve, process information, influence decisions, and continuously change over time.

The question leadership increasingly needs to ask becomes:

What risk are we inheriting through our AI ecosystem?

Because tomorrow's largest AI risk may not come from the models you build. It may come from the vendors you integrate.

Why third-party integration is now structural

Organizations integrate with third-party AI providers because building an entire AI ecosystem internally is rarely practical. Third-party vendors provide advantages that organizations cannot easily replicate.

Data enrichment. AI systems need specialized and diverse information — financial feeds, healthcare datasets, geographic information, industry-specific content, external knowledge systems.

Infrastructure scaling. Training and operating AI requires significant compute — cloud infrastructure, GPUs and accelerators, managed AI services, external compute providers.

Specialized capabilities. Rather than building every function internally, organizations integrate voice services, payment systems, identity providers, translation engines, and generative AI APIs.

Speed to market. Third-party integrations reduce years of development into months or weeks.

The advantage is speed. The tradeoff is dependency.

AI ecosystems create inherited risk

Third-party vendors bring more than functionality. They bring risk — and that risk arrives quietly, embedded in the contracts and APIs the organization has already accepted.

  • Data leakage — sensitive or proprietary information processed outside organizational boundaries.
  • Model poisoning — corrupted, manipulated, or biased data influencing outcomes.
  • Intellectual property exposure — enterprise knowledge, prompts, or proprietary information being used outside intended purposes.
  • Service disruption — vendor outages directly affecting AI operations.
  • API drift — vendor software changes unexpectedly altering system behavior.
  • Hidden bias — pre-trained models introducing unintended outcomes.

Organizations can outsource services. They cannot outsource accountability.

Five accountabilities leadership still owns

Regulatory exposure. If a third party mishandles information or violates regulatory requirements, the organization often remains accountable.

Reputational risk. Customers rarely distinguish between a vendor failure and a company failure. They remember the brand.

Vendor lock-in. Dependence on proprietary architectures may create significant cost and operational barriers later.

Hidden technical debt. Rapid integrations often create long-term maintenance complexity that surfaces years after the contract is signed.

Blind spots and complacency. Large vendor names do not automatically equal low risk. Trust without verification creates exposure.

Procurement is becoming a technology risk function

Traditional procurement assumed software behaved as a relatively static product. AI changes that assumption.

AI systems continuously evolve — models change, APIs change, risk changes, pricing changes, regulations change. Annual reviews can no longer keep pace.

The question is no longer:

"Can we buy this?"

It increasingly becomes:

"Can we govern this?"

That shift creates new realities for procurement leaders:

  • Longer review cycles
  • Skills gaps as procurement absorbs AI and security literacy
  • Continuous oversight requirements that don't end at the signature
  • Increased collaboration across procurement, security, legal, and risk teams
  • Less predictable usage-based cost models

The risk that moves across domains

AI vendor risk is not only a procurement issue. It sits at the intersection of multiple risk domains.

  • AI — model integrity, explainability, bias management
  • Cyber — data security, identity, expanded attack surfaces, third-party access
  • Privacy — data use, retention, consent management
  • ESG — responsible AI, ethical use, transparency, stakeholder trust
  • Enterprise risk — operational resilience, financial exposure, regulatory risk, business continuity

When these areas operate independently, risk propagates. A biased AI model becomes a social risk. A compromised vendor becomes a cyber risk. A hidden model dependency becomes an operational risk. A poorly governed AI system becomes a trust problem.

The risk does not stay in its original category. It moves.

Emerging considerations leadership should watch

AI governance and vendor risk management continue to evolve. Not every practice below is an established industry standard today — but each is becoming an increasingly relevant consideration for organizations building mature AI ecosystems.

01 · AI Bills of Materials (AI BOM)
Leading organizations are beginning to seek greater visibility into foundation models, training data lineage, open-source dependencies, downstream providers, and model versions. The objective is not additional documentation — it is visibility. Organizations cannot manage what they cannot see.

02 · AI-specific contract considerations
Traditional software contracts often do not fully address AI scenarios. Organizations increasingly evaluate data ownership rights, training restrictions, audit rights, notification requirements for model changes, and portability rights.

03 · Shared accountability for AI outcomes
Organizations increasingly discuss how accountability should be shared between enterprises and vendors around output accuracy, intellectual-property risk, harmful outputs, reliability expectations, and liability boundaries. Approaches continue to evolve.

