Phase 3 of The Protocol

Don't Wait for the Audit. Be Ready for It.

Pre-built documentation that accelerates your compliance review. We prepare the evidence file; your auditor validates it.

$8-12k · 2 Weeks · ISO 27001 Aligned

The "Audit Delay" Trap

External audits typically take 8-12 weeks because auditors start from scratch. They request architecture documentation, data flow diagrams, security evidence, control mappings—all from you. Your team scrambles to find it, organize it, and present it in a format they can understand.

Meanwhile, your AI implementation is blocked, waiting for audit sign-off.

Phase 3 solves this by building the evidence file in advance. Your auditor reviews pre-built documentation instead of requesting it from you piece by piece. They validate it, ask clarifying questions, and sign off faster.

We don't replace your auditor. We accelerate them.

What Your Auditor Gets: Pre-Built Evidence Package

Phase 3 produces a comprehensive documentation package designed to be handed directly to your external auditor or compliance team.

✓ Architecture & Data Flow Documentation

Visual diagrams showing exactly where your data sits, how it moves, and where it's processed. Includes:

  • Cloud tenant boundary diagram (Azure/AWS/GCP)
  • Data flow: Documents → AI Pipeline → Your ERP
  • Network architecture and access control points
  • Encryption in transit and at rest

Your auditor uses this as the starting point. Instead of asking "where does the data go?", they review your answer already documented. Saves ~2-3 weeks of back-and-forth.

✓ ISO 27001 Control Mapping

Documentation linking your AI deployment to specific ISO 27001 control clauses. For each relevant control, we document:

  • What the control requires
  • How your AI deployment meets it
  • Evidence (logs, screenshots, policies)
  • Residual risks and mitigations

Your auditor validates this mapping. They may ask clarifying questions or request additional evidence, but they're reviewing your answer instead of starting from "what controls apply?"

✓ Risk & Mitigation Assessment

We identify potential risks specific to AI-powered automation and document how each is mitigated:

  • Hallucination Risk: Mitigated by "Human-in-the-Loop" review
  • Data Quality Risk: Mitigated by Phase 1 validation and monitoring
  • Model Drift Risk: Mitigated by retraining and monitoring
  • Access Control Risk: Mitigated by role-based ERP permissions
  • Data Residency Risk: Mitigated by tenant-only processing

Your auditor assesses whether these mitigations are sufficient. This documentation gives them the starting point for that conversation.

✓ Security & Compliance Checklist

Pre-filled questionnaires addressing common auditor/insurer concerns:

  • Data sovereignty: Does the AI access data outside your tenant? (No)
  • Vendor access: Can we access your data? (No)
  • Audit trails: Are AI decisions logged? (Yes)
  • Change management: How are model updates controlled? (Documented)
  • Disaster recovery: What if the AI fails? (Manual fallback)

Your auditor reviews these answers. You're answering with documentation instead of improvising.

[Infographic: Phase 3 Compliance Process]

Phase 3 Sample Documentation

See what your auditor receives. This is a redacted example showing the Pre-Audit Pack we delivered for a 50-person engineering firm—complete with risk matrices, ISO 27001 control mappings, and pre-filled compliance questionnaires.

What's Inside This Sample:

Risk Assessment

5 major risks identified, scored, and mitigated with controls

ISO 27001 Mapping

Pre-filled control mappings to 4 core clauses with evidence

Security Controls

Data residency, access control, and validation documented

PI Insurance Q&A

Pre-filled questionnaire with evidence index for insurers

Note: This is a redacted sample from a real client engagement. Client-specific data, architecture diagrams, and sensitive details have been removed. Your Phase 3 report will include full technical documentation customized to your environment.

Accelerate Your Audit Process

Phase 3 delivers the evidence file your auditor needs—architecture diagrams, control mappings, risk assessments. They review it instead of requesting it piece by piece.

Start Compliance Shield ($8-12k) Book 15-Min Consultation

Or explore Phase 2 Strategic Assessment if you haven't completed it yet.

What Phase 3 Is NOT

This is critical to understand. Phase 3 is audit support, not a substitute for auditor judgment.

✗ Not an Audit

Phase 3 is documentation preparation, not an audit. We don't review your security controls, test your systems, or validate compliance—we document your architecture so your auditor can review it.

Your external auditor still conducts a full audit. They review our documentation, ask follow-up questions, and make the final compliance determination.

✗ Not a Certification

Phase 3 does not certify that you meet ISO 27001, SOC 2, or any other standard. We align documentation to those standards; your auditor validates the alignment.

Only your external auditor can certify compliance. We support their review; we don't replace it.

✗ Not Insurance Pre-Approval

Phase 3 does not include insurance approval, pre-approval, or coverage guarantees. We prepare documentation that helps your insurer understand your AI deployment; they make the coverage decision.

Insurance underwriting happens after Phase 3. You'll submit Phase 3 documentation to your PI insurer. They review it (2-8 weeks) and make a coverage determination.

✗ Not Risk Mitigation

Phase 3 documents risks and proposed mitigations; it doesn't eliminate them. Your auditor/insurer may decide that some risks require additional controls beyond what Phase 3 proposes.

