Methodology
Four stages. Three exit points. No surprises.
Audit-before-build AI consulting for licensed professionals in regulated industries. Every engagement runs the same four stages: Audit, Design, Implement, Operate. Between each stage you decide whether to continue. Between each stage you already know what you’ve spent.
Audit before build. Always.
We don’t sell you tools and figure out where they fit. We map your workflows first, surface the 3 to 5 places where automation will most improve your economics or capacity, then assess whether your security baseline supports an AI deployment at all.
If the foundation doesn’t support it, the audit produces a roadmap for getting the foundation right. We won’t deploy AI on a broken security baseline. That choice protects you, not us.
The four stages, in detail.
1. Audit.
The audit stands on its own. We work with you to map your operational workflows, identify where automation will move your numbers, and assess your security and compliance baseline. The deliverable is a prioritized opportunity list with rough budgets, plus the security-baseline roadmap if there’s one. You walk away with the document and the choice of what to do next.
2. Design.
For each opportunity you decide to pursue, we design the specific solution and quote a firm price for implementation. This is also where the build-versus-configure decision gets made: does this require a custom service, or is the right move to safely configure an existing tool you can already license? The design cost is rolled into the Implement quote so you see one price per automation, not a layered consulting bill.
3. Implement.
We build (or configure) what was designed, deploy it into your environment, set up documentation and access controls, and run acceptance testing against the design spec. You sign off before we move to Operate.
4. Operate.
A monthly retainer covers maintenance of what’s running, adaptation as your workflows evolve, and the next round of automation when you’re ready for it. A separately-priced training package sits alongside it for staff onboarding, ongoing cyber-hygiene reinforcement, and any CLE-eligible content where it applies.
Where this applies.
Today the methodology runs in cyber-insurance brokerages. Qualifying prospects against carrier appetite. Pre-screening clients against the controls that get binders bound. Pulling intake load off agents so they can close more business.
Why fixed fee, not hourly.
We price each stage as a firm fixed fee. Hourly billing pays consultants to go slow; we’d rather get paid for getting it right the first time.
Each stage has a firm price quoted before work starts. No surprise change orders. If the scope changes materially during the work, we tell you and quote the increment before continuing. You always know what you’ve committed to.
What we won’t do.
We won’t deploy AI on a broken security baseline. If the audit shows your foundation isn’t ready, the deliverable becomes a roadmap for fixing the foundation, not a build quote.
We won’t sell you a tool you don’t need. If the right move is to safely configure something you already license, that’s what we’ll do. We don’t take affiliate revenue from AI vendors.
We won’t bill hourly. The incentive points the wrong way. Every stage is a firm fixed fee, quoted before work starts.
We won’t disappear after the build. Regulated work changes. The Operate retainer is what keeps the deployment safe as the rules evolve.
Questions buyers ask before they commit.
Is this hourly or fixed fee?
Fixed fee per stage, quoted before work starts. We don’t bill hourly. The audit has a firm price. The design quote includes the implementation price. The retainer is monthly.
What if I only want the audit?
That’s how it’s designed. The audit stands on its own. You get the prioritized opportunity list, rough budgets, and a security-baseline roadmap if your foundation needs one. Take that and go implement with someone else, or wait six months, or never do anything. We’ll send the deliverable either way.
Do you work with my existing IT or MSP?
Yes, and we prefer to. The audit names what the security baseline needs to look like before AI is safe to deploy. Your existing IT or MSP usually owns the remediation work. We coordinate; we don’t replace them. If they can’t do the work, we’ll say so and recommend a path.
How long is each stage?
Depends on scope, and we quote it in writing before each stage starts. We don’t publish standard durations because the audit’s job is to size the work honestly. Pretending every engagement fits a fixed timeline is the kind of marketing that creates broken deployments.
Why we stay after the build.
Most consultancies build, hand off, and leave. We stay because regulated work changes. Your carriers update their underwriting criteria. Your state bar publishes new AI rules. Your specialty’s HIPAA requirements get reinterpreted. The automation has to evolve with the rules or it stops being safe.
The retainer makes the methodology durable. If you want a one-off build and no ongoing relationship, we’re not the right fit, and we’ll tell you that on the discovery call.