AI & Data Companies

AI and data companies face risks that standard control sets often miss: prompt injection, sensitive information disclosure, model and data poisoning, supply-chain vulnerabilities, and excessive agent autonomy.

Our approach: Standard EU DORA readiness first. AI and data-specific hardening second. The advisory modules below are optional enhancements on top of mandatory controls.

Standard Controls vs. AI/Data Enhancements

Standard EU DORA Readiness

Mandatory controls required for compliance:

  • Logical access and privileged access
  • Change management
  • Incident response
  • Risk management
  • Vendor management
  • Backup and availability
  • Logging and monitoring
  • Confidentiality and privacy (where applicable)

View all control domains →

AI/Data Advisory Enhancements

Optional modules justified by AI-risk frameworks:

  • Data lineage and training data governance
  • Prompt/response telemetry
  • RAG and retrieval governance
  • Model/provider vendor review
  • Agent approval gates
  • AI-assisted SDLC controls
  • Warehouse and analytics governance

Advisory Modules

Each module adds specific controls and documentation practices to address risks unique to AI and data-intensive products.

AI-Assisted SDLC Controls

DORA's ICT change management requirements (Art. 9(4)(e)) and its information security policy requirements (Art. 9(4)(a)) extend to AI-assisted development practices in financial services: code produced or modified with AI tooling goes through the same documented change procedure, and the tooling itself is an ICT service to be identified and risk-assessed.

What This Module Adds

  • AI development change management aligned with DORA ICT change procedures
  • Security review requirements for AI-generated financial services code
  • ICT risk assessment for AI coding tools as third-party ICT services

Human Review & Agent Gates

DORA's management body responsibility (Art. 5) requires meaningful oversight of automated systems, especially AI agents making decisions affecting financial operations.

What This Module Adds

  • Human oversight gates for AI systems in trading, lending, and compliance functions
  • Escalation procedures for AI anomalies impacting critical financial services
  • Regulatory reporting considerations for AI-driven decisions
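The following is an added example of what an agent approval gate looks like in practice; it is not code from the advisory module or from any product described on this page. The tool names, risk tiers, the 1,000 threshold and the in-memory ApprovalQueue are all assumptions made for illustration. The gate fails closed on unknown tools, binds a human approval to a hash of the exact call so an altered call cannot reuse it, and records blocked attempts as escalation events.

```python
"""Approval gate for an LLM agent's tool calls (hypothetical example)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical tool policy, not from the page or from DORA. "auto" runs
# without review, "approve" waits for a named human, "block" is never run
# by the agent regardless of what the model asks for.
POLICY = {
    "get_balance": {"tier": "auto"},
    "submit_payment": {"tier": "approve", "auto_below": 1_000.00},
    "adjust_credit_limit": {"tier": "approve"},
    "file_regulatory_report": {"tier": "block"},
}


@dataclass
class ToolCall:
    session_id: str
    tool: str
    args: dict


@dataclass
class Decision:
    action: str                      # "execute", "hold" or "deny"
    reason: str
    approval_id: Optional[str] = None


@dataclass
class ApprovalQueue:
    """In-memory stand-in for a ticketing / approval system. Approvals are
    keyed by session plus a fingerprint of the exact call, so a later call
    with changed arguments cannot reuse an earlier approval."""
    pending: Dict[str, ToolCall] = field(default_factory=dict)
    approved: Dict[str, str] = field(default_factory=dict)  # id -> approver

    def approve(self, approval_id: str, approver: str) -> None:
        if approval_id not in self.pending:
            raise KeyError(f"no pending approval {approval_id}")
        self.approved[approval_id] = approver


def call_fingerprint(call: ToolCall) -> str:
    canon = json.dumps({"tool": call.tool, "args": call.args}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def gate(call: ToolCall, queue: ApprovalQueue, escalations: List[dict]) -> Decision:
    policy = POLICY.get(call.tool)
    if policy is None:
        # Fail closed: a tool the policy does not list is never executed and
        # the attempt is escalated as an anomaly for human review.
        escalations.append({"session": call.session_id, "event": "unknown_tool",
                            "tool": call.tool})
        return Decision("deny", "tool not in policy")
    tier = policy["tier"]
    if tier == "block":
        escalations.append({"session": call.session_id, "event": "blocked_tool_attempt",
                            "tool": call.tool})
        return Decision("deny", "tool reserved for humans")
    if tier == "auto":
        return Decision("execute", "auto tier")
    # "approve" tier: a numeric amount below the threshold may still run
    # autonomously; anything else (large, missing, malformed) goes to a human.
    limit = policy.get("auto_below")
    amount = call.args.get("amount")
    if limit is not None and isinstance(amount, (int, float)) and 0 < amount < limit:
        return Decision("execute", f"below {limit} threshold")
    approval_id = f"{call.session_id}:{call_fingerprint(call)}"
    if approval_id in queue.approved:
        return Decision("execute", f"approved by {queue.approved[approval_id]}", approval_id)
    queue.pending.setdefault(approval_id, call)
    return Decision("hold", "awaiting human approval", approval_id)


if __name__ == "__main__":
    q, esc = ApprovalQueue(), []
    d = gate(ToolCall("s1", "submit_payment", {"amount": 25000.0, "to": "B2"}), q, esc)
    print(d)                                   # held for approval
    q.approve(d.approval_id, "ops.reviewer")
    print(gate(ToolCall("s1", "submit_payment", {"amount": 25000.0, "to": "B2"}), q, esc))
    print(gate(ToolCall("s1", "file_regulatory_report", {}), q, esc), esc)
```

The escalation list is where the module's "escalation procedures for AI anomalies" would hook in: a real deployment would forward those events to the ICT incident process rather than keep them in memory.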

Model Provider Vendor Risk

DORA Chapter V third-party ICT risk management applies to AI model providers as ICT third-party service providers, including register, contractual, and concentration risk obligations.

What This Module Adds

  • AI model providers included in ICT third-party register with service descriptions and data flows
  • Concentration risk assessment for dependency on single AI model providers
  • Contractual AI-specific provisions covering model versioning, data handling, and service continuity
  • TLPT scope extended to include AI systems supporting critical functions

Prompt & Response Logging

DORA's detection requirements (Art. 10) and its incident management, classification and reporting requirements (Art. 17–19) call for monitoring capabilities that extend to AI system interactions, both for anomaly detection and for an audit trail. The logged prompts and responses themselves can contain customer data, so the audit trail needs redaction rather than raw capture.

What This Module Adds

  • AI interaction monitoring integrated with ICT incident detection mechanisms
  • Anomaly detection in AI outputs for early identification of ICT-related incidents
  • Audit trail for AI system interactions supporting regulatory examination
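As an added example (not code from the advisory module or from any product on this page), the block below builds redacted audit records for prompts and responses and runs a small anomaly check over them: a response that contains a sensitive data class the prompt never supplied is flagged as a possible disclosure, and a response far longer than the session baseline is flagged as a length outlier. The regular expressions, the session and model strings, and the sample texts are constructed for the example; a production deployment would use a vetted DLP library rather than these patterns.

```python
"""Redacted prompt/response audit records with anomaly flags (hypothetical)."""
import hashlib
import re
import statistics
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed, deliberately simple patterns for the example; not from the page.
SENSITIVE = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each sensitive value with a class-tagged hash token. The token
    lets an investigator correlate the same value across records without the
    audit log becoming a store of account identifiers."""
    counts: Dict[str, int] = {}

    def replacer(kind: str):
        def _sub(m: "re.Match") -> str:
            counts[kind] = counts.get(kind, 0) + 1
            digest = hashlib.sha256(m.group(0).encode()).hexdigest()[:8]
            return f"<{kind}:{digest}>"
        return _sub

    for kind, pattern in SENSITIVE.items():
        text = pattern.sub(replacer(kind), text)
    return text, counts


def audit_record(session_id: str, role: str, model: str, text: str,
                 extra: Optional[dict] = None) -> dict:
    """One append-only record per prompt or response. The raw text is kept
    only as a hash; the stored text is the redacted form."""
    redacted, counts = redact(text)
    rec = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "session_id": session_id,
        "role": role,                  # "prompt" or "response"
        "model": model,                # provider/model/version, for the vendor register
        "text": redacted,
        "raw_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "chars": len(text),
        "redactions": counts,
    }
    if extra:
        rec.update(extra)
    return rec


class ResponseAnomalyDetector:
    """Flags a response that (a) contains a sensitive data class absent from
    its prompt, i.e. the model surfaced something the user did not supply,
    or (b) is a length outlier against the baseline of earlier responses."""

    def __init__(self, min_baseline: int = 5, z: float = 3.0):
        self.lengths: List[int] = []
        self.min_baseline = min_baseline
        self.z = z

    def check(self, prompt_rec: dict, response_rec: dict) -> List[str]:
        flags: List[str] = []
        leaked = set(response_rec["redactions"]) - set(prompt_rec["redactions"])
        if leaked:
            flags.append("possible_disclosure:" + ",".join(sorted(leaked)))
        if len(self.lengths) >= self.min_baseline:
            mean = statistics.fmean(self.lengths)
            sd = statistics.pstdev(self.lengths)
            # Floor the deviation at 1 char so a constant baseline still works.
            if response_rec["chars"] > mean + self.z * max(sd, 1.0):
                flags.append("length_outlier")
        if "length_outlier" not in flags:
            self.lengths.append(response_rec["chars"])  # keep outliers out of the baseline
        return flags


if __name__ == "__main__":
    det = ResponseAnomalyDetector()
    p = audit_record("s1", "prompt", "provider/model-v1", "What is my savings balance?")
    r = audit_record("s1", "response", "provider/model-v1",
                     "Balance for DE89370400440532013000 is 1,240.00 EUR")
    print(r["text"], det.check(p, r))
```

Flagged records are the hand-off point to the ICT incident process: the record carries the session, model version and redacted content an examiner would ask for, without the raw identifiers.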

RAG & Vector Store Controls

DORA's identification and ICT asset inventory requirements (Art. 8) and its protection and prevention requirements (Art. 9) apply to vector stores and retrieval-augmented generation systems in financial AI deployments: embeddings derived from customer or position data are ICT assets holding that data, not a cache that sits outside the inventory.

What This Module Adds

  • Vector stores registered in ICT asset inventory with dependency mapping
  • Data residency controls for financial data embeddings, aligned with the Art. 30(2)(b) requirement that contracts specify the locations where data is processed and stored
  • Resilience testing for RAG systems supporting critical financial functions

Training & Inference Data Governance

DORA's ICT risk management framework (Art. 5–16) covers data integrity and security requirements that extend to AI training data governance in financial services.

What This Module Adds

  • Financial data training governance with data lineage and quality controls
  • Model validation procedures aligned with regulatory compliance requirements
  • Data lineage documentation supporting regulatory reporting and audit

Warehouse & Analytics Governance

DORA's business continuity (Art. 11–12) and ICT asset management requirements apply to data warehouses supporting financial analytics, reporting, and regulatory obligations.

What This Module Adds

  • Warehouse infrastructure included in resilience testing programme
  • Regulatory reporting data integrity controls with reconciliation procedures
  • Analytics platform BCP/DR with defined RTOs for reporting-critical systems

Need AI-Specific Readiness Support?

We help AI and data companies build a control environment that satisfies enterprise buyers and addresses the unique risks of AI products.

Get in Touch