Service · Cluster 1 · Ethical AI

Three questions your board will ask.

A focused, vendor-independent audit of any AI system your organisation is already running — ChatGPT for the team, Copilot in the suite, a third-party RAG, an in-house model. Two to three weeks, fixed price, board-ready output. We answer the three questions that decide whether your AI gets to stay in production: is it fair, can we explain it, and are we POPIA-compliant.

Vendor-independent. We audit any AI system — not just ours. sonofgraig is the auditor, not the supplier.
Four frameworks. POPIA Sections 11, 19, and 72 · EU AI Act risk classification · GDPR alignment · ISO/IEC 42001 readiness.
Bias & explainability tested, not assumed. Fairlearn and AIF360 for bias; SHAP for XAI; Evidently for drift.
Board-ready summary. Risk register and remediation roadmap your CIO can present without further translation.
Information Officer signed · NDA before scoping · 30-day re-test option · Convertible to Governance Hub
Starting at: R45,000
Delivery window: 2–3 weeks
Frameworks audited: POPIA · EU AI Act · GDPR · ISO 42001
Output: Board-ready dossier
The enterprise unlock

No South African bank, insurer, or government department signs an AI contract without answering three questions.

sonofgraig's product strategy is built on this insight. Every regulated industry customer that procures an AI system in South Africa needs board-level certainty on three questions before deployment. This audit answers all three — in writing, with evidence, in language non-technical directors understand. The questions are simple. The answers, without an audit, are usually wrong.

Question 01 · Is this AI fair?
  Audience: Board · CRO · Information Officer
Question 02 · Can we explain its decisions?
  Audience: Customer-facing teams · Legal
Question 03 · Are we POPIA-compliant?
  Audience: Information Officer · Information Regulator
02 · Outcomes

What ships at the end of week three.

Most AI governance work ends at "we should think about this carefully" and produces a slide deck. Our audit produces three artifacts your CIO and CRO can act on the same week. Each artifact is independently usable — the risk register is a procurement tool, the bias report is a compliance record, the board summary is a director-level communication.

Outcome 01
A POPIA-grade risk register
Every finding numbered, classified by severity, mapped to the specific POPIA section or framework requirement it implicates, and tagged with an estimated time-to-remediate. The register is exported as both a PDF and an editable spreadsheet your team can track to closure.
~25 findings on a typical engagement
Outcome 02
Bias & explainability tested, not assumed
Algorithmic bias audit using Fairlearn and AIF360 across protected characteristics. Demographic parity, equal opportunity, and disparate impact computed. Model explainability with SHAP — a sample of decisions explained in plain language for non-technical reviewers.
3 fairness metrics + SHAP value plots
Outcome 03
A board-ready summary
A 6-to-8 page director-level document covering risk classification under the EU AI Act, the three-question summary, the headline risk register, and the prioritised remediation roadmap. Written in plain language by people who routinely brief boards.
1 document your CIO can present unchanged
03 · What we audit

Six dimensions, one engagement.

sonofgraig's source-service catalog defines Ethical AI Consulting as six sub-disciplines. The audit covers all six. Each pillar produces specific findings that flow into the risk register, mapped to the specific section of POPIA, the EU AI Act, or ISO/IEC 42001 it relates to. Nothing is generic; everything cites the source rule.

Pillar 01 · Algorithmic Bias Audits
Algorithmic bias testing
Statistical testing for demographic parity, equal opportunity, and disparate impact across protected characteristics. Fairlearn and AIF360 run on a representative sample of model outputs supplied by your team.
  • Fairlearn fairness metrics across groups
  • AIF360 disparate impact analysis
  • Documented in board summary
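The three metrics this pillar names are simple enough to compute without the toolkits, and seeing the arithmetic makes the register figures (a disparate-impact ratio below the 0.80 four-fifths threshold, a demographic parity gap) easier to read. The block below is an added example, not sonofgraig's audit code and not Fairlearn or AIF360 output: it computes selection-rate gap (demographic parity), selection-rate ratio (disparate impact) and true-positive-rate gap (equal opportunity) over a constructed sample of decisions. The group labels, counts and the `fairness_report` function are constructed for illustration.

```python
"""Group fairness metrics over a constructed sample of model decisions.

Added example; not sonofgraig's audit code and not Fairlearn/AIF360 output.
Each row is (group, y_true, y_pred): the protected-characteristic value,
the ground-truth outcome, and the model's decision (1 = selected/approved).
"""
from collections import defaultdict

# Constructed confusion-matrix counts per group (no real customer data).
# Group A: 35 TP, 7 FP, 5 FN, 13 TN   -> 60 rows, 42 selected
# Group B: 20 TP, 10 FP, 15 FN, 15 TN -> 60 rows, 30 selected
SAMPLE = (
    [("A", 1, 1)] * 35 + [("A", 0, 1)] * 7 + [("A", 1, 0)] * 5 + [("A", 0, 0)] * 13
    + [("B", 1, 1)] * 20 + [("B", 0, 1)] * 10 + [("B", 1, 0)] * 15 + [("B", 0, 0)] * 15
)


def selection_rate(rows):
    """Share of the group that received the positive decision."""
    return sum(pred for _, _, pred in rows) / len(rows)


def true_positive_rate(rows):
    """Share of the group's true positives the model actually selected."""
    positives = [pred for _, truth, pred in rows if truth == 1]
    return sum(positives) / len(positives)


def by_group(sample):
    groups = defaultdict(list)
    for row in sample:
        groups[row[0]].append(row)
    return groups


def fairness_report(sample, threshold=0.8):
    """Compute the three pillar metrics and the four-fifths rule verdict.

    The ratio here is min/max selection rate (Fairlearn's
    demographic_parity_ratio convention). AIF360's disparate_impact divides
    the unprivileged by the privileged rate instead, so it can exceed 1.0;
    the two agree whenever the privileged group has the higher rate.
    """
    groups = by_group(sample)
    rates = {g: selection_rate(r) for g, r in groups.items()}
    tprs = {g: true_positive_rate(r) for g, r in groups.items()}
    hi, lo = max(rates.values()), min(rates.values())
    report = {
        "selection_rate": rates,
        "true_positive_rate": tprs,
        "demographic_parity_difference": hi - lo,
        "disparate_impact_ratio": lo / hi if hi else float("nan"),
        "equal_opportunity_difference": max(tprs.values()) - min(tprs.values()),
    }
    report["four_fifths_rule_passed"] = report["disparate_impact_ratio"] >= threshold
    return report


if __name__ == "__main__":
    r = fairness_report(SAMPLE)
    for key, value in r.items():
        print(f"{key}: {value}")
```

A register entry is written from the last three keys: the ratio and whether it clears the threshold, the parity gap, and the opportunity gap, each alongside the group sizes so a reader can judge whether a small group is driving the number.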
Pillar 02 · AI Governance Frameworks
Governance framework gaps
Review of your AI governance policies, model approval processes, change management, incident response, and acceptable-use rules. Mapped to ISO/IEC 42001 and the AI Risk Management Framework requirements.
  • Policy review & gap analysis
  • AI risk register starter pack
  • Incident response runbook review
Pillar 03 · Model Explainability
XAI — SHAP value analysis
A sample of model decisions explained using SHAP values. Each decision presented with the contributing features ranked by influence, written up in plain language for non-technical stakeholders — not academic feature-importance plots.
  • SHAP value plots per sampled decision
  • Plain-language explanations for legal & CX
  • Model card per audited system
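To show what a SHAP value actually is before the plots arrive, here is an added example that computes the exact Shapley attribution of one sampled decision by brute force and renders it as the ranked plain-language sentences this pillar describes. It is not sonofgraig's code and does not call the shap library; the scoring model, feature names, background rows and the decision being explained are all constructed. For a linear model like this one the result equals what SHAP's linear explainer returns with interventional perturbation, so the closed form (weight times the feature's distance from its background mean) is a useful cross-check.

```python
"""Exact Shapley attribution for one sampled decision.

Added example; not sonofgraig's audit code and not the shap library.
It enumerates every coalition of features (fine for a handful of features,
which is all a plain-language readout needs) and renders the ranked
contributions as sentences. Model, names and rows are constructed.
"""
import itertools
import math

FEATURES = ["monthly_income_k", "months_at_address", "prior_defaults"]
WEIGHTS = [0.5, 0.2, -1.5]  # constructed linear scoring model
BIAS = 0.0
BACKGROUND = [[2, 1, 0], [3, 3, 1], [1, 2, 2]]  # constructed reference rows
DECISION = [4, 5, 0]  # the sampled decision being explained


def score(x):
    """Constructed model: a linear score; higher means more likely approved."""
    return BIAS + sum(w * xi for w, xi in zip(WEIGHTS, x))


def shapley_values(model, x, background):
    """Exact Shapley values using the interventional (marginal) expectation:
    features outside a coalition take their values from the background rows."""
    n = len(x)

    def coalition_value(subset):
        total = 0.0
        for row in background:
            z = [x[i] if i in subset else row[i] for i in range(n)]
            total += model(z)
        return total / len(background)

    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for k in range(len(others) + 1):
            # Shapley kernel weight |S|! (n-|S|-1)! / n! for coalitions of size k
            weight = math.factorial(k) * math.factorial(n - k - 1) / math.factorial(n)
            for combo in itertools.combinations(others, k):
                s = frozenset(combo)
                phi[i] += weight * (coalition_value(s | {i}) - coalition_value(s))
    return phi


def explain_decision(model, x, names, background):
    """Return baseline, prediction, ranked contributions and readout sentences."""
    phi = shapley_values(model, x, background)
    baseline = sum(model(r) for r in background) / len(background)
    ranked = sorted(zip(names, x, phi), key=lambda t: abs(t[2]), reverse=True)
    sentences = [
        f"{name} = {value} pushed the score {'up' if c > 0 else 'down'} by {abs(c):.2f}"
        for name, value, c in ranked if abs(c) > 1e-12
    ]
    return {
        "prediction": model(x),
        "baseline": baseline,
        "contributions": ranked,
        "sentences": sentences,
    }


if __name__ == "__main__":
    report = explain_decision(score, DECISION, FEATURES, BACKGROUND)
    print(f"baseline {report['baseline']:.2f} -> prediction {report['prediction']:.2f}")
    for line in report["sentences"]:
        print(" -", line)
```

The efficiency property (contributions sum to prediction minus baseline) is what makes the readout honest: every point of the score is accounted for by a named feature, and a reviewer can check the sum against the register entry.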
Pillar 04 · Regulatory Compliance
POPIA · EU AI Act · GDPR
Compliance mapping across the four major frameworks. POPIA gaps are not assumptions — we cite the section number and the specific control. EU AI Act risk classification per the official taxonomy, with the rationale documented.
  • POPIA ss.11, 13, 19, 22, 26, 72 mapping
  • EU AI Act risk classification
  • Data flow map to verify residency
Pillar 05 · AI Safety Red Teaming
Adversarial & jailbreak testing
Systematic adversarial probing for prompt injection, data exfiltration, jailbreaks, and known LLM attack patterns from the OWASP LLM Top 10. Each successful attack is reproduced in the report with mitigation guidance.
  • OWASP LLM Top 10 testing
  • Prompt injection & jailbreak attempts
  • Reproducible PoC for each finding
Pillar 06 · Sustainability & cost
Compute & carbon efficiency
Token consumption per workflow, model right-sizing recommendations, and a basic carbon-equivalent estimate. Often the cheapest remediations come from this pillar — smaller models are usually safer, cheaper, and lower-carbon.
  • Token consumption baseline per workflow
  • Model right-sizing recommendations
  • FinOps & carbon delta projections
04 · Frameworks covered

Four frameworks, honestly mapped.

A serious AI audit doesn't promise certification it can't grant — it produces a clear-eyed map of where your system stands against each applicable framework, with the citations a regulator would expect. The depth tag below tells you whether your engagement produces a full controls map (most), a readiness assessment (some), or only flags the gaps for a separate workstream.

Framework · What we cover · Audit depth

POPIA (Act 4 of 2013 · ZA)
  What we cover: South African Protection of Personal Information Act. Section-by-section gap analysis covering Section 11 (lawful processing), Section 13 (data minimisation), Section 19 (security safeguards), Section 22 (breach notification), Section 26 (special PI), and Section 72 (data residency).
  Audit depth: Full controls map
EU AI Act (Regulation (EU) 2024/1689)
  What we cover: Risk classification of the audited AI system per the official taxonomy — minimal, limited, high-risk, or unacceptable. High-risk systems get the Annex III mapping. Required for any organisation serving EU data subjects or operating in EU jurisdictions.
  Audit depth: Readiness assessment
GDPR (Regulation (EU) 2016/679)
  What we cover: Alignment review for organisations with EU data subjects. Most POPIA controls satisfy the equivalent GDPR requirements; we identify the deltas. Standard Contractual Clauses reviewed for cross-border data transfer where lawful.
  Audit depth: Full controls map
ISO/IEC 42001 (AI Management System)
  What we cover: The new international standard for AI management systems. We assess your current state against the AIMS clauses and produce a readiness gap. Useful as a foundation for organisations considering ISO/IEC 42001 certification within 12 months.
  Audit depth: Readiness assessment
NIST AI RMF 1.0 (AI Risk Management)
  What we cover: US National Institute of Standards and Technology AI Risk Management Framework. Useful as a structured way to think about the four core functions: govern, map, measure, manage. Cross-walked to your audit findings for completeness.
  Audit depth: Gap-flagging
PAIA + sector rules (South African industry-specific)
  What we cover: For regulated sectors, we cross-walk findings to the relevant sectoral law — FAIS and FICA for financial services, the National Health Act for healthcare, the Banks Act for retail banking. Sector mapping is included where it applies.
  Audit depth: Sector add-on
05 · Common triggers

Six situations that mean it's time.

Every audit we run starts with a specific business event — a board paper, a regulator letter, a procurement requirement. The patterns below cover roughly nine in ten of the engagements we deliver. If your situation looks like one of these, we can usually scope inside a single 30-minute call.

Financial services
Pre-deployment audit before going live with a customer-facing AI
Banks and insurers cannot deploy a customer-facing AI agent or decision-support model without a board-level sign-off. The audit produces the artifacts the board needs — the three-question summary, the bias report, and the POPIA s.19 evidence pack — without delaying go-live.
Tags: FAIS · POPIA s.19 · Bias audit
Shadow AI
Audit of staff-deployed ChatGPT, Copilot, or Gemini usage
Your organisation has staff using ChatGPT, Copilot, or third-party AI tools without central IT oversight. The audit maps actual data flows, classifies the POPIA exposure, and produces an acceptable-use policy your CISO can roll out the following week.
Tags: Shadow IT · Data flow · AUP
Government & SOEs
Information Regulator inquiry response preparation
A regulator letter has arrived — or is expected. The audit gives you a defensible POPIA position document, a complete data flow map, and remediation evidence that demonstrates good faith. We do not represent you to the Regulator, but we equip your Information Officer to.
Tags: POPIA s.22 · PAIA · Evidence
Procurement
Pre-acquisition due diligence on a target AI vendor
Your organisation is about to procure a third-party AI system or acquire a company that uses one. The audit acts as technical due diligence — identifying inherited risk in bias, residency, explainability, and POPIA exposure that the seller will not surface voluntarily.
Tags: Due diligence · M&A · Vendor risk
Healthcare
POPIA Section 26 review of clinical-adjacent AI
Healthcare AI handling special personal information requires Section 26 safeguards. The audit reviews data handling against the heightened requirements, classifies the system per the EU AI Act (where high-risk Annex III likely applies), and confirms adequate human oversight controls.
Tags: POPIA s.26 · EU AI Act · National Health Act
Group risk
Annual AI risk register refresh for the board
Larger groups have multiple AI systems across business units. The audit produces a unified group AI risk register and refreshes it annually. The board gets a single view across all AI risk; each business unit gets its specific remediation tasks.
Tags: ERM · Risk register · Annual review
06 · The deliverable

A risk register your CIO can actually use.

The risk register is the centre of gravity of the audit. Every finding is numbered, mapped to a specific framework citation, classified by severity, and tagged with an estimated time-to-remediate. The mock below shows the live structure — identical to the one your team receives, with your real findings instead of these illustrative ones.

What you receive
Three artifacts. One audit.
The audit produces three deliverables, each independently usable. The risk register is the technical backbone. The board summary is the director-level communication. The bias and explainability appendix is the evidence pack your Information Officer files for compliance.
The Risk Register — PDF and editable spreadsheet. ~25 typical findings with framework citations, severity, owner, and due date.
The Board Summary — 6 to 8 page director-level dossier. Three-question summary, EU AI Act classification, headline findings, prioritised roadmap.
The Evidence Appendix — bias metric outputs, SHAP plots, sample model decisions, data flow diagram, framework controls map.
30-day re-test option — validate critical-severity remediations and update the register at no additional cost.
AI Risk Register — Acme Holdings · v1.0 · 24 findings · last updated wk 3 · FY26-Q2
Views: Critical & high · All findings · By framework · Roadmap

001 · Critical · ≤ 7 days
  Customer queries forwarded to ChatGPT include raw SA ID numbers
  POPIA s.19 violation — no PII redaction before transmission to a non-residency LLM. {org}/CX-bot
002 · Critical · ≤ 14 days
  No record of consent (POPIA s.11) for the AI processing of customer data
  Customer-facing T&Cs reference data processing in general but do not enumerate AI-specific processing.
003 · High · ≤ 30 days
  Disparate-impact ratio of 0.71 across one protected group
  Below the 0.80 four-fifths threshold. AIF360 disparate impact, demographic parity gap of 0.14.
004 · High · ≤ 30 days
  Vendor LLM data residency unverified
  Inference traffic egresses to eu-west-1. POPIA s.72 requires explicit transfer basis.
005 · High · ≤ 30 days
  No model card or documented use-case constraints
  EU AI Act Article 13 & ISO/IEC 42001 AIMS clause 7.5 require documented intended use.
006 · Medium · ≤ 60 days
  Audit log retention period unconfigured
  Production prompts and responses retained indefinitely. Conflicts with POPIA s.14 minimisation.

Findings shown are illustrative composites — not from any specific customer. Real engagements typically surface 20–30 findings; complex cross-organisation systems can surface more.
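Finding 001 in the mock is the kind of issue that closes with a small gate in the integration layer: strip identifiers before the request leaves the residency boundary, and log how many were stripped so the re-test has evidence. The block below is an added example and not sonofgraig's remediation code or anything from the mock customer. It detects and redacts South African ID numbers in outbound text using the format's own structure (13 digits, a YYMMDD birth-date prefix, and a Luhn check digit), which keeps order references and other 13-digit runs from being redacted by mistake. The sample query, the `redact_sa_ids` function and the placeholder token are constructed.

```python
"""Redact South African ID numbers from text before it is sent to an LLM.

Added example; not sonofgraig's code. A SA ID number is 13 digits:
YYMMDD (birth date), SSSS (sequence), C (citizenship), A, Z (Luhn check
digit over all 13 digits). Strict mode requires a plausible date and a
valid Luhn checksum; non-strict mode redacts any 13-digit run.
"""
import re
from datetime import date

SA_ID_RE = re.compile(r"(?<!\d)(\d{13})(?!\d)")
PLACEHOLDER = "[SA_ID_REDACTED]"

# Constructed sample query; the ID number below is synthetic and Luhn-valid,
# the order reference is a 13-digit run that is deliberately not an ID.
CONSTRUCTED_QUERY = (
    "Hi, my ID is 9001015001083, please update my address. "
    "Order ref 1234567890123."
)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum over the full digit string (check digit last)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_birth_date(yymmdd: str) -> bool:
    """True if YYMMDD is a real calendar date in either the 1900s or 2000s."""
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    for century in (1900, 2000):
        try:
            date(century + yy, mm, dd)
            return True
        except ValueError:
            continue
    return False


def looks_like_sa_id(candidate: str) -> bool:
    return (
        len(candidate) == 13
        and candidate.isdigit()
        and plausible_birth_date(candidate[:6])
        and luhn_valid(candidate)
    )


def redact_sa_ids(text: str, strict: bool = True, placeholder: str = PLACEHOLDER):
    """Return (redacted_text, number_of_redactions).

    strict=True redacts only structurally valid ID numbers (fewer false
    positives); strict=False redacts every 13-digit run (fewer misses).
    """
    hits = []

    def replace(match):
        token = match.group(1)
        if strict and not looks_like_sa_id(token):
            return token
        hits.append(token)
        return placeholder

    return SA_ID_RE.sub(replace, text), len(hits)


if __name__ == "__main__":
    redacted, count = redact_sa_ids(CONSTRUCTED_QUERY)
    print(f"{count} identifier(s) redacted: {redacted}")
```

Which mode to run is a risk decision to record in the register: strict mode protects against over-redacting legitimate 13-digit references, non-strict mode protects against a mistyped or non-citizen identifier slipping through. Either way the count, not the redacted value, is what gets logged.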

07 · Delivery cadence

Three weeks. Three artifacts.

A 2–3 week audit runs at a deliberate pace — not a sprint, not a slog. Most engagements complete in 14 to 18 working days from kickoff. The cadence below is the standard plan; multi-business-unit engagements occasionally extend the discovery week. We will tell you which week you are in at every check-in.

Week 1 · Kickoff & data gathering
System inventory · Data flows · Document collection · NDA
A two-hour kickoff workshop with the audit sponsor, your Information Officer, and the technical owner of the AI system. We agree the systems in scope, request a defined evidence pack (model documentation, training-data summary, sample inputs and outputs, current policies), and run a short interview series with end-users and downstream consumers of the AI system.
Deliverables:
  • Signed engagement letter and mutual NDA
  • Documented system inventory and data flow map
  • Audit work plan with daily check-in cadence
Week 2 · Technical testing & framework mapping
Bias audit · SHAP · Adversarial · Compliance map
The technical core of the engagement. Algorithmic bias testing on the supplied output sample using Fairlearn and AIF360. SHAP value extraction and plain-language explanation of a sampled set of decisions. Red-team probing for prompt injection and OWASP LLM Top 10 risks. Section-by-section mapping against POPIA, EU AI Act, GDPR, and ISO/IEC 42001.
Deliverables:
  • Bias audit report with three fairness metrics
  • SHAP value analysis on a sampled set of decisions
  • Adversarial test log with reproducible PoC for each finding
  • Framework compliance map with section citations
Week 3 · Synthesis, board summary & readout
Risk register · Board summary · Roadmap · Readout
All findings consolidated into the AI risk register, classified by severity, prioritised by remediation impact and effort. The board summary is drafted, reviewed by your Information Officer, and finalised. Two readout sessions: one technical with your platform and AI teams; one director-level with the audit sponsor and CIO/CRO. The 30-day re-test window opens.
Deliverables:
  • AI Risk Register — PDF and editable spreadsheet
  • Board-ready compliance summary — 6 to 8 pages
  • Prioritised remediation roadmap with effort estimates
  • Two readout sessions — technical and director-level
  • 30-day re-test window opens for critical-severity findings
08 · Scope

Exactly what's in. Exactly what's not.

Fixed-scope means we have to be explicit about boundaries. The lists below are the standard inclusions and exclusions for the R45,000 starting price — the audit of a single AI system within a single business unit. Multi-system or group-wide engagements are quoted separately based on system count.

Included
In the fixed-scope engagement
  • Audit of one AI system within one business unit
  • Kickoff workshop & up to 6 stakeholder interviews
  • Documented data-flow map for the audited system
  • POPIA section-by-section gap analysis — ss.11, 13, 19, 22, 26, 72
  • EU AI Act risk classification with rationale
  • GDPR alignment review
  • ISO/IEC 42001 readiness assessment
  • Algorithmic bias audit with Fairlearn and AIF360
  • SHAP value plots and explanations on a sampled set of decisions
  • Adversarial test log against OWASP LLM Top 10
  • Token consumption baseline & right-sizing recommendations
  • AI risk register with severity, owner, due date
  • Board-ready compliance summary (6–8 pages)
  • Prioritised remediation roadmap with effort estimates
  • Technical readout (60 min) & director-level readout (45 min)
  • 30-day re-test of critical-severity findings at no extra cost
Out of scope
Quoted separately
  • Audit of more than one AI system — +R20K each
  • Group-level engagement across multiple business units
  • Implementation of remediations — that is the AI Agent service
  • POPIA Information Officer outsourcing — you retain that role
  • Legal representation to the Information Regulator
  • ISO/IEC 42001 certification work — this is readiness only
  • Penetration testing of underlying infrastructure
  • Training-data provenance audits requiring vendor disclosure
  • Continuous monitoring — available via Governance Hub product
  • Custom academic-style fairness research beyond the three metrics
09 · Methodology & tools

Open source. Reproducible.

Every measurement in the audit comes from a tool you can run yourself afterwards. We do not use proprietary scoring frameworks or invented severity scales. The toolchain below is industry-standard open source — the same toolchain sonofgraig's own Governance Hub product is built on.

Tool · Category · Role in the audit

Fairlearn (Bias metrics)
  Microsoft's open-source fairness toolkit. Demographic parity, equalised odds, and equal opportunity metrics across protected groups. MIT licensed.
AIF360 (Bias metrics)
  IBM's AI Fairness 360 toolkit. Disparate impact ratio, statistical parity difference, and several mitigation algorithms for benchmarking remediations.
SHAP (Explainability)
  SHapley Additive exPlanations — the standard for explaining individual model decisions. Both per-feature contributions and plain-language summaries.
Evidently AI (Drift)
  Open-source ML monitoring. Used during the audit to establish a drift baseline against the supplied output sample. Useful baseline for ongoing monitoring after handover.
Garak (LLM red team)
  NVIDIA's open-source LLM vulnerability scanner. Probes for prompt injection, encoded payloads, and known jailbreak patterns from the OWASP LLM Top 10.
PyRIT (Adversarial)
  Microsoft's Python Risk Identification Toolkit. Used for systematic adversarial probing of generative-AI systems against catalogued attack patterns.
EU AI Act risk taxonomy (Framework)
  The official Regulation (EU) 2024/1689 risk classification. Annex III high-risk system list mapped to the audited system.
POPIA Act 4 of 2013 (Framework)
  Section-by-section traceability of audit findings to the specific subsection of POPIA they implicate — with the citation in the risk register entry.
ISO/IEC 42001 AIMS (Framework)
  2023 international standard for AI management systems. Cross-walked to the audit findings as a readiness gap for organisations considering certification.
NIST AI RMF 1.0 (Framework)
  The NIST AI Risk Management Framework. Used as a structured way to map findings to the four core functions: govern, map, measure, and manage.
10 · Pricing

One number. No hourly surprises.

sonofgraig service projects are deliberately simple to procure. The price is the price. Scope is fixed before contracting. Variations are quoted in writing and signed before any additional work is performed.

AI Governance & Ethics Audit
Fixed-scope engagement
R45,000 ZAR
Starting price for the audit of a single AI system within a single business unit. Final figure depends on system complexity and the breadth of the regulatory regime applicable.
Single payment. 50% on contract signature, 50% on board-summary delivery.
2–3 weeks. Standard delivery window. Multi-stakeholder engagements may add up to a week.
30-day re-test included. Validate critical-severity remediations at no additional cost.
NDA before scoping. A standard mutual NDA can be in place within an hour of request.
What sits outside the engagement price
  • Additional AI system audited · +R20K each
  • Group-wide audit across business units · Per system
  • Sector-specific framework cross-walks (FAIS, FICA, etc.) · +R12K each
  • Implementation of remediation findings · AI Agent svc.
  • ISO/IEC 42001 certification preparation · From R85K
  • Continuous AI governance monitoring · Governance Hub
  • Information Regulator response support beyond audit · Per case
  • Annual re-audit (recommended) · 20% discount
Convert to platform on close. Continuous monitoring of the audited system is available through the sonofgraig Governance Hub product (Q1 2027) — bias detection, XAI reports, automated POPIA compliance monitoring, and an immutable audit log. Founding-customer terms credit the first three months of subscription against the audit fee.
12 · Frequently asked

Questions risk, legal and procurement teams ask.

If your team is preparing for a vendor review or a board sign-off, the answers below cover most of what gets raised. Anything else, your account team can route to engineering directly.

Is this a regulatory certification?
No, and we are explicit about that. sonofgraig is not an accredited audit firm and we do not issue regulatory certifications. What we provide is a technical and compliance audit by senior engineers who have built POPIA-compliant AI systems — a defensible analysis your CIO, CRO, and Information Officer can rely on, with framework-cited findings, reproducible bias and explainability tests, and a board-ready summary. For organisations pursuing ISO/IEC 42001 certification, this audit is excellent preparation; the certification itself is performed by an accredited certification body separately.
Will sonofgraig audit AI systems built by your competitors?
Yes. The audit is vendor-independent — we audit any AI system regardless of who built it: ChatGPT, Microsoft Copilot, Google Gemini, AWS Bedrock workflows, third-party RAG implementations, in-house models, and sonofgraig's own platform. We are explicit that an audit by us is not a certification of suitability for a sonofgraig replacement. If we find issues, the audit reports them. Whether you remediate, replace, or accept the risk is your decision. Most engagements do not result in a sonofgraig product purchase.
Is the R45,000 fixed, or just a starting figure?
It is the starting price for the standard scope — one AI system, one business unit, the four core frameworks. Your final fixed price is confirmed at the end of a 30-minute scoping call, before any contract is signed. Once signed, the price does not move. Common extensions are an additional system (typically +R20K), a sectoral cross-walk like FAIS or the National Health Act (+R12K each), or a multi-business-unit engagement (per-system pricing).
What evidence do you need from us, and is any of it sensitive?
We typically request: a summary of training-data sources (categories, not raw data), model documentation if available, a representative sample of inputs and outputs with personal information redacted by your team, existing AI policies, and access for a brief technical conversation with the engineer responsible for the system. We do not need or want production credentials, raw personal information, or untouched datasets. The mutual NDA is in place before evidence is shared, and all data is processed inside af-south-1 and deleted within 30 days of audit close.
Do you represent us to the Information Regulator?
No. We are a technical and compliance audit firm; we are not a law firm. The audit equips your Information Officer to respond to a regulator inquiry confidently, with documented evidence, framework citations, and a remediation roadmap demonstrating good faith. If the regulator requires legal representation, we can refer you to South African legal practices we have worked alongside.
Can the audit happen if our AI system is hosted externally?
Yes — this is our most common case. Most South African enterprises run AI on third-party services (ChatGPT, Copilot, Gemini, Bedrock, third-party SaaS). We work from your usage of the system, not from inside the vendor's infrastructure. The audit assesses what data you send, where it goes, what the vendor's published controls are, and whether your usage produces the POPIA, EU AI Act, and ISO/IEC 42001 evidence you need. Most "shadow AI" findings come from this category.
What does the 30-day re-test cover?
A re-validation of the critical-severity findings in the original risk register, at no additional cost, within 30 days of audit close. We re-run the relevant tests, update the register, and issue a short addendum confirming which critical findings have been remediated to closure. Medium and low findings are not re-tested as part of the original engagement — those can be re-tested in a separate, smaller engagement or as part of an annual re-audit.
Do you sign mutual NDAs and handle confidential disclosures?
Yes. We have a standard mutual NDA we can send for signature within an hour of request, and we are happy to sign your standard NDA. The audit team has Information Officer attestations on file. Audit data is processed inside AWS af-south-1, encrypted in transit and at rest, and deleted within 30 days of audit close per our data retention policy. Your Information Officer is named in the engagement letter and copied on every status update.
Are sonofgraig B-BBEE certified and CIPC registered?
Yes — SonOfGraig Digital Solutions (Pty) Ltd is B-BBEE certified and CIPC registered. B-BBEE spend certificates are issued per invoice. All commercial documentation is available to your procurement team for supplier onboarding via tumiso@sonofgraig.com.
Ready to scope

Book a 30-minute scoping call.

A senior auditor joins, we step through the AI system in scope and the regulatory regime that applies, identify whether it fits the standard scope, and confirm what your final fixed price will be. No commitment until contract signature. NDA in place within an hour of request.