Governed Infrastructure Assurance. Three engagements (Assess, Harden, Sustain). Two subscription tiers (Standard, Premium). External engineers. Framework-mapped evidence flowing continuously into Reign's Audit Ledger (CAVR).
WHY FSAI
The assurance gap most enterprises have right now.
SaaS governance overlays produce policy dashboards that never touch the runtime. They cannot tell you what the agent did at 3:14 AM when it called an MCP server, picked up a credential, and exfiltrated a row to an LLM provider outside your governed boundary. Big 4 assessments produce a thick PDF, a steering committee readout, and an invoice. Six months later the PDF is stale, the model has been swapped, and the assurance posture is decorative.
Both approaches produce a one-time deliverable that decays the moment it lands. The runtime keeps moving. The threat surface keeps expanding (tool-call abuse via MCP, prompt injection, credential leakage, output abuse, supply-chain attacks on weights, blast radius from autonomous tool calls). The frameworks keep tightening (OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, FINOS AIGF v2.0, EU AI Act Article 9).
FSAI closes the gap by productizing the assurance work itself. Each engagement produces reusable platform artifacts (control wirings, remediation playbooks, framework mappings) that carry forward. Evidence flows continuously into Reign's Audit Ledger (CAVR), so the auditor sees a hash-chained record, not a stale snapshot.
THREE ENGAGEMENTS
Assess, Harden, Sustain.
FSAI is delivered through three engagements, in order. Always Assess first.
Assess
A four to six week external review of your AI infrastructure, conducted by iTmethods engineers (not auditors, not policy reviewers). Working engineers who have built and operated governed AI substrates in regulated production. Scoped against your foundation model footprint (Bedrock, AI Foundry, Vertex, OpenAI, Anthropic), agent runtimes (Cursor Self-Hosted, Claude Code, LangGraph, CrewAI, Agentforce), MCP servers, identity surface, secrets management, and network boundary.
Deliverables, in writing, against a fixed scope: a board-ready threat model named to your assets and mapped to the risks that matter; a gap report against framework expectations and what your auditor will ask in twelve months; a prioritized, scoped, effort-estimated remediation plan; framework-mapped findings against OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, FINOS AIGF v2.0, and EU AI Act Article 9. The plan is what Harden executes against.
Harden
Engineering execution against the remediation plan produced in Assess. iTmethods engineers do the work, in your environment, against your runtime. Not consulting advisory. Not a steering committee. Not a slide deck handed back across the table. Engineers writing configuration, deploying controls, implementing pipeline gates, and wiring evidence collection into Reign's Audit Ledger (CAVR) so every control firing produces a hash-chained record.
Typical engagement runs 6 to 12 weeks, scoped against the Assess backlog. Hardened tool configurations across the Governed Tooling Layer. Control libraries deployed across the Forge AI Substrate. Pipeline gates implemented at the points runtime risk concentrates. Acceptance criteria documented per remediation item. CISO sign-off at exit; audit committee briefing optional.
Sustain
Continuous operation of the assurance posture established in Harden. Not a monitoring dashboard. Operation as a discipline, with iTmethods engineers responsible for the running posture across the Governed Tooling Layer and the Forge AI Substrate. The runtime keeps moving. New agents ship, foundation models swap in, MCP servers connect, tools get added. The posture certified in Harden is correct on day one and drifts by day forty. Sustain keeps it current against that drift. Continuously, not quarterly.
Posture monitoring across the four sub-components of the substrate. Drift response when configurations move, agents are added, models swap, or tool surfaces expand. Incident remediation when a control fires, a tool-call goes out of bounds, or an agent exhibits anomalous behavior. Continuous evidence flow into Reign's Audit Ledger (CAVR), pre-mapped to Assurance Packs. Quarterly posture reviews with CISO and audit committee. Framework mapping updates as standards evolve.
Reign · Governance Layer
FSAI engagements emit structured evidence into Reign's Audit Ledger (CAVR). Every assessment, every remediation, every continuous posture check. Findings are pre-mapped to Reign's Assurance Packs covering EU AI Act, OSFI E-23, SR 26-2, FDA PCCP, DORA, BCBS 239, ISO 42001, NIST AI RMF, and the rest of the library (13-plus frameworks). The regulator sees the underlying ledger, not a PDF FSAI generated.
After Assess produces a remediation plan, customers move into a recurring tier. Both tiers run Sustain continuously. They differ in who does the remediation work.
Standard
Assurance posture only. Customer-led remediation with iTmethods advisory.
Continuous posture monitoring
Continuous framework mapping
Evidence flow into Reign's Audit Ledger (CAVR)
Drift detection
Customer-led remediation with iTmethods advisory
Premium
24/7 expert-led remediation pod. Active remediation, not just monitoring.
Everything in Standard
24/7 expert-led remediation pod
Active remediation, not just monitoring
Named iTmethods principals plus embedded pod
Full Reign Assurance Pack library (13-plus frameworks)
STATUS AND NEXT STEP
FSAI Assess runs in production. The rest is in Early Access through 2026.
Every FSAI engagement begins with Assess. The four to six week external review, available today. Harden, Sustain, and the Standard and Premium tier subscriptions are in Early Access, co-developed with a limited cohort across banking, capital markets, life sciences, and defense.