AI consultancy · management systems, infrastructure, execution

We build your AI management system. You run it.

Your customers now ask who owns AI risk before they sign. Extrasphere builds the management system that answers them, aligned with ISO/IEC 42001, wires it to run inside your own Microsoft 365 tenant, and automates the work so it produces results, not just documents. Done for you, fixed scope, a launch date.

Book a scoping call See a build Fixed fee · agreed before we start
Built and aligned to the frameworks your buyers ask about
ISO/IEC 42001 AI management systems EU AI Act readiness NIST AI RMF mapped Microsoft SSPA Section K
Why now

The AI question moved from the ethics deck to the sales cycle.

Governance used to be optional. Now it is a forcing function: a deal stalls, a supplier form arrives, a regulation lands, or the board asks who is accountable. Buying more software has not fixed it, because the gap is organizational, not a missing tool.

The questionnaire

A customer's security review now has an AI-governance section, and your team cannot answer it confidently. The deal waits.

The supplier bar

Microsoft SSPA, enterprise procurement, and larger competitors already hold AI governance evidence. You are the vendor that does not.

The regulation

The EU AI Act and sector rules raise exposure, and existing law already applies to AI harms today. Someone has to own it.

The shadow

Staff already use AI tools nobody approved, on data nobody scoped. You suspect information has left the building through them.

What we do

Governance and execution in one engagement.

Most providers split these apart: advisers hand over a slide deck, automation shops build tools with no governance, and ISO implementers stop at documents. We do all three, so procurement gets a complete answer and your team gets a system that works.

01 · Governance

AIMS implementation and ISO 42001 readiness

We build your AI Management System end to end and prepare your organization for an independent certification audit.

  • Policies drafted to your organization, marked for counsel review
  • Live registers: systems, risks, incidents, intake, audits, training
  • A clause-coverage scorecard and a launch plan with dates
02 · Infrastructure

AI infrastructure and tooling

We stand up the platform that holds your governance and your AI work inside your own tenant, where your data already lives.

  • SharePoint, Lists, Planner, Forms, Purview, and Teams wired together
  • Evidence, approved-tool lists, and controls where your team works
  • Your data stays inside your own Microsoft 365 service boundary
03 · Execution

Automation and execution

We turn the roadmap into running workflows, so the system produces outcomes instead of sitting as a binder on a shelf.

  • Guided task flows and automations for the recurring work
  • Ready-to-use agent prompts your team runs in approved tools
  • Pilots moved out of proof-of-concept into steady-state operation
04 · For firms

White-label advisor track

For MSPs, vCISOs, and consultancies moving into AI governance, we build the system behind your brand, on a recurring basis.

  • Done-for-you ISO 42001 readiness delivered under your name
  • Multi-client deployment across your book, per engagement
  • See the Advisor program →
From a recent build

A working system your team operates, and your auditors can follow.

A governance operations console and an all-staff hub, delivered as a single package that lives in the client's own Microsoft 365 tenant. Client details changed; the structure is real.

AI governance operations console: clause scorecard, live registers, task flow, and reporting
All-staff AI hub: plain-language guidance, approved tools, and how to raise a concern

Governance ops console and all-staff hub · identifying details replaced · see the full walkthrough →

How it works

A scoped engagement with a launch date, not an open-ended project.

Scope

One week: inventory what exists, pick the framework posture, and agree the fixed scope, fee, and launch date.

Build

The system takes shape: policies, registers, both hubs, and the task flow, reviewed with your owner as it lands.

Wire & launch

Evidence and workflow move into your tenant. Your team runs the guided roadmap; we clear the blockers.

Operate

Ninety days of support while the review cadences take hold, then a handover your auditors can follow.

Fixed fee, fixed scope, agreed before we start.
Scoped on a call against the size of your AI footprint and how much of the system already exists. If you are already ISO 27001 certified, much of the groundwork carries into 42001 and the build compresses. And if a self-serve kit already covers your need, we will say so and point you there.
Why Extrasphere

Boutique speed, senior hands, honest scope.

Done for you, not advised at

You receive a working operations console your team uses, not a strategy deck to implement yourself later.

In your tenant

The system runs inside your own Microsoft 365. Prompts, evidence, and data stay inside your service boundary; we wire your controls rather than route your data through ours.

Weeks, not quarters

A fixed scope and a real launch date, sized to your footprint. No timeline theatre, and no artifact dump pretending to be a system.

Senior and direct

You work with the people building the system, not a rotating team layered over an offshore bench.

Codified, not improvised

The same practice publishes a library of governance kits and guides, so the methodology is battle-tested and repeatable.

Legally disciplined

We prepare you for independent certification and never claim to issue it. The separation is what makes the audit credible.

Straight answers

The questions buyers actually ask.

Can you get us certified?

No, and neither can any consultant. Certification is issued only by accredited certification bodies, and the rules bar a body that helps build your system from also certifying it. We build and align your AIMS to ISO/IEC 42001 and prepare you to pass an independent audit. That separation is what makes the audit credible.

Does ISO 42001 make us compliant with the EU AI Act?

No. ISO/IEC 42001 aligns your AI management system; it does not certify your AI products and it is not a compliance sign-off for the EU AI Act or any regulation. It is strong evidence of reasonable governance. For legal conclusions about a specific obligation, use qualified counsel; we prepare the evidence and the program, not the legal opinion.

Will our data be exposed to your tooling?

No. The system runs in your own Microsoft 365 tenant under your own policies. Prompts, retrieved data, and evidence stay inside your service boundary. We wire Purview and your existing controls rather than route your data through us.

We already use an automation agency. Why you?

Automation without governance is what stalls deals and fails questionnaires. We build the management system that makes your AI defensible and the automations that make it useful, in one engagement, so procurement gets a complete answer and your team gets working workflows.

Could the Big Four do this?

They can, over multiple quarters at high six figures, with a rotating team. We ship a working system on a fixed fee with a launch date, and you work directly with the people building it. If your footprint is small, that is a feature, not a compromise.

Can you really move faster than a nine-month project?

When ISO 27001 already exists, much of the groundwork carries into 42001 and the build compresses. We scope a realistic launch date up front and refuse timeline theatre. A rushed artifact dump produces documents, not a management system, so we scope honestly instead.

Clear the AI question. Unblock the deal.

Tell us where the pressure is coming from and what you have already built. We will scope a fixed engagement, or point you to a self-serve kit if that is genuinely all you need.

Book a scoping call