We identify the risks; you and your auditor decide if the mitigations are sufficient. If they aren't, you may need additional security work before proceeding.

Bottom line: Phase 3 is a time-saving tool for your auditors and insurers, not a substitute for their judgment. It's the difference between "we'll need to understand how your AI works" (slow, 12 weeks) and "we've reviewed your architecture documentation and have three follow-up questions" (fast, 3 weeks).

Who Needs Phase 3?

Phase 3 is valuable for any firm, but essential if any of these apply to you:

You Have an External Audit Coming

If you're subject to ISO 27001, SOC 2, or similar audits, Phase 3 documentation will dramatically reduce audit timeline and cost. Your auditor starts with pre-built evidence instead of sending you a 20-item questionnaire.

You're Regulated or Certified

Financial services (AFSL), healthcare (HIPAA), legal (privilege), government (security clearances)—if you're regulated, your auditor/regulator will ask about the AI. Phase 3 gives them the answers upfront.

Your Insurer Wants Understanding

PI insurers are increasingly asking about AI deployments. Phase 3 documentation helps them understand your risk management approach so they can make a coverage decision faster.

You Have a CTO or IT Governance Team

If your IT team wants documentation of the AI system before it goes live, Phase 3 provides architecture diagrams, control mappings, and risk assessments in the language they understand.

Your Industry Moves Slowly on AI Adoption

Accounting, legal, and financial services are conservative. Having pre-built compliance documentation removes a common blocker: "We need to understand the risk before we approve this."

You're Moving Fast to Production

If you passed Phase 1 & 2 and want to go live quickly, Phase 3 removes the compliance delay. Auditors review documentation in parallel instead of blocking Phase 4.

If none of these apply to you: You may not need Phase 3. Many small firms without external audits or insurance requirements skip Phase 3 and go straight from Phase 2 to Phase 4. Discuss with your team based on your risk appetite and stakeholder concerns.

Phase 3 in 2 Weeks

Phase 3 is quick because we're documenting existing architecture, not designing anything new. We leverage the technical foundation built in Phase 2.

Day 1-2

Kickoff: Architecture Review & Scope

90-minute call with your IT lead. We review the Phase 2 technical blueprint and confirm the deployment architecture (Azure/AWS/GCP, integration points, data flows). We scope what documentation is most important for your auditors/insurers.

Day 3-9

Documentation Build: We Create Everything

You don't lift a finger here. We build the evidence package: architecture diagrams, ISO 27001 mapping, risk assessment, security checklist. We work from Phase 2 blueprints and industry-standard control frameworks.

Minimal input from you: 1-2 email responses if we have questions about your specific tools or processes. Otherwise, we deliver complete documentation.

Day 10-14

Review & Refinement: Your Team Validates

We share the complete package with your IT/Risk lead. They review for accuracy. Questions like:

  • "Is this data flow diagram correct?"
  • "Are we missing any controls you want documented?"
  • "Does this match our security policies?"

We refine based on feedback and deliver the final package.

Day 14

Handover: Ready to Share with Your Auditor/Insurer

Final package delivered. You now have production-ready documentation to send to your external auditor, compliance team, or insurer.

What We Need From Your Team

Phase 3 is designed for minimal disruption. Your team provides validation, not production work.

IT Admin / CISO / Security Lead

  • Kickoff call (90 min): Confirm architecture, identify what matters most for your auditors
  • Review & feedback (2-3 hours): Review draft documentation for accuracy, suggest revisions

Risk/Compliance Owner (Optional)

  • Review & sign-off (1-2 hours): Validate that documentation aligns with your risk appetite and policies

Total time commitment: ~4-5 hours over 2 weeks (mostly review, not creation)

Investment & Value

Phase 3 Cost

$8–12k

Fixed investment. Depends on environment complexity (single cloud vs. multi-cloud, integration points).

  • Architecture & data flow diagrams
  • ISO 27001 control mapping
  • Risk & mitigation assessment
  • Security questionnaire pre-fill
  • Your team review & refinement

Auditor Time Saved

40–50%

Typical external audits cost $8–15k and take 8–12 weeks. Phase 3 reduces auditor hours and timeline.

Example: If your auditor bills at $200/hour and spends 30 hours building your evidence file, that's $6k. Phase 3 eliminates most of that.

What Happens After Phase 3?

Phase 3 delivers documentation, not approvals. Your auditors and insurers now review it.

External Audit Timeline

2–4 Weeks

(Instead of 8–12)

Your auditor reviews Phase 3 documentation and has clarifying conversations instead of starting from scratch.

  • Week 1: Auditor reviews architecture and control mapping
  • Week 1-2: Clarification questions (usually 3-5 items)
  • Week 2-4: Validation and final sign-off

Timeline depends on your auditor's workload and complexity of your environment. This is typical, not guaranteed.

Insurance Review Timeline

2–8 Weeks

(Depends on Insurer)

Your PI insurer reviews Phase 3 documentation to understand your AI risk management and make a coverage decision.