04 · Continuous monitoring beyond annual assessments
Annual assessments remain common and still serve an important role. But organizations increasingly supplement those reviews with security posture monitoring, vendor change tracking, API monitoring, compliance updates, and service monitoring. The shift is from periodic trust to continuous trust verification.

05 · Data usage and training restrictions
Organizations increasingly seek visibility into prompt retention practices, fine-tuning ownership, training restrictions, data deletion rights, and downstream data usage. The objective is not limiting innovation — it is maintaining control over enterprise information.

THE PERICULUM PERSPECTIVE

Organizations used to purchase software. Increasingly, they purchase intelligence.

Intelligence evolves. It learns. It changes. It creates decisions and outcomes.

That means vendor due diligence increasingly becomes AI due diligence.

Because the next significant AI risk may not originate from the systems you build. It may originate from the ecosystems you inherit.


Make AI due diligence part of the contract.

A focused session on what AI vendor risk looks like in your environment — and the contract language, monitoring posture, and AI-BOM visibility you'll need before the next renewal.


SOC 2 + AI: Where the New Control Gaps Live

The control objectives auditors are beginning to ask about — before regulators do — and why traditional controls were never designed for systems that generate outcomes instead of executing logic.

Organizations do not suddenly become riskier because they adopted AI.

The challenge is that the controls most organizations rely on — including those backing SOC 2, ISO 27001, and IT general controls — were designed for a different technology world. They assumed stable applications, predictable behavior, defined users, known data flows, and controlled environments. They worked because the systems beneath them stayed still long enough to be measured.

The stack didn't stay still. It moved through generation after generation:

On-premise → Cloud → APIs → Microservices → AI → Agentic systems

Controls evolved with each generation. But AI introduced something different. Applications used to execute logic. AI increasingly generates outcomes — and outcomes can change over time.

This creates control gaps that organizations are only beginning to understand.

The control environment changed faster than the controls

Traditional applications followed a relatively predictable path:

Input → Processing → Output

AI behaves differently:

Input → Context → Model → External systems → Memory → Learning → Output → Feedback

A single interaction may touch internal data, third-party APIs, foundation models, vendor systems, identity services, human approvals, and external knowledge sources. Organizations are operating inside interconnected ecosystems rather than isolated systems — and the attack surface expands accordingly.

The new attack surface, mapped to AI's risk layers

Historically, security focused on networks, servers, devices, and applications. The NIST AI Risk Management Framework (AI RMF 1.0) and ISO/IEC 42001 both describe new layers AI introduces — and traditional controls were never designed to manage them simultaneously.

  • Data risks — sensitive information exposure, training-data contamination, unauthorized data use.
  • Model risks — prompt injection, model manipulation, hallucinated outputs.
  • Identity risks — non-human identities, agent permissions, automated actions.
  • Third-party risks — foundation models, APIs, external datasets, AI vendors.
  • Human risks — shadow AI, misuse, overtrust in AI outputs.

Auditors see these layers too. And they are asking different questions to verify that controls reach each one — not by inventing new criteria, but by re-interpreting the ones they already have.

Why auditors are beginning to ask different questions

SOC 2 itself did not change. The AICPA's Trust Services Criteria remain focused on Security, Availability, Processing Integrity, Confidentiality, and Privacy. What is changing is the interpretation of evidence supporting those objectives.

Auditors increasingly ask:

  • Data lineage — where did training and operational data originate?
  • AI inventory — where does AI exist across the environment?
  • Human oversight — who approves sensitive AI actions?
  • Explainability — can decisions be recreated and defended?
  • Third-party AI risk — what external models and services are integrated?
  • Monitoring — how do you detect drift or unexpected behavior?
  • Identity management — what permissions do AI agents possess?

These are not new Trust Services Criteria. They are new expressions of existing principles.

Agentic systems shift the audit question

Traditional applications waited for users to act. Agentic systems increasingly initiate actions — triggering workflows, calling APIs, generating content, making recommendations, taking actions automatically.

The audit question shifts from:

"Who accessed the system?"

to:

"Which agent acted, why did it act, and under what authority?"

This is both a security and a governance challenge — and one most identity, access-management, and audit-trail systems were not built to answer. Standards bodies are catching up (NIST has begun work on agentic AI under the AI RMF), but the gap is live now — and operational pressures are widening it.

