About Alatus Advisory
A specialized AI security practice for regulated industries.
Who we are
Alatus Advisory was built around a specific observation: regulated industries are adopting AI faster than their governance and security programs can keep up. The compliance teams are asking questions the security team can't answer. The security team is worried about threats the engineering team doesn't know exist. And the board is asking both groups to hurry up.
We sit at the intersection of AI adoption, security, and compliance, not because it's a good market position, but because that's where the real work is. Our engagements are built to move fast without cutting corners: automated discovery where possible, scored assessments that produce defensible baselines, and deliverables built from a tested template library rather than written from scratch.
We work with CISOs, CCOs, and CTOs at regulated companies who need to move quickly without moving recklessly.
Leadership
Alex leads client engagements across AI governance, compliance, and secure development programs. With a background in security architecture and regulated industry advisory, he focuses on building governance frameworks that hold up to auditor scrutiny while enabling organizations to adopt AI at speed. He is particularly focused on the intersection of AI adoption and regulatory risk in healthcare, financial services, and pharma.
Chad leads threat readiness and security operations engagements, with deep expertise in vulnerability management, incident response, and security program design for organizations undergoing AI adoption. He has spent his career building and running security operations for complex enterprises, and brings that operational lens to every engagement.
How we approach engagements
Most advisory firms bill their highest-rate consultants to collect data that a script could gather in minutes. We front-load every engagement with automated discovery (AI tool inventories, configuration scans, policy gap questionnaires) so that our time with you is spent on the judgment calls, not the data gathering. You pay for analysis, not administration.
Every engagement produces a scored gap analysis tied to the relevant framework: ISO 42001, OWASP LLM Top 10, NIST AI RMF, or your regulatory requirement of record. Scores are repeatable, which means you can run the same assessment six months later and show progress. The result is a defensible baseline, not a one-time narrative, and one that auditors and boards can both read.
AI governance policies, SDLC frameworks, incident response playbooks: we've built versions of all of these across multiple engagements and regulatory environments. We don't write them from scratch on your time. We start from a tested, battle-hardened library and adapt it to your environment. The result is faster delivery and better quality than a blank-page approach.
Frameworks we work with
OWASP LLM Top 10
The definitive risk classification for LLM-based applications. We use it to structure threat assessments and governance gap analyses for any organization deploying or building with large language models.
Cloud Security Alliance
Cloud Security Alliance guidance on AI-specific security controls and cloud-hosted AI risk. Informs our threat readiness assessments and cloud AI architecture reviews.
NIST AI RMF
The U.S. government's AI Risk Management Framework, a comprehensive voluntary standard for managing AI risk across the full lifecycle. A key reference for our governance and compliance engagements.
ISO 42001
The first international standard for AI management systems. Increasingly demanded by enterprise buyers, regulators, and auditors. We deliver ISO 42001 gap analyses and readiness assessments.
ISO 27001
The global baseline for information security management systems. AI governance programs should be designed to integrate cleanly with existing ISO 27001 controls; ours are.
CISA KEV
The Known Exploited Vulnerabilities catalog from CISA, the authoritative source for actively exploited vulnerabilities. Central to our vulnerability management (VM) velocity gap analysis and threat readiness work.
Let's talk about your environment.
Every engagement starts with a direct conversation: no process, no pitch deck.