machlilieslimited@gmail.com
AI Assurance & Evaluation

AI assurance that works in practice.

AI governance can't live only in policy documents. Mach Lilies helps companies implement practical controls: system inventories, risk classifications, human oversight, evaluation records, vendor reviews and audit-ready evidence — the assurance that keeps AI defensible as it scales. Mach speed. Lily craft.

Why AI assurance

Governance that lives in a PDF protects no one. Assurance has to be implemented and evidenced.

As AI moves into real workflows, leaders and regulators want the same thing: confidence that AI systems are inventoried, risk-assessed, overseen by humans where it matters, and backed by evidence. Mach Lilies turns AI policy into working controls — practical, proportionate, and built into how your teams actually operate. We focus on assurance you can show an auditor, not a framework you file and forget.

What we do

Assurance controls.

Practical, proportionate controls that make AI adoption defensible — implemented, not just documented.

01

AI system inventory

A living register of the AI systems and agents in use — what they do, the data they touch, and who is accountable.

Inventory, Register, Ownership

02

Risk classification

A pragmatic risk rating for each AI use case, so oversight and controls are proportionate to the stakes.

Risk, Tiering, Triage

03

AI usage policies

Clear, usable policies for how AI may and may not be used — written to be followed, not filed.

Policy, Acceptable use, Standards

04

Human oversight design

Where a person must stay in the loop, how they approve, and how exceptions escalate.

Oversight, Approval, Escalation

05

Vendor AI due diligence

Structured review of third-party AI tools and providers — data handling, training use, security and reliability.

Vendors, Diligence, Third-party

06

Audit evidence packs

The records that prove your controls work: evaluations, approvals, incidents and reviews, ready for audit.

Evidence, Audit, Records

How we work

Inventory, classify, control, assure.

Four movements that turn AI policy into controls you can operate — and evidence you can show.

01 / Inventory

Know what's in use

Find and register the AI systems and agents already operating across the business.

02 / Classify

Rate the risk

Tier each use case so controls and oversight match the actual stakes.

03 / Control

Implement oversight

Put human oversight, policies and evaluation records into day-to-day operation.

04 / Assure

Evidence and review

Maintain audit-ready evidence and run ongoing assurance reviews as AI use grows.

Who we help

For trust-led organisations.

For risk, compliance and leadership teams that need AI adoption to be safe, defensible and proportionate.

Risk & compliance, Legal & GRC, Internal audit, Board / leadership, FinTech, HealthTech, Regulated sectors, Enterprise

i

Practical, not theoretical

Controls built into how teams work — not a framework that sits on a shelf.

ii

Proportionate

Oversight matched to risk, so low-stakes uses aren't strangled and high-stakes ones aren't exposed.

iii

Evidence-ready

Everything is recorded, so you can show an auditor what works and why.

iv

Aligned to standards

We work to recognised security and AI-governance practices, including ISO 27001-aligned controls.

What you can expect

Assurance you can show an auditor — inventories, risk tiers, oversight, and evidence that holds up.

Questions

AI assurance, answered.

What is AI assurance?

AI assurance is the set of practical controls and evidence that give an organisation — and its auditors and regulators — confidence that AI systems are known, risk-assessed, overseen and behaving as intended. It spans system inventories, risk classification, usage policies, human oversight, evaluations and audit evidence.

Is this the same as an AI policy?

No. A policy states intent; assurance proves it. We help you write usable policies, but the value is in implementing the controls and producing the evidence that shows they actually work in day-to-day operation.

Do you guarantee regulatory compliance?

We don't make regulatory guarantees, and you should be wary of anyone who does. We implement practical, proportionate controls aligned to recognised standards and frameworks, and we structure evidence so your compliance and legal teams can demonstrate diligence.

How does this relate to AgentOps?

AgentOps governs AI agents at the technical level — permissions, logs, evaluations and incident response. AI assurance sits above it at the organisational level — inventory, risk classification, policy, oversight and audit evidence. They reinforce each other, and we deliver both.

Can you review third-party AI tools we use?

Yes. Vendor AI due diligence is a core part of assurance — we review how third-party tools handle your data, whether they train on it, and their security and reliability posture, so you can adopt them with eyes open.

How are assurance engagements structured?

Usually an implementation engagement to stand up the inventory, risk model and controls, followed by periodic assurance reviews — for example quarterly — as your AI footprint grows.

Let's begin

Make AI defensible.

Tell us where AI is being used or planned, and your risk and compliance concerns. We reply to every serious enquiry within one business day.