Cost pressure quietly creates risk

Organizations are balancing AI investment, infrastructure cost, regulatory expectations, limited resources, and skills shortages — while running legacy infrastructure, cloud environments, AI platforms, and vendor ecosystems in parallel, and supporting a workforce with very different levels of AI fluency.

Under pressure, shortcuts emerge: reduced oversight, rapid deployment, unmanaged AI tools, incomplete testing, shadow AI.

Why this matters to leadership: The challenge is rarely malicious intent. It is operational reality — and operational reality is where audit findings begin.

If the gap is operational, so is the response

The answer is not new frameworks. Most of the foundational disciplines already exist — security architecture, identity management, privacy controls, secure development lifecycle, logging and monitoring, change management, third-party risk management, governance processes.

The challenge is extending proven controls into AI environments. A useful starting point is four diagnostic questions:

  • Do we know where AI exists across the environment?
  • Do we know what data it uses — and where that data came from?
  • Do we know what external systems it touches?
  • Do we know who remains accountable when an AI system makes a decision?

THE PERICULUM PERSPECTIVE

AI did not eliminate traditional controls. It exposed assumptions hidden inside them.

SOC 2 was designed around trust. AI simply expands what trust now requires.

Because tomorrow's control gaps may not come from systems failing. They may come from systems behaving exactly as designed — but in ways no one anticipated.


Find the gaps before the auditor does.

A focused session on extending your existing SOC 2, ISO 27001, and ITGC controls into AI environments — without rebuilding what already works.


What the Audit Committee Should Ask About AI

A three-question pre-read directors can use in their next quarterly cycle — focused not on the risks everyone is talking about, but on the structural ones that quietly compound.

AI governance is moving beyond innovation oversight.

Audit committees are no longer being asked to simply understand emerging technology risks. They are increasingly expected to evaluate whether AI programs are financially resilient, operationally governable, and sustainable under real-world conditions.

Most organizations already discuss the familiar AI concerns — bias, copyright and IP exposure, hallucinations, cybersecurity threats, operational drift, regulatory uncertainty. Those risks matter. But they are not the deeper issue.

The larger challenge is structural.

As AI moves from isolated pilots into core business operations, organizations become dependent on systems they may not fully understand, fully audit, or fully control. The audit committee's responsibility shifts with it.

The conversation moves from:

"Are we experimenting with AI safely?"

to:

"Can this organization remain operationally and financially resilient as AI becomes embedded in the business?"

Three systemic domains audit committees should focus on

Beyond individual AI risks, three foundational areas determine whether AI creates sustainable enterprise value — or becomes operational debt. These map cleanly to existing frameworks the committee already uses: COSO's enterprise risk management framework, the AICPA's emerging guidance on AI in financial reporting, and the IIA's evolving audit-of-AI practice guidance.

  • Value realization and capital exposure — is the investment defensible?
  • Integrity of control environments — can decisions be explained and defended?
  • Third-party and infrastructure dependency — what does the organization actually control?

1. Value realization and capital impairment risk

Many organizations are investing heavily in AI infrastructure, licenses, integrations, and transformation programs. Few can consistently quantify long-term business value.

Audit committees should begin treating AI as both a strategic investment and a potentially impairable enterprise asset.

Are we funding innovation or accumulating technical debt? AI evolves rapidly. Infrastructure, models, and vendor ecosystems may become obsolete far faster than traditional enterprise systems.
Can management demonstrate measurable business value? Defined KPIs, cost-reduction evidence, productivity gains, revenue expansion, risk-reduction outcomes. Without measurable value tracking, AI investments become difficult to defend at quarter-close.
What is the financial exposure if major AI initiatives fail? Asset impairments, write-downs, increased operating costs, abandoned transformation programs — the exposure becomes material at scale, and the disclosure obligations follow.

2. Integrity of internal controls and financial reporting

AI is increasingly entering financial operations directly — forecasting, journal entries, reconciliations, financial analysis, reporting workflows, even disclosure drafting. This changes the control environment in ways traditional SOC 2 and ITGC frameworks were never designed for.

