Terranord
01 — Index
MMXXVI

AI inside the
business.
Built to pass audit. Quietly. Correctly.

Most AI consultancies help you ship faster. Terranord makes sure what you ship survives an examination — Reg S-P, HIPAA, ISO 27001, NIST AI RMF, OWASP LLM Top 10. Compliance-first AI integration for family offices, regulated healthcare, and the firms that answer to both.

Compliance-first AI, built to pass audit.

See how we work →

30 minutes · replies within one business day · by appointment

Every engagement maps to whichever frameworks examine you.

01 Frameworks covered: NIST · ISO 27001 · HIPAA · PCI · GDPR · Reg S-P
02 AI-specific standards: NIST AI RMF · ISO 42001 · OWASP LLM Top 10
03 Engagement floor: 90 days
04 Hardened by default: FIDO2 keys · client-tenant scope
01a — Due diligence

What due diligence covers.

Eight things a compliance officer asks before signing. Answered here, documented in full on the trust page.

  • I BAA on file

    Business Associate Agreement signed before any HIPAA-scope engagement begins.

  • II Reg S-P 72-hour notice

    As your service provider we notify you within 72 hours of becoming aware of a breach, and our incident response supports your 30-day customer notification, as the amended Reg S-P requires (adopted 2024, with compliance dates running into 2026).

  • III Client-tenant default

    Your data, your cloud, your accounts. We never co-mingle tenant infrastructure.

  • IV Hardware-key MFA

    FIDO2 hardware keys for all production access. Phishing-resistant by design.

  • V Insurance

    Professional liability and cyber coverage in place. Certificate available on request under MNDA.

  • VI MSA · SOW · NDA · DPA

    Standard templates ready, derived from Common Paper. Counsel-reviewed redlines welcome.

  • VII Quarterly trust review

    Trust posture changelog updated each quarter. Material changes versioned on the /trust page.

  • VIII Coordinated disclosure

    Published policy at /.well-known/security.txt (RFC 9116). Full posture at /trust.
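A compliance reviewer verifying the disclosure claim above will want to check the published file against RFC 9116 rather than take it on trust. The checker below is an added example and not Terranord's code; it validates the required Contact and Expires fields, the at-most-once fields, contact URI schemes and the expiry window. The two sample files are constructed for the illustration and are not the firm's published /.well-known/security.txt.

```python
"""Offline checker for a security.txt file as defined in RFC 9116.

Constructed example: the two sample files below are made up for this
illustration and are not Terranord's published /.well-known/security.txt.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

REQUIRED = ("contact", "expires")
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("https", "mailto", "tel")

# Fixed reference time so the example behaves the same on every run.
FIXED_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Parse field lines into {lowercase name: [values]}; comments and blanks are skipped."""
    fields, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            malformed.append(f"line {lineno}: expected 'Field: value'")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, malformed


def validate_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes these RFC 9116 checks."""
    now = now or datetime.now(timezone.utc)
    fields, findings = parse_security_txt(text)

    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field {name.title()}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            findings.append(f"{name.title()} must appear at most once")

    # Contact values must be URIs; web URIs are expected over https only.
    for value in fields.get("contact", []):
        if urlparse(value).scheme not in CONTACT_SCHEMES:
            findings.append(f"Contact {value!r} must use https:, mailto: or tel:")

    # Expires is an RFC 3339 timestamp: it must be in the future and the RFC
    # recommends it be less than a year out, so stale files get noticed.
    for value in fields.get("expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires {value!r} is not an RFC 3339 timestamp")
            continue
        if expires.tzinfo is None:
            findings.append(f"Expires {value!r} lacks a timezone")
        elif expires <= now:
            findings.append(f"Expires {value} is in the past; the file is stale")
        elif expires - now > timedelta(days=365):
            findings.append(f"Expires {value} is more than a year out (RFC 9116 recommends under a year)")
    return findings


# Constructed sample that should pass.
GOOD_SAMPLE = """\
# Constructed sample file, not a real published policy
Contact: mailto:security@example.com
Contact: https://example.com/trust
Expires: 2027-01-01T00:00:00Z
Policy: https://example.com/trust
Preferred-Languages: en
"""

# Constructed sample with an insecure contact URI, a duplicated Expires,
# one expiry in the past and one too far in the future.
BAD_SAMPLE = """\
Contact: http://example.com/security
Expires: 2025-01-01T00:00:00Z
Expires: 2028-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        findings = validate_security_txt(sample, now=FIXED_NOW)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice you would fetch the live file over HTTPS and pass its body to validate_security_txt with the current time; the fixed FIXED_NOW here only keeps the sample output stable.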

§ 02 — Services

What we install.

Three practices. One discipline. Each engagement starts with a two-week diagnostic and ends with production systems your team owns — and can defend.

  1. Practice I

    AI Readiness & Security Audit

    2 weeks · from $4,500 (SMB) · from $25,000 (family office)

    We map every place AI already lives in your business, sanctioned and otherwise, and grade each against NIST AI RMF, OWASP LLM Top 10, and the regulations and standards that examine you: Reg S-P, HIPAA, ISO 27001, PCI DSS. You receive a written risk register, a remediation sequence ranked by likelihood and blast radius, and the documentation an auditor will ask for first.

    • Shadow-AI inventory
    • Vendor & data-flow mapping
    • Examiner-grade documentation
  2. Practice II

    AI Strategy Sprint

    2 weeks · from $15,000 (SMB) · from $50,000 (family office)

    For institutions that have decided AI belongs in their operating model and need the architecture before the build. We design the governance layer first — model selection, agentic system boundaries, data residency, prompt and output controls, human-in-the-loop gates, audit logging — then the integration sequence. The deliverable is a buildable blueprint, not a slide deck. Your engineers (or ours) ship from it.

    • Governance architecture
    • Agentic system design
    • Integration roadmap
  3. Practice III

    Fractional AI Security Officer

    Monthly retainer, 3-month minimum · from $7,500/mo (SMB) · $15,000–$25,000/mo (family office)

    A named, accountable security officer for your AI program. Monthly cadence: control reviews, policy maintenance, incident-response readiness, vendor due diligence, board-level reporting, and direct response when an AI-related question arrives from an examiner, an enterprise-customer questionnaire, or a fraud event. One practitioner, quoted directly. Continuity matters more than coverage.

    • Program ownership
    • Examiner & questionnaire response
    • Board reporting
§ 03 — Approach

How we work.

01

Diagnose

2 weeks

We inventory every AI surface, sanctioned or not, and map it to the frameworks that examine you. The output is a written risk register and a regulator-grade gap analysis — not a deck.

02

Blueprint

1 week

We design the governance layer first: model boundaries, data flows, audit logging, human gates. Engineers can build from it; counsel can review it; a board can approve it.

03

Install

4–6 weeks

We integrate the AI workflow with the controls already specified — secure CI/CD, secrets management, prompt and output governance, monitored from the first request. No retrofitting compliance.

04

Operate

90 days

We hold the program through its first audit cycle. Examiner questionnaires, incident drills, vendor reviews, board reporting. After 90 days you have a defensible record, not just a system.

“Most AI failures are governance failures discovered late.”
Miami · MMXXVI
§ 04 — FAQ

Questions we're asked.

§ 05 — Contact

Start with an introduction.

Thirty minutes, by appointment. We'll tell you where AI belongs in your operations, where it doesn't, and what the next step looks like — including the cases where the next step isn't us.

Replies within one business day · Miami, FL