Inline Code

Now serving Australian SMEs and mid-market

The named accountable person for your organisation's AI and information risk.

Boards are now asking which AI tools your staff use, whether you would pass an APRA review, and who would respond to an AI incident. Most organisations cannot answer with confidence. We close that gap, and we sign the answer.

We deliver against

NIST AI RMF 1.0 · ISO/IEC 42001:2023 · APRA CPS 234 · APRA CPS 230 · Australian Privacy Principles · OWASP Top 10 for LLMs · MITRE ATLAS · ASD Essential Eight

The shift

The question your board is now asking.

"AI governance is no longer an emerging risk. It is a current obligation — under the Privacy Act, ISO 42001, and, for APRA-regulated entities, CPS 230 and CPS 234."

Boards at Australian SMEs and regulated mid-market organisations are asking three questions that did not exist eighteen months ago.

  1. Which AI tools are our staff using, and have we approved them?
  2. If a regulator reviewed our AI controls tomorrow, would we pass?
  3. If an AI incident occurred this week, who would respond, and how?

AI tooling has been adopted faster than the governance to manage it. Microsoft 365 Copilot, ChatGPT Enterprise, Claude, and GitHub Copilot are now sitting alongside personal accounts on staff devices. The frameworks built for traditional information risk were not written for generative systems.

Delivery speed

0 days

From kickoff to board-ready posture report

Frameworks

0

NIST · ISO · APRA · OWASP · MITRE · ASD · APP · EU AI Act

Pricing

Fixed fee

No open-ended scoping. No surprise invoices.

How we work

Three engagement models. One accountable practice.

Most clients enter through the assessment, convert to the fractional role, and add enablement work as their AI footprint grows. Each engagement compounds the next.

Why Inline Code

Operators, not framework dumpers.

Most AI governance work today is policy theatre. Long documents, no operational change. We do the opposite. Our practice is led by certified offensive and defensive security practitioners who have stood up and operated controls.

Australian regulator literacy

APRA prudential standards, the Privacy Act, and ASD guidance as native context, not appended sections.

Productised, fixed-fee delivery

You know cost and timeline before you sign. We do not run open-ended discovery engagements.

Vendor neutral

No reseller arrangements, no product commissions. Tool recommendations are tied to control objectives.

Right-sized for mid-market

Controls a forty-person risk team can actually operate, not controls written for tier-one banks.

Continuity beyond engagement

Findings convert into a retainer that operates the controls we recommend, so reports do not sit on shelves.

Named accountability

A practitioner, not a logo. The person who scoped your engagement is the person who delivers it.

Process

From first call to signed governance posture in five steps.

01

Discovery call

Thirty minutes. Confirm fit, scope, and timing. No obligation.

02

Statement of work

Fixed-fee SOW issued within two business days of the discovery call.

03

Engagement kickoff

Within two weeks of signature. Stakeholder alignment, evidence collection.

04

Delivery

Ten business days for the assessment. Ongoing for the fractional role.

05

Decision

Findings briefing. Continuation into retainer or enablement work as required.

Free tool

AI Governance Maturity Self-Assessment

Twelve questions across the four NIST AI RMF functions. Takes four minutes. You receive an automated maturity scorecard and a personalised PDF report by email. No sales call required.

Start the assessment

Common questions

Buyer questions we hear most.

Direct answers to what risk, security, and board buyers ask in the first thirty minutes.

How is the assessment different from what a Big 4 firm would deliver?

Three differences. Fixed price scoped at engagement, not a six-figure project that grows. Ten business days end to end, not three months. The same senior practitioner who scopes the work delivers it, no graduate teams. The deliverable is operationally useful, not a slide deck designed for procurement.

We already have a CISO. Why would we need a fractional AI risk officer?

For most mid-market firms, the CISO is fully loaded on traditional information security. AI governance requires distinct framework literacy (NIST AI RMF, ISO 42001, OWASP LLM, MITRE ATLAS) and a different vendor and use case discovery process. The fractional role complements your CISO; it does not replace them.

Do you have professional indemnity insurance?

Yes, the engagement is delivered under an Australian-issued professional indemnity policy. Limit and terms are disclosed on the statement of work. Required for fractional officer engagements with regulated entities.

How does the assessment to retainer conversion work?

There is no obligation to convert. Approximately forty to fifty percent of assessments lead to a retainer because the findings surface enough material work to justify it. If the assessment shows your posture is already strong, we say so and exit cleanly.

Can you work with our legal counsel on contract review?

Yes. We are not lawyers and do not provide legal advice. Where formal legal review is required (regulator correspondence, contract drafting, statutory interpretation), we flag it and continue producing the technical artifact in parallel. Many engagements run alongside Gilbert + Tobin, MinterEllison, or Mills Oakley.

What happens if we have an AI incident during the engagement?

Retainer clients have direct access to incident response support. We help you triage, contain, communicate, and document. Playbooks for prompt injection, AI data exfiltration, model misuse, vendor outage, and shadow AI discovery are pre-positioned.

Have a different question? Send it through and we will reply within one business day.

Get started

Bring AI risk under board oversight in two weeks.

A thirty-minute discovery call costs nothing. We confirm fit, scope, and timing, then issue a fixed-fee statement of work within two business days.