Step 03 · Summit · 90 Days

The Cyber Operating System for AI Companies

Deploy an enterprise-grade cybersecurity program in 90 days that continuously proves your AI company is secure, compliant, and ready for enterprise customers—without hiring a security team.

Clear your next enterprise security review, or we keep working free.
Founder-delivered · three engagements at a time · $950 Blueprint fee credited in full.

CONTROL CENTRE LIVE AI AGENTS POLICIES CONTROLS EVIDENCE OWNERS FRAMEWORKS

Six signals. One place to answer from.

A binder decays. A system compounds.

Most readiness work produces documents that are accurate on the day they are signed and wrong within a quarter. Summit is built on the opposite bet: automate the evidence, and the posture maintains itself.

What a typical readiness engagement leaves you

  • A policy pack written to a template, which nobody on your team wrote and nobody reads.
  • A spreadsheet inventory that was accurate the week it was built.
  • Evidence gathered by hand, re-gathered by hand every time a customer asks.
  • A dependency on the consultant, because only they know how it fits together.
  • A number of days billed, with the outcome left as your problem.

What Summit leaves you at day 90

  • Approved policies under proper change control, with drift from them detected in real time and raised to the named owner.
  • A live AI system inventory with named owners, updated as part of how you ship.
  • Evidence collection running automatically, so the next questionnaire is a lookup, not a project.
  • Your team operating it. We designed the handover from day one.
  • A guaranteed outcome. If you don't clear the review, we don't stop.

Everything included

Six components. Each one is something your team keeps and operates after day 90.

01

A real AI system inventory, built with your team

Every AI system, agent, model, and third-party integration you are actually running, catalogued with its purpose, data sources, permissions, and a named human owner. Built alongside your engineers, not handed to them, so they can maintain it.

02

Controls mapped to ISO 42001 and NIST CSF 2.0

Your controls mapped against the frameworks enterprise buyers and auditors actually ask about, with what is in place, what is partial, and what is missing stated plainly. No aspirational entries.

03

Written policies, under change control

Policy and procedure documents drafted from your control mapping rather than a template, then reviewed and formally approved by a named owner. They change by approval, with a version history and a rationale an auditor can follow. Nothing rewrites them silently.

04

Controls instrumentation with real-time drift detection

The controls are wired into your environment so their status is observable rather than asserted. When the live state of a control diverges from what your approved policy says it does, that is a drift event: caught in real time, raised to the accountable owner, and logged. They then either remediate the control or take a policy change through approval. The gap never sits there silently, and the audit trail shows who knew what and when.

05

Automated evidence collection

Evidence gathers itself on a schedule instead of being reassembled by a panicking engineer the week a deal is closing. This is the component that makes the whole thing a living system rather than a snapshot.

06

AIFortess Assessor, deployed and configured

Our AI-assisted readiness platform stood up in your environment, configured to your systems, with your team trained to run it. If you would rather we build into your existing GRC stack instead, we will. See how Assessor works →

The ninety days

Three phases. You know what exists at the end of each one, so you always know whether it's working.

Days 01–30 · Map

Find what's actually running

We inventory every AI system, agent, and integration in production, including the ones nobody registered. Each gets a purpose, a data map, a permission scope, and a named owner.

You end phase one with: a complete, owned AI system inventory and a prioritised risk register.
Days 31–60 · Instrument

Wire the controls in

Controls mapped to ISO 42001 and NIST CSF, policies drafted from those mappings and taken through approval, and the instrumentation built so control status is observable. Assessor deployed and configured against your systems.

You end phase two with: mapped controls, live policies, and instrumentation reporting real status.
Days 61–90 · Prove

Make it run without us

Evidence collection automated and running on schedule. Your team trained to operate the system. We pressure-test it against real enterprise security questionnaires before you have to.

You end phase three with: automated evidence, a trained team, and a posture that survives contact with a buyer.

The guarantee

Stated in full, with the conditions, because a guarantee you have to hunt for in a contract is not a guarantee.

You will clear your next enterprise customer security review. If you don't, we keep working at no additional cost until you do.

That covers the things that actually block deals: customer security questionnaires, vendor security assessments, and investor diligence reviews. We stand behind it because we control the inputs. The inventory, the control mapping, the policies, and the evidence are all things we build with you.

What it does not cover: accredited certification audits. AIFortess is not a certification body, and anyone who guarantees you a certificate is either misunderstanding the process or misleading you. We get you audit-ready. The certificate is issued by an accredited body on their judgement, not ours.

What we need from you to hold it

  • A named internal owner with committed time each week. One accountable person on your side. This is the single biggest predictor of whether a Summit succeeds.
  • A response window of five business days on our information requests and document reviews.
  • Access to the systems, documentation, and stakeholders we need to build the inventory and instrument the controls.
  • Implementation of the prioritised remediation items. We will tell you what to fix and help you fix it, but we cannot guarantee an outcome you decline to act on.

Who Summit is for

We run three at a time. That means turning down work that isn't a fit, which is better for both of us.

A good fit

  • You have AI agents or LLM features in production and enterprise customers asking about them.
  • A deal, a renewal, or a funding round is genuinely gated on your security posture.
  • You can name one person internally who will own this and give it real hours.
  • You want the capability in-house afterwards, not a permanent consultant.
  • You've run the Compass Assessment and know roughly where you're weak.

Not a fit

  • You want documents to file rather than a system to operate.
  • Nobody internally has time to own it. Summit will fail and we would both rather find out now.
  • You need an accredited certification audit. That is a different provider.
  • You have a dedicated GRC team and platform already running well.
  • You need it done in three weeks. Ninety days is the honest number.
Three engagements at a time

Summit starts with the Ascend Blueprint

We don't scope Summit blind, and we don't quote it from a form. Every Summit is scoped from an Ascend Blueprint, the 90-minute working session where we turn your Compass results into a prioritised 30-day plan. That session tells us both whether Summit is the right call and what it should actually cover.

Compass Ascend Blueprint Summit

Summit is priced per engagement, because a 40-person company with three agents and a 180-person company with forty are not the same job. You get the number after the Blueprint, when we both know the scope. The $950 Blueprint fee is credited in full against it.

Reasonable questions

Why isn't the price on this page?

Because a fixed number would be wrong for most of the people reading it. Scope depends on how many AI systems you're running, how much documentation already exists, and what your buyers are asking for. The Blueprint is where that gets established. If you want a rough band before booking, email hello@aifortess.com and describe your setup.

Can I just buy Summit directly?

No, and that's deliberate. Scoping a 90-day engagement from a web form produces a bad scope and a bad outcome. The Blueprint is 90 minutes and $950, it's credited back in full, and you leave with a usable 30-day plan whether or not you go on to Summit.

What if we don't want Assessor deployed?

Then we build the instrumentation into your existing stack instead. Assessor makes it faster and it's what we know best, but Summit is the outcome, not the tool. Companies with GRC tooling they're already committed to get the same guarantee.

What happens at day 91?

It's yours and your team runs it. That's the point of automating the evidence collection rather than doing it for you. Most clients keep us on a light retainer for audit season and for reviewing new AI systems before they ship, but that's optional and it's a separate conversation.

Who actually does the work?

Rohit, the founder. Summit is founder-delivered, which is why we only run three at a time. You are not handed to an associate after the sale. See his background →

We already failed a security review. Is it too late?

No, and that's a common starting point. A failed review usually comes with a written list of what was missing, which is a genuinely useful input. Bring it to the Blueprint.