Where does AI influence judgment-based decisions? Traditional controls assumed predictable applications and deterministic outcomes. AI systems generate probabilistic outputs — and that distinction matters at quarter-close and in management representation letters.
What controls exist around explainability and human validation? Human review checkpoints, logging and traceability, override mechanisms, version control, evidence preservation. The challenge is not whether AI is accurate — it is whether decisions can be defended.
Can internal audit effectively audit AI? Many internal audit functions were built around ERP systems, access controls, transaction testing, and static applications. AI introduces dynamic behavior, evolving outputs, model drift, third-party dependencies, and non-deterministic logic. The IIA has begun publishing guidance specifically on auditing AI controls — audit capabilities must evolve with it.

3. Third-party dependency and infrastructure concentration risk

Most organizations do not build AI ecosystems independently. They rely on cloud providers, foundation models, SaaS vendors, APIs, external datasets, and AI infrastructure providers. This creates inherited operational exposure that the audit committee owns even when the organization didn't choose it.

Silent AI adoption is already happening. Many SaaS vendors now embed generative AI directly into existing platforms — often without organizations fully understanding what models are being used, where data flows, what information is retained, or how outputs are generated.
Compute concentration creates systemic dependency. AI infrastructure is concentrated across a small number of providers. Organizations become dependent on GPU availability, cloud compute pricing, vendor model access, API availability, and the geopolitical and regulatory shifts that affect them.
Interoperability is becoming operational risk. Organizations operate across interconnected ecosystems of legacy systems, cloud platforms, APIs, agentic workflows, AI copilots, and third-party automation. The risk is no longer only application failure — it is ecosystem instability.
AI resilience increasingly depends on infrastructure resilience.

Three questions management must be ready to answer

When reporting into the audit committee, management should be able to answer three questions clearly and structurally — not in the language of innovation, but in the language of governance.

  • Who owns executive accountability for AI risk and value? Audit committees should expect clear governance ownership, defined accountability, cross-functional oversight, and alignment between AI risk and enterprise risk. AI governance spread across disconnected teams creates blind spots.
  • How do we validate and audit AI-driven decisions? Explainability, traceability, human oversight, logging, testing and monitoring, override controls. The committee should understand how the organization challenges AI outputs before they become business decisions.
  • What happens if a core AI system fails? Realistic continuity planning — fallback operating models, recovery procedures, rollback capabilities, alternative workflows, Recovery Time Objectives. Can the business continue operating if critical AI systems fail, drift, or become unavailable?

THE PERICULUM PERSPECTIVE

The audit committee challenge is no longer simply AI oversight. It is organizational resilience in an AI-dependent world.

AI systems do not operate independently. They operate across vendors, infrastructure, cloud ecosystems, data pipelines, and human decisions.

The organizations that mature fastest will not necessarily be the ones deploying the most AI. They will be the ones that can still explain, govern, audit, and recover from it when conditions change.

Bring this to your next audit committee.

A focused briefing on the three domains the committee should evaluate — and the three questions management must be ready to answer — sized to your quarterly cadence.

Or take the 6-minute Readiness Check for a directional snapshot before scheduling.

Privacy Policy

How Periculum LLC collects, uses, and protects information when you visit periculum.us. Written in plain English, intentionally short. The firm that advises on integrated privacy should not need 12,000 words to explain its own.

What we collect

We collect three kinds of information, each only when you choose to provide it.

Contact-form submissions. When you complete the contact form, we receive your name, email address, company, role, optional phone number, the topic you selected, and your message. We use this only to respond to your inquiry and to schedule any follow-up conversation you request.

Newsletter signups. When you subscribe to The Periculum Brief, we receive your email address. We use it only to send the newsletter. You can unsubscribe at any time from any email we send.

Anonymous site analytics. We use privacy-first analytics (Plausible Analytics, EU-hosted, no cookies, no personal identifiers) to understand which pages are read, which articles resonate, and how the site performs. The analytics do not identify individual visitors, do not use cookies, and do not share data with advertising networks.

We do not use behavioral advertising, third-party trackers, or pixel-based remarketing. We do not sell or share personal information with marketers.

How we use what we collect

  • To respond to direct inquiries
  • To send the newsletter to subscribers who have opted in
  • To understand which content is useful (anonymous aggregate)
  • To meet legal obligations if any are imposed on us

We do not use the information for any other purpose without your explicit consent.

