Methodology

Kizata's diagnostic and engagement work is built on three public risk-management frameworks, plus the operator's eye that translates them into mid-market operating reality. The standards are converging: what was once cybersecurity-only governance is now extending to AI and ML systems.

The frameworks

NIST AI Risk Management Framework (NIST AI 600-1)

The U.S. federal framework for managing AI risk across the model lifecycle. Provides the structure for governance, mapping, measurement, and management of AI risk.

ISO 42001

The international standard for AI management systems. Specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system within an organization.

NIST Cybersecurity Framework (NIST CSF)

The foundational framework for managing cybersecurity risk. Now extended through SR 26-2 (the April 2026 revised interagency model risk management guidance from FRB, OCC, and FDIC) to cover AI and ML model risk for financial institutions.

The Audit methodology

The AI Stack Audit is the entry diagnostic. It applies the inventory and exposure layer of the same framework: every AI tool and license your company is paying for, classified by utilization, redundancy, and data sensitivity. The output is a two-page executive summary plus a detailed appendix, naming the three highest-exposure gaps and grounded in NIST AI RMF and ISO 42001.

The Bundle methodology

The Strategy + Governance Bundle applies a 10-dimension risk identification framework derived from these standards, mapped against the Kizata Governance Ladder maturity model with five levels (0 through 4). The output is a written governance memo identifying prioritized AI risks in the business and their corresponding ladder positions, with a 30/60/90-day action plan and the foundational policies the business needs in writing.

Sources and design rationale

Kizata's methodology is sourced from public risk-management standards (NIST AI RMF, ISO 42001, NIST CSF), the regulatory frameworks they support, and the firm's independent product engineering practice. Sources and design rationale are documented internally for legal defensibility per the firm's own compliance discipline.

How this differs from a generic AI strategy assessment

Generic AI strategy work asks "where could AI help?" Kizata's diagnostic asks "where is AI already creating risk you can't see?" Different question, different output. The Bundle produces a board-shareable governance memo and written policies, not a strategy deck.