AI Evidence Readiness Diagnostic · A Cichocki Advisory engagement

Can one AI workflow survive a 24-hour audit request?

Pick one AI-assisted workflow already in production or about to launch. In one working session, we map it from policy requirement to runtime control to audit-grade evidence — then identify the five gaps your team should close first.

What: One workflow
Format: 90–120 min + memo
Fee: $5,000 fixed
Sprint credit: 100% if you proceed
Start the Diagnostic fit check
This is the intake for the paid $5,000 Diagnostic — not the free AI readiness assessment. Five-minute fit check · we reply within one business day · no software required · please don’t include confidential or regulated data in the form.

Can your team pass the 24-hour AI evidence test?

Pick one AI-assisted decision from yesterday. Within 24 hours, can your team produce: the workflow, the model and provider, the user or system that invoked it, the data class touched, the applicable policy, the control outcome, the exception path, and the evidence package an external auditor would receive?

If not, the issue is probably not more policy. It is the missing operating layer between policy and production.

The Diagnostic surfaces that operating layer for one workflow you choose, fast.

The exchange

What you bring. What you leave with.

You bring

  • One AI-assisted workflow already in production or about to launch
  • One policy or risk requirement that applies to it (NIST AI RMF, ISO/IEC 42001, EU AI Act, internal policy, or audit framework)
  • One evidence artifact: a log sample, a current control record, or the closest thing you have

You leave with

  • One-page Policy → Control → Evidence map for the chosen workflow
  • Top 5 missing evidence artifacts, ranked by audit exposure
  • Owner and control gap summary by name and role
  • A written recommendation: Sprint fit, lighter advisory fit, or not ready yet

What $5,000 buys

What the fee covers. What it doesn’t.

Included

  • Pre-session review of one workflow description and one evidence artifact
  • One 90–120 minute executive working session (Zoom or Teams)
  • Up to four client attendees
  • Synthesis of the Policy → Control → Evidence map
  • Top 5 evidence gaps, ranked by audit exposure
  • Written recommendation delivered within five business days

Not included

  • Legal advice or counsel-of-record opinions
  • Certification or audit opinion (ISO 42001, SOC 2, etc.)
  • Production system access, data extraction, or penetration testing
  • Multi-workflow inventory or full AI estate review
  • Implementation, remediation, or hands-on engineering
  • NDA execution before fit-check (we sign a mutual NDA after fit-check, before sensitive review)

The fee covers expert pattern recognition, prep, synthesis, and a decision-grade artifact — not a discovery call dressed up in a fancy name. Need any of the “not included” items? They’re Sprint scope, not Diagnostic scope.

Sample output (redacted)

The artifact you walk away with

Example workflow: AI-assisted customer support response. Your version is workflow-specific and one page. The example below is illustrative.

| Policy requirement | Runtime control | Evidence artifact | Owner | Gap |
|---|---|---|---|---|
| Customer data may not be used to train external models | Egress filter on outbound API calls; deny on customer-classified PII | policy_id + outcome + data_class in event stream | Platform engineering lead | Filter exists. Outcome not logged with policy_id. Audit cannot reconstruct. |
| High-risk AI decisions require human review | Approval queue; config-driven by risk tier | Approval record with timestamp, reviewer, decision | Business unit AI owner | Approval queue exists in Slack. Evidence is reconstructed manually each audit. |
| Model and version must be traceable per output | Gateway logs model, provider, version per call | Audit log line with trace_id | CISO / platform owner | Logs exist. policy_id not joined; reconstruction needs SQL. |

“Audit-grade” means structured enough to support an audit, board, customer-risk, or compliance conversation — not that we issue an audit opinion, legal opinion, or certification.
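An added example, not from the page or from Cichocki Advisory/ThreadSync: a small Python check that runs the 24-hour evidence test over a constructed gateway event stream, reporting which decisions lack the fields the sample map calls out (policy_id not joined to the outcome, no exception path) and ranking the missing fields by how many decisions they affect. The JSON key names and the sample events are assumptions.

```python
import json

# Per-decision fields the 24-hour evidence test asks for. Key names are
# assumptions chosen to match the page's wording; a real gateway schema will differ.
REQUIRED = ("trace_id", "workflow", "model", "provider", "model_version",
            "invoked_by", "data_class", "policy_id", "outcome", "exception_path")

# Constructed sample event stream: one JSON line per LLM gateway call.
# t-001 is complete; t-002 has an outcome but no policy_id (the gap in the sample map).
SAMPLE_EVENTS = """
{"trace_id":"t-001","workflow":"support-response","model":"model-a","provider":"ext-llm","model_version":"v3","invoked_by":"svc:support-bot","data_class":"customer_pii","policy_id":"POL-07","outcome":"deny","exception_path":"none"}
{"trace_id":"t-002","workflow":"support-response","model":"model-a","provider":"ext-llm","model_version":"v3","invoked_by":"user:agent42","data_class":"customer_pii","outcome":"allow"}
{"trace_id":"t-003","workflow":"support-response","model":"model-a","provider":"ext-llm","model_version":"v3","invoked_by":"user:agent42","data_class":"public"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evidence_gaps(events):
    """Map trace_id -> list of required fields that are absent or empty."""
    gaps = {}
    for ev in events:
        missing = [f for f in REQUIRED if ev.get(f) in (None, "")]
        if missing:
            gaps[ev.get("trace_id", "<no trace_id>")] = missing
    return gaps


def rank_gaps(events):
    """Rank missing fields by how many decisions lack them (a proxy for audit exposure)."""
    counts = {}
    for missing in evidence_gaps(events).values():
        for field in missing:
            counts[field] = counts.get(field, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def evidence_package(events, trace_id):
    """Return the per-decision package an auditor would receive, or None when it
    cannot be reconstructed from the event stream alone (i.e. a join would be needed)."""
    for ev in events:
        if ev.get("trace_id") == trace_id:
            return None if evidence_gaps([ev]) else {f: ev[f] for f in REQUIRED}
    return None
```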

When buyers come here

Common triggers.

External pressure

  • The board asked how AI systems are governed
  • A customer security review asked for AI controls
  • A vendor-risk review exposed undocumented AI use
  • An auditor or regulator started asking about AI

Internal gap

  • Legal approved an AI policy, but engineering can’t prove enforcement
  • A team is using LLMs in production but logs don’t show policy outcomes
  • You’re preparing for NIST AI RMF, ISO/IEC 42001, EU AI Act, or SOC 2 alignment
  • You inherited AI governance and want to know where the holes are

If two or more of these are true, you’re in the right place.

Fit

Who this is for. Who it isn't.

Best fit

  • Boards or executive teams with AI adoption already underway
  • CISOs and GCs facing audit, regulatory, or vendor-risk pressure
  • CIOs and CTOs enabling AI without losing control of shadow systems
  • Companies with policy approved but weak runtime evidence
  • Teams preparing for NIST AI RMF, ISO/IEC 42001, or EU AI Act alignment

Not a fit

  • Teams looking for a generic AI policy template
  • Companies without an executive sponsor for the work
  • Buyers seeking legal advice without counsel involvement
  • Organizations not ready to surface gaps between policy and production
  • Single-workflow software demos or vendor pitches

Process

What happens after the fit check.

1. You fill out the fit check (5 min)

   Five short questions about your role, the workflow, and the trigger for this conversation.

2. We reply within one business day

   If we are aligned, you get scheduling options and a one-page prep brief on what to bring. If we aren't, you get a short note pointing you toward the most useful next artifact.

3. The session: 90 to 120 minutes (video)

   We map the chosen workflow live: policy line by policy line, control point by control point, evidence artifact by evidence artifact. You see exactly where the gaps sit.

4. Memo within five business days

   The one-page map, the top five gaps, owner/control summary, and a written recommendation. Yours regardless of whether we work together further.

Who runs the session

About Jan Cichocki

Jan Cichocki is the founder of Cichocki Advisory and ThreadSync. The Diagnostic is run personally by Jan — not handed off to an associate.

His perspective is informed by 20+ years across financial systems, enterprise technology, governance, and operating-model design — and by ThreadSync, the runtime platform whose audit-grade logging and LLM Gateway shape how he thinks about evidence in production.

His advisory work focuses on the operating layer underneath the deck: the policy line, the control owner, the runtime enforcement point, and the evidence artifact that proves what happened. The Diagnostic is the smallest engagement that surfaces all four for a workflow you care about.

Honest scope

What the Diagnostic is not.

  • Not legal advice
  • Not an ISO 42001 certification audit
  • Not a generic policy template
  • Not a software demo
  • Not a vendor pitch
  • Not a sales call in disguise

Typically handled as a fixed-scope advisory engagement; no software purchase required, no NDA in advance unless you prefer.

Friction

Frequently asked.

Do we need ThreadSync to do the Diagnostic?

No. The Diagnostic is a stand-alone advisory engagement. ThreadSync provides a runtime perspective Jan draws on, but no software purchase is required and no platform commitment is involved.

Is this a paid path into ThreadSync?

No. The Diagnostic is implementation-neutral. If the recommendation is “fix your existing logs / workflow / GRC process,” that’s the recommendation. Jan will name the cleanest path even if it has nothing to do with any product he’s associated with.

Is this legal advice?

No. This is operating-model advisory. Counsel should participate when policy interpretation is in scope. We help you map and structure; we do not opine on legal questions.

What if we are not ready for a Sprint?

The Diagnostic recommendation may be Sprint fit, lighter advisory fit, or not ready yet. In any case you keep the one-page Policy → Control → Evidence map and the gap list. The artifact is yours.

Can we skip the Diagnostic and go straight to a Sprint?

Yes, if Sprint fit is already clear from the discovery conversation. Your Sprint kickoff absorbs the diagnostic work as Phase 1.

What happens if we proceed to a Sprint after 60 days?

The Sprint credit applies only when the engagement is signed within 60 days of the Diagnostic session. After 60 days, the credit expires. The diagnostic artifacts remain yours regardless.

Will you sign an NDA before the session?

Yes. A short mutual NDA is standard. We can use yours or send ours within 24 hours of the fit check completing.

Is the $5,000 fee negotiable?

No. The Diagnostic is fixed-scope and fixed-fee on purpose. The Sprint credit is the right way to reduce net cost when you proceed to the larger engagement.

Who should attend the session?

The executive sponsor (often CISO, GC, or CIO/CTO). Optional: one platform-engineering owner who knows the runtime, and counsel if policy interpretation is in scope.

Ready to map one workflow?

Five-minute fit check. We reply within one business day. The session is yours within two weeks.

Start the Diagnostic fit check