Third parties we rely on

This website is built on a small number of service providers, each governed by their own privacy practices:

  • Netlify — hosts the website (USA, EU presence)
  • Plausible Analytics — anonymous site analytics (EU-hosted, no cookies)
  • Calendly — when you click "Schedule a Briefing" and book, your interaction is governed by Calendly's policy
  • Microsoft 365 — email service for connect@periculum.us
  • Google Fonts — fonts loaded from Google's CDN
  • YouTube — the embedded video is hosted on YouTube; YouTube's privacy practices apply when you watch it

How long we keep it

  • Contact-form submissions: kept as long as needed to handle your inquiry, normally 24 months unless an active engagement is in place
  • Newsletter subscribers: kept until you unsubscribe
  • Site analytics: aggregate-only, kept indefinitely (no individual record exists)

Your rights

Under GDPR (if you are in the EU), CCPA (if you are in California), and similar regimes you have the right to know what we hold about you, to ask us to correct anything inaccurate, to ask us to delete what we hold, and to ask us not to use your information.

Email connect@periculum.us to make any of these requests. We will respond within 30 days at no charge.

How we secure it

Information collected via the contact form is delivered to email through Netlify Forms, transmitted over HTTPS, and stored in Microsoft 365 with multi-factor authentication enforced on the principal's account. Plausible analytics is hosted in the EU with no third-party access. Newsletter platform access is restricted to the principal.

Children

This site is intended for business audiences. We do not knowingly collect information from anyone under 16.

Updates to this policy

If this policy changes materially, we will update the "Last updated" date at the top and, where appropriate, notify newsletter subscribers.

Contact

Sailakshmi (Sai) Santhanakrishnan
Founder, Periculum LLC
connect@periculum.us
Plano, Texas, USA

This policy is written in plain English. Our intent is that it should mean what it says.

Terms of Use

These terms apply to your use of periculum.us. By using the site you agree to them. They are deliberately short.

The site is informational

The articles, frameworks, and views published on periculum.us are general thought leadership. They are not legal, financial, audit, regulatory, or fiduciary advice. Reading the site does not create an advisor–client relationship between you and Periculum LLC.

If you want advisory guidance on your specific situation, contact us directly. Engagements proceed only under signed engagement letters with defined scope, confidentiality, and deliverables.

Content ownership

All content on periculum.us — articles, illustrations, frameworks, the 6A Compass methodology, the Periculum lockup and brand marks — is owned by Periculum LLC. We retain all rights not expressly granted in our Acceptable Use & Content License.

You may quote our published articles with attribution and a link back to the source URL. You may not republish full articles, repackage them commercially without permission, or remove attribution.

Use of our content by large language models is governed separately by our AI policy at /llms.txt.

Things you agree not to do

When you use this site, you agree not to:

  • Attempt to access non-public areas of the site or hosting infrastructure
  • Scrape or systematically collect content other than through legitimate means (RSS, search engines, llms.txt-compliant AI crawlers)
  • Submit false information through the contact form
  • Use this site to send unsolicited commercial messages, harass, or impersonate anyone
  • Interfere with the site's operation through automated requests, denial-of-service, or similar means

We reserve the right to limit or revoke access from any source that engages in the above.

Liability

The site is provided as-is. To the extent permitted by law, Periculum LLC is not liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of the site or reliance on the content. Where law requires us to retain some liability, our total liability for any claim is limited to USD $100.

Jurisdiction

These terms are governed by the laws of the State of Texas, USA. Any dispute arising under or related to these terms or your use of the site will be brought in the state or federal courts located in Collin County, Texas.

Updates to these terms

If we update these terms materially, we will update the "Last updated" date and, where appropriate, post a notice on the site for a reasonable period.

Contact

Periculum LLC
connect@periculum.us
Plano, Texas, USA

Acceptable Use & Content License

How the content published on periculum.us may be used by individuals, organizations, and AI systems. Complements the Terms of Use and the AI-specific policy at /llms.txt.

What this page governs

This page governs use of Periculum's published thought-leadership content — Insights articles, the 6A Compass framework descriptions, the integrated control taxonomy, the EU AI Act board obligations summary, audit committee questions, and similar substantive content on periculum.us.

It does not govern:

  • Periculum's brand marks (logo, wordmark, tagline) — protected separately
  • Client deliverables — confidential by engagement letter
  • Internal or unpublished material — confidential by default
  • Our website source code — see Terms of Use

What you may do

You may, at no cost and without asking us first:

  • Quote any portion of our published articles in your own writing, with attribution to Periculum LLC and a link back to the source URL
  • Cite our frameworks (6A Compass, the integrated control taxonomy, the audit-committee three-questions) in your own work with attribution
  • Share the URL to any published article via email, social media, internal newsletters, board pre-reads, and similar
  • Print any article for internal use within your organization
  • Reference our work in training materials, courses, and capability programs — with attribution
  • Translate an article into another language for personal or internal organizational reading (please email about formal redistribution)

Standard attribution: "Periculum LLC — periculum.us" or "Periculum LLC, [article title], periculum.us."