  • Week 1: You submit Phase 3 documentation to your insurer
  • Week 1-4: Insurer reviews (timeline varies widely)
  • Week 2-8: Coverage decision and policy endorsement

Insurance underwriting is slower because many insurers are still developing AI coverage policies. Budget 4-8 weeks.

Insurance: What to Expect

Insurance underwriting for AI deployments is still evolving. Many insurers are cautious. Here's what to prepare for:

  • Questions, not approval: Expect your insurer to ask follow-up questions about your risk management approach
  • Possible coverage limitations: Some insurers may approve coverage but with exclusions or higher premiums for AI-related errors
  • Third-party assessments: Some insurers request independent penetration testing or security audits before approving coverage
  • Waiting for policy evolution: If your insurer hasn't developed an AI policy yet, they may delay underwriting while they develop one

Phase 3 doesn't guarantee insurance approval. It gives your insurer the information they need to make a decision, but that decision depends on their risk appetite and current policies. Discuss with your broker early.

Common Questions About Phase 3

Do I have to do Phase 3? Can I skip it and go straight to Phase 4?

Yes, you can skip Phase 3. Many small firms without external audits or strict compliance requirements go straight from Phase 2 to Phase 4.

But consider Phase 3 if:

  • You're subject to external audits (ISO, SOC 2, etc.)
  • You work in regulated industries (financial services, legal, healthcare)
  • Your CTO/IT governance team requires documentation before go-live
  • Your insurer is asking questions about AI deployments

Discuss with your audit/compliance/IT team. If they're not concerned, Phase 3 may not be necessary.

If the audit finds issues, does that mean Phase 3 failed?

No. Phase 3 documents your architecture; audits identify whether that architecture meets your compliance requirements.

Common scenarios:

  • "You need additional monitoring." Phase 3 proposes monitoring; auditor says you need more. You add it in Phase 4.
  • "This control is insufficient." Phase 3 documents a mitigation; auditor requires a stronger one. You strengthen it before go-live.
  • "You need penetration testing." Phase 3 isn't penetration testing. Auditor may require it before final approval.

Phase 3 succeeds if it accelerates the conversation. If your auditor asks 10 clarifying questions instead of 50, Phase 3 worked. The fact that they identify additional requirements is normal.

What if my auditor doesn't accept Phase 3 documentation and asks for something different?

That's fine. Every auditor has slightly different requirements. Phase 3 builds a strong foundation; auditors often request format changes or additional detail, not a complete rework.

If your auditor asks for something Phase 3 didn't cover: Tell us. We can often scope a Phase 3 extension (additional cost, usually $2-4k) to address their specific requirements.

Common extensions:

  • Penetration testing scope & findings
  • Business continuity & disaster recovery documentation
  • Detailed access control logs and testing evidence
  • Vendor risk assessments for third-party tools

Does Phase 3 guarantee my insurer will approve coverage?

No. Phase 3 gives your insurer the information they need to make a decision, but that decision is theirs.

Possible outcomes:

  • Approved as-is: Insurer reviews documentation and approves coverage without changes
  • Approved with conditions: Insurer approves but requires monitoring, regular retraining, or higher premiums
  • Approved with exclusions: Insurer approves general coverage but excludes AI-related errors
  • Requires assessment: Insurer requests penetration testing or independent security audit before deciding
  • Pending policy development: Insurer hasn't developed an AI coverage policy yet; you wait for their policy to evolve

Recommendation: Contact your broker early in Phase 2. Give them a heads-up that you're implementing AI-powered automation. Some insurers will tell you upfront what they require (then Phase 3 addresses it).

Can Phase 3 documentation be used for multiple audits (internal, external, regulatory)?

Mostly yes, but with variations. Phase 3 documentation is designed to address common control frameworks (ISO 27001, SOC 2, general security). It can be adapted for industry-specific regulators.

Examples:

  • Internal audit: Use Phase 3 documentation as-is
  • External SOC 2 audit: May require additional detail on user access controls and change management
  • AFSL compliance (financial services): Phase 3 + additional documentation on conflicts of interest, data integrity
  • HIPAA compliance (healthcare): Phase 3 + additional documentation on data encryption, breach notification

Discuss with your compliance team if Phase 3 covers everything needed for your specific requirements. We can often adapt it with minimal additional work.

What happens if I complete Phase 3 but decide not to proceed with Phase 4?

You keep all the documentation. Phase 3 deliverables are yours—the evidence file, architecture diagrams, control mappings, risk assessment. All yours.

You can:

  • Use it for your next audit (saves auditor time and cost)
  • Share it with other vendors who propose AI solutions
  • Store it for future reference when you're ready to revisit AI automation

Phase 3 has standalone value. Even if you don't implement with us, the documentation accelerates your audit and gives your team a clear picture of the AI deployment architecture.

Reduce Audit Delays. Give Your Auditor a Head Start.

Phase 3 isn't a certification. It's audit acceleration. Two weeks, $8-12k, 40-50% faster audits.

Start Compliance Shield

Or book a 15-minute consultation to discuss whether Phase 3 is right for your situation.