What requires our consent

Please email connect@periculum.us before:

  • Republishing a full article on another publication, blog, or platform
  • Repackaging our content into a commercial training program, course, or tool you sell
  • Translating an article for public republication
  • Using the 6A Compass framework as the operating system of a competing advisory practice
  • Incorporating our content into a paid newsletter or podcast as more than a quotation
  • Producing AI-derived work where our content was a meaningful source

Permission is usually granted promptly and at no cost where attribution is preserved.

What is not permitted

  • Republishing full articles without attribution
  • Removing the Periculum attribution from any quoted or excerpted material
  • Misrepresenting your own work as ours, or ours as someone else's
  • Using our content to train AI systems that cannot attribute their outputs to Periculum
  • Using our brand marks (logo, wordmark) without a written license — even where the content underneath is permitted

Brand marks (not licensed here)

The Periculum lockup, P-monogram, "Periculum" wordmark, "Trust at scale." tagline, and "AI · CYBER · RISK" eyebrow are trademarks of Periculum LLC. Use in any commercial context, partner co-branding, or "as featured in" treatment requires a written license.

AI systems

Use of our content by large language models is governed by /llms.txt. In summary: respectful AI crawlers are welcomed to read and cite our content; commercial repackaging without attribution is not.

Content license (formal summary)

In legal terms, the published content on periculum.us is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0) for non-commercial uses with attribution, except where this page or our Terms of Use state more permissive terms.

For commercial uses, contact us. We are generally generous with permission.

Contact

Sailakshmi (Sai) Santhanakrishnan
Founder, Periculum LLC
connect@periculum.us
Plano, Texas, USA

IMPACT PRACTICE · 7% PRACTICE CAPACITY

The work that compounds.

7% of annual capacity. Pro bono and reduced-fee advisory for nonprofits, women- and minority-owned firms, and emerging founders. Every recipient signs the Pay-It-Forward Pledge — to enable one other within 12 months. A chain, not a charity.

THE PLEDGE

The Pay-It-Forward Pledge.

One promise turns this from a charity into a system. Every organization that receives Periculum's support agrees to pass it on.

"By accepting support from the Periculum Impact Practice, our organization commits to enabling one other organization or individual within 12 months."

This may take any of these forms:

  • Mentoring a peer organization in a similar stage of growth
  • Sharing what you've learned (artifacts, frameworks, lessons) with another nonprofit, founder, or small business
  • Contributing time to a community capability program or speaking event
  • Introducing a Periculum Impact Practice candidate from your network

We don't enforce. We trust. At 12 months, we'll check in to celebrate what you've done — and to invite you to publish your story alongside ours if you wish.

FOUR WAYS TO PARTICIPATE

What the Impact Practice offers.

Four offerings sized to the 7% — real work, not symbolic.

PROGRAM 01

The Impact Cohort

  • 5-8 organizations per quarter
  • 4-6 week structured program
  • 6A Compass curriculum adapted for organizations without dedicated risk teams
  • Group format with peer learning

Fixed low fee: $500-2,000 per organization or grant-funded.

PROGRAM 02

Reserved Pro Bono Slots

  • 1-2 days per month set aside
  • One-on-one advisory engagements
  • Specific scope (e.g., AI governance starter, board pre-read, audit-readiness review)
  • Direct delivery by the principal

No fee. Application-based.

PROGRAM 03

Free 6A Self-Check

  • The same Readiness Check available to all visitors
  • Plus invitation to a quarterly group office-hours session
  • For organizations that want guidance but aren't ready for an engagement
  • Low-friction entry point

Free. Available year-round.

PROGRAM 04

The Periculum Scholar Program

  • Six-month structured advisory mentorship
  • One or two early-career or young-founder leaders selected annually
  • Direct work with the principal
  • Full pro bono, application-based

For emerging leaders who can pay it forward to many others over a career.

7% of annual practice capacity.

~105 hours per year, ~26 hours per quarter. Roughly 16-20 organizations served annually through the four programs above. Each one signs the Pledge. Over five years, the chain grows.

FROM THE WORK

Where this comes from.

The Impact Practice is the formalization of work Sai has been doing for more than a decade — through WeInspire.Guru, EWL, AERI, and direct mentorship of 25+ leaders to date.

Mentorship in action. A moment from the mentorship work Sai has carried forward through WeInspire.Guru, EWL, and AERI.

Community work, named. EWL board meetings, AERI advisory, women-in-cybersecurity events, ESG summit appearances — the visible thread of a decade of giving the time before it became a service line.

REFERENCES

Voices from the work.

Below are reference statements — currently drafted placeholders, to be replaced as real quotes are received from mentors, peers, and past pro bono recipients. Each is structured so it can be substituted with a signed quote and attribution.

"Sai brings boardroom rigor to community impact, and community values to the boardroom. Both worlds benefit from her insistence that one cannot be done without the other."

EWL Mentor / Board Colleague

"What's distinctive about working with Sai isn't only her depth — it's her willingness to apply the same discipline she brings to Fortune 100 risk programs to the work of helping a nonprofit founder find their footing. The combination is rare."

AERI Advisory / Academic Partner

"Sai mentored me through a transition I wasn't sure I could survive. What I noticed wasn't her credentials — it was that she listens, she asks the question I would not have asked myself, and she holds me to the answer."

Mentorship Recipient

"The work Sai has carried forward through WeInspire.Guru and her board service has compounded — not for her benefit, but for the leaders she's quietly enabled. The Impact Practice formalizes what she's been doing without a service line for a decade."

WeInspire.Guru Co-founder / Colleague

Are you a mentor, colleague, or recipient of past pro bono work? Email connect@periculum.us to share a reference statement for publication.

APPLY

Apply to the Impact Practice.

If your organization is mission-aligned and your team can commit to the Pay-It-Forward Pledge, we'd be glad to hear from you. We respond to every application within two weeks.

Applications route to connect@periculum.us. We respond within two weeks. By submitting you agree to our Privacy Policy.

The work that compounds.

Periculum's Impact Practice is the formalization of a decade of work that came before the firm did. Trust at scale — including the trust to pass it forward.

FREQUENTLY ASKED QUESTIONS

Common questions, direct answers.

The answers below are the kind we'd give in the first five minutes of any briefing — pricing, structure, response time, and how the firm operates day to day.

PRICING

What does an engagement cost?

Briefings start complimentary. Pricing is customized to your specific scope, environment, and timeline. The ranges below are indicative — drawn from prior client engagements and shared so you can size whether the conversation makes sense for your team.

  • Strategic Advisory: $10K–$40K  ·  4–12 weeks
  • Fractional CRO / CISO: $8K–$18K per month  ·  3–12 months
  • Program Build & Audit Readiness: $25K–$200K  ·  8–24 weeks
  • Platform GTM Advisory: $15K–$80K  ·  6–16 weeks

These are indicative ranges based on prior engagements — not a published rate card. Final scope and price are agreed in writing after the Briefing. Reduced-fee and pro bono terms apply through the Impact Practice.

COMMITMENT

How are engagements structured? Can I pause or exit?

Every engagement carries explicit milestones, exit criteria, and a defined endpoint — nothing rolls indefinitely. Project engagements (Strategic, Program Build, GTM) close on agreed deliverables. Fractional retainers renew quarterly with mutual review. You can pause, scope down, or exit at any milestone — every term is written into the MSA before work begins.

READINESS CHECK

What happens after I take the Readiness Check?

Your branded PDF downloads immediately. A copy of your scores routes to connect@periculum.us. Sai personally responds within 1–2 business days with thoughts on your weakest 6A phases — and which engagement (Strategic, Program Build, Fractional, or GTM) fits the gaps you've surfaced. No automation, no marketing list.

CONFIDENTIALITY

Is the Readiness Check confidential?

Your answers stay in your browser unless you choose to enter your email at the end. The PDF is generated locally on your device. Email submissions are processed by Netlify Forms and routed to connect@periculum.us — never shared, sold, or added to a marketing list. See our Privacy Policy for the full posture.

LOCATION

Where are you based and do you travel?

Plano, Texas. Remote-first by design — most engagements run remotely, which keeps the work close to where decisions actually happen. In-person convenes when it materially benefits the work (board meetings, audit committee pre-reads, executive offsites).

FIT

Who do you typically work with?

Boards and audit committees at Fortune 50/100 companies. Growth-stage CEOs and founders. CROs, CISOs, and security leaders. Compliance and audit leaders. AI and SaaS platform founders entering enterprise markets. The Impact Practice extends to nonprofits, women-owned and minority-owned businesses, and emerging founders.

INDEPENDENCE

Are you a certifying body or auditor?

No. Periculum is your advisory preparation partner — we build the program, organize the evidence, and rehearse the audit so your team is ready. The certificate is issued by your independent ISO 42001 / ISO 27001 / SOC 2 auditor of choice, which we help you select. We do not audit our own work.

RESPONSE

How quickly will I hear back?

Within one business day for Contact form messages. Within 1–2 business days for Readiness Check submissions. Within two weeks for Impact Practice applications. Sai personally responds to every inquiry — there is no inbox triage and no automated funnel.

Have a question that isn't here?

Reach out — we read every inquiry personally and will answer within one business day.

SPEAKING

Guest speaking, board briefings, and panels.

AI governance, integrated risk, audit readiness, digital trust — for boards, C-suites, conferences, podcasts.

Recent stages — ESG & Sustainability Strategy summits, women-in-technology forums, and the Grace Series.

Guest Speaking

30–60 minute guest sessions on AI governance, the EU AI Act, and integrated risk for industry conferences, corporate summits, and professional forums.

Board & Executive Briefings

60–90 minute focused sessions for boards, audit committees, and executive teams — tailored to your environment.

Panels & Podcasts

Panels and podcast features on AI governance, ESG-cyber-risk intersection, and the future of digital trust.

PREFERRED TOPICS

Six talks. Trending topics. Tailored to your audience.

Each session below is a working framework Sai has delivered in guest talks, board briefings, panels, and capability sessions. Every talk can be customized — length, depth, audience register, and case studies all adapt to the room.

  • AI Governance, Done Right: ISO/IEC 42001 readiness without the theory.
  • The AI Regulation Playbook: EU AI Act & NIST AI RMF for real decisions.
  • Risk Without Silos: Integrating AI, cyber, and ESG into one strategy.
  • Cyber Risk in the Boardroom: What directors should really be asking.
  • Audit-Ready, Always: SOC 2, ISO 27001, SOX, built to hold up under scrutiny.
  • Control Without Friction: Using risk to accelerate innovation, not slow it down.

UPCOMING ENGAGEMENTS

Coming soon.

Sai's 2026 calendar of panels, board briefings, and capability sessions is being finalized.

TBD

Engagements being scheduled.

Confirmed panels, board briefings, and capability sessions will appear here as the 2026 calendar comes together. Topics span AI governance, integrated risk, audit readiness, Texas TRAIGA, EU AI Act, and agentic AI.

Engagement details are typically confirmed 30 days in advance.

Bring this conversation to your audience.

CONTACT

Let's start the conversation.

Tell me about your environment, your timeline, and what you'd like to walk out with. Typical response: one business day.

PREFER A STRUCTURED VIEW FIRST?

Complete the 6A Readiness Check first, then include your score when you reach out. Conversations are sharper and more qualified when we both start from the same scorecard.

For inquiries about advisory engagements, briefings, speaking, or media:

Email: connect@periculum.us
Phone: +1 860-869-8182
Location: Plano, Texas

Your message routes to connect@periculum.us. We never share, sell, or add you to a marketing list.

SCHEDULE · STRATEGIC ADVISORY

Schedule a Strategic Briefing

A focused session on governance, risk exposure, and audit readiness.

30-Minute Strategic Briefing

Confidential. Tailored to your environment. Walk away with three concrete next steps.

Duration: 30 minutes
Format: Video call
Cost: Complimentary intro

Opens calendly.com/saissk-periculumllc/30min in a new tab.

BEFORE YOUR BRIEFING

Take the 6A Readiness Check beforehand and we'll use your scorecard to focus the conversation — fewer minutes spent on context, more on the actions that matter for your environment.

COMMON QUESTIONS BEFORE YOU BOOK

Cost? Briefings are complimentary. Pricing for paid engagements is customized to your scope — indicative ranges are listed on the full FAQ page.

Commitment? Every engagement carries explicit milestones and exit criteria. You can pause, scope down, or exit at any milestone.

Response time? Within one business day for every inquiry. Sai personally — no automation.
