AI Governance, Risk and Compliance for UK Businesses

Most UK businesses are using AI without a governance posture. No documented acceptable use policy, no model card, no audit trail, no EU AI Act position. It works until it does not. The first compliance review, security audit or procurement question that lands tends to be the moment leadership realises the practice was never on solid ground.

Teylu builds the governance, risk and compliance posture that puts your AI practice on solid ground. Documented acceptable use, model cards, audit trail design, EU AI Act categorisation and ICO AI Code of Practice alignment. The work your legal, risk and procurement teams need to see, written in language a board can act on.

What you get:

  • A documented AI governance posture covering policy, process, technology and people
  • EU AI Act categorisation of your high risk use cases, with mitigation plans for each
  • ICO AI Code of Practice alignment evidence ready for regulator engagement
  • Model cards and decision logic documentation for the AI systems in production
  • An acceptable use policy and training programme your legal and people teams can sign off

Why governance gets skipped

AI rollouts move faster than compliance teams can keep up with. Engineers ship, marketers prompt, leadership applauds the early wins. Governance gets deferred to phase two. Phase two never lands. Then a procurement review, a customer security questionnaire or a regulator inquiry forces the issue, and everything stops while the team scrambles.

What proper governance looks like

A documented policy. A clear approval process for new AI use cases. A model card for each production system. An audit trail covering every consequential decision. An EU AI Act categorisation per use case. An ICO alignment summary. A team that knows the boundaries. Procurement and security reviews stop being firefights.

What we deliver

Acceptable use policy. Data classification rules. Sensitive data handling. Approval workflow for new use cases. Model cards for production systems. EU AI Act categorisation register. ICO AI Code of Practice alignment summary. Audit trail design. Vendor and partner due diligence framework. Training programme for the wider team.

EU AI Act, properly handled

The EU AI Act obligations for the high risk use cases listed in Annex III apply from 2 August 2026; AI that is a safety component of a product already covered by EU product legislation (Annex I) follows a year later, on 2 August 2027. The Act does not stop at the EU border: a UK business that places an AI system on the EU market, or whose system's output is used in the EU, is in scope wherever it is based. The audit categorises each of your AI use cases, identifies which fall into high risk and which do not, and delivers the mitigation plans for the ones that do.

ICO AI Code of Practice alignment

The ICO's AI Code of Practice Regulations came into force on 12 May 2026. We align your AI practice with the principles, document the alignment evidence and prepare you for any future ICO engagement. The framework is built into the operating model rather than bolted on later.

Model cards for production systems

Every production AI system gets a model card: what it does, what data it uses, what decisions it makes, how it is monitored, where human oversight sits. The card is documented in plain language. Your risk and security teams can verify the posture without needing a translator.

Audit trail design

Every consequential decision the AI takes is logged, with the model version that made it, digests of the inputs and outputs it saw, and whether a human reviewed it. Every tool call is auditable and tied back to the decision that triggered it. Every model update is versioned and carries who approved it. The trail is append only and tamper evident, so a missing or rewritten record is detectable, and it is shipped off the host rather than left beside the system it describes. The design is driven by the obligations you will face, not bolted on after an incident: for high risk systems the EU AI Act requires automatic event logging over the system's lifetime (Article 12) and retention of those logs for at least six months (Articles 19 and 26). The same trail satisfies internal audit, external audit and regulator inquiry alike.
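To make the audit trail design concrete, here is an added example of the logging pattern described above. It is illustrative code written for this page, not Teylu's tooling or anything the page itself ships. It keeps an append-only, HMAC-chained record of decisions, tool calls and model updates; stores digests of prompts, outputs and tool arguments rather than the raw data, so the trail proves what the system saw without becoming a second copy of personal data; and exposes the unreviewed decisions an auditor would ask about. The key, the field names and the sample events are assumptions.

```python
"""Added example: a tamper-evident audit trail for AI decisions and tool calls.

Illustrative code for this page, not Teylu's own tooling. The key, the record
fields and the sample events below are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed: a per-environment secret fetched from a secrets manager. Chaining under
# an HMAC rather than a bare hash means someone who can rewrite the log file
# cannot simply recompute the chain to hide the change.
AUDIT_KEY = b"example-key-do-not-use-in-production"


def digest(payload) -> str:
    """SHA-256 over canonical JSON, so the log records a fingerprint of a prompt,
    output or tool argument set without storing the data itself."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, HMAC-chained log of consequential AI events."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[dict] = []

    def _mac(self, record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "mac"}
        return hmac.new(self._key, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()

    def append(self, kind: str, **fields) -> dict:
        record = {
            "seq": len(self.records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "kind": kind,
            "prev": self.records[-1]["mac"] if self.records else self.GENESIS,
            **fields,
        }
        record["mac"] = self._mac(record)   # seals the record and its link to the previous one
        self.records.append(record)
        return record

    def log_decision(self, use_case, model_version, prompt, output,
                     human_reviewed, reviewer=None) -> dict:
        return self.append("decision", use_case=use_case, model_version=model_version,
                           input_digest=digest(prompt), output_digest=digest(output),
                           human_reviewed=human_reviewed, reviewer=reviewer)

    def log_tool_call(self, decision_seq, tool, args, result) -> dict:
        return self.append("tool_call", decision_seq=decision_seq, tool=tool,
                           args_digest=digest(args), result_digest=digest(result))

    def log_model_update(self, model, old_version, new_version, approved_by) -> dict:
        return self.append("model_update", model=model, old_version=old_version,
                           new_version=new_version, approved_by=approved_by)

    def verify(self) -> bool:
        """Walk the chain: sequence numbers contiguous, each prev link correct,
        each MAC recomputable. Any edit, insertion or deletion breaks it."""
        prev = self.GENESIS
        for seq, rec in enumerate(self.records):
            if rec["seq"] != seq or rec["prev"] != prev:
                return False
            if not hmac.compare_digest(rec["mac"], self._mac(rec)):
                return False
            prev = rec["mac"]
        return True

    def decisions_without_oversight(self) -> list[dict]:
        return [r for r in self.records
                if r["kind"] == "decision" and not r["human_reviewed"]]


def demo() -> AuditTrail:
    """Constructed sample events: a reviewed decision, its tool call, a model
    update and an unreviewed decision taken by the new version."""
    trail = AuditTrail(AUDIT_KEY)
    d = trail.log_decision("credit-limit-review", "risk-scorer@1.4.2",
                           prompt={"customer_ref": "C-1042", "requested_limit": 5000},
                           output={"recommendation": "approve", "limit": 4000},
                           human_reviewed=True, reviewer="analyst.jdoe")
    trail.log_tool_call(d["seq"], "crm.lookup", {"customer_ref": "C-1042"},
                        {"tenure_years": 6})
    trail.log_model_update("risk-scorer", "1.4.2", "1.5.0",
                           approved_by="model-risk-committee")
    trail.log_decision("credit-limit-review", "risk-scorer@1.5.0",
                       prompt={"customer_ref": "C-2210", "requested_limit": 12000},
                       output={"recommendation": "decline"}, human_reviewed=False)
    return trail


def tampered_trail() -> AuditTrail:
    """Same trail with the first decision's recorded output quietly changed."""
    trail = demo()
    trail.records[0]["output_digest"] = digest({"recommendation": "approve", "limit": 9000})
    return trail


if __name__ == "__main__":
    t = demo()
    print("intact:", t.verify(), "unreviewed:", len(t.decisions_without_oversight()))
    print("after tampering:", tampered_trail().verify())
```

The chain makes tampering detectable, not impossible: whoever holds the key can rewrite history, so the key lives outside the application and the sealed records are shipped to a system the application cannot write back to. Recording digests also means the trail can be handed to an external auditor without re-disclosing customer data.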

Acceptable use policy and training

Your team needs to know the boundaries. The acceptable use policy defines them in language that does not require legal training to understand. The training programme makes sure every person who touches AI knows what they can do, what they cannot, and where to ask.

For risk and compliance leaders

You get a documented posture you can defend to regulators, auditors, customers and procurement teams. The defensive position stops being implicit and starts being explicit. The first hard question you receive lands on solid ground.

For legal and general counsel

You get an acceptable use policy, vendor due diligence framework and incident response plan ready for review. The legal team's exposure on AI drops sharply. The team that used to be the bottleneck on AI rollouts becomes the enabler.

For CIOs and security leaders

You get a security posture aligned with your existing controls, an audit trail design that integrates with your SIEM and a governance model that brings shadow AI into a properly visible, inventoried estate. Once every AI use case is on the register, risk can be measured and reduced rather than guessed at.

For founders and CEOs

You get the assurance that AI is moving forward inside the business without exposing the brand, the customer relationships or the balance sheet to compliance risk. The board conversations on AI shift from defensive to commercial.

For regulated sectors

Financial services, healthcare, legal and professional services, public sector. Where compliance is a material part of the operating environment, the governance posture is non negotiable. We design for the obligations of your sector, not a generic framework.

For procurement led sales

If your customers run security and AI assurance reviews, your governance posture is part of the sale. We deliver the documentation procurement teams ask for, so AI moves from being a sales blocker to being a sales accelerator. Customer trust compounds.

Independent and honest

Teylu is an independent agency. The governance work is not selling you a platform. The recommendations are scored on what the obligations require and what your operating model can sustain, not on partner economics. Partnership, not transaction.

Practical, not theoretical

The governance work integrates into how your team already operates. Acceptable use sits inside the onboarding pack. Approval workflow sits inside the project management tool. Model cards sit alongside the technical documentation. The governance lives where the work lives.

Built for evolution

Regulation will change. New use cases will emerge. New models will ship. The governance posture is designed to evolve, with versioning, review cadences and a clear ownership model. The investment compounds rather than expiring.

Ready for the 2 August 2026 deadline

The EU AI Act high risk obligations land in months. Most UK businesses are not ready. The governance audit gives you a documented position, a mitigation plan and a clear date by which the obligations are met. No surprises.

Why Teylu, not a Big Four advisory team

Big Four advisory teams will sell you a six month assessment with a senior partner appearing for the kick off and the wash up. We deliver a working governance posture in weeks, with senior people on every conversation and the documentation your team will actually use.

Why Teylu, not a legal firm

Legal firms will write you a policy. We will integrate that policy into how your business actually operates, build the model cards, design the audit trail and train the team. Governance is more than a document, and we deliver the operating model that makes it real.

Typical timeline

Three to six weeks from kick off to a delivered governance posture. Weeks one to two cover the current state assessment. Weeks two to four cover policy, model card and audit trail design. Weeks four to six cover training, embed and handover.

Engagement model

Fixed scope governance build, then ongoing retainer for evolution as regulation changes, new use cases emerge and the AI estate grows.

See governance work delivered

See how Teylu has delivered AI governance for clients across regulated, B2B and consumer sectors in the UK.

Brief Us

This is built for businesses that recognise the AI conversation is moving from possibility to obligation. That usually means:

Regulated and enterprise sellers facing security and AI assurance reviews from customers and partners.

Risk, legal and compliance leaders needing a documented AI posture before the next audit, regulator inquiry or board review.

Founders and CEOs taking AI seriously as a board level topic and needing the assurance to discuss it confidently.

Businesses serving the EU approaching the 2 August 2026 EU AI Act high risk deadline without a documented position.

Step 1: Current state assessment

Week 1 to 2

We document every AI use case in the business, the data flows, the decision logic, the human oversight and the existing policies. We score each against EU AI Act categorisation and ICO alignment.

Outcome

A documented current state assessment. You know exactly where you sit on each obligation and where the gaps are.

Step 2: Policy, model cards and audit trail design

Week 2 to 4

We write the acceptable use policy, the model cards for production systems, the approval workflow for new use cases and the audit trail design. We align with your existing risk framework.

Outcome

A documented governance posture: policy, process, technology controls, model cards, audit trail. Ready for legal and risk sign off.

Step 3: Embed, train and align

Week 4 to 6

We embed the governance into your operating model. Train the wider team. Run the acceptable use briefings. Align with procurement and security on the new posture.

Outcome

A trained team, an active governance model and a defensible posture. The first audit conversation lands on solid ground.

Step 4: Maintain and evolve

Week 6 onwards

We maintain the governance posture as regulation evolves and new use cases emerge. Quarterly reviews. Updates to model cards. Refresh of acceptable use policy. The posture stays current rather than ageing.

Outcome

A governance posture that compounds in value, a regulatory position that adapts as obligations change and a leadership team confident in defending the AI practice.

Book a discovery call

Tell us where your AI practice sits today and what compliance obligations are landing. We will tell you whether a governance engagement is the right next move.

Brief Us

Three tiers, sized to the maturity of your AI practice.

Governance Diagnostic (entry tier)
A two week diagnostic covering current state assessment, EU AI Act categorisation and ICO alignment, with a written gap analysis and roadmap.

Implementation (core tier)
Three to six week build of the governance posture: policy, model cards, audit trail, approval workflow, training programme and handover.

Embedded Governance (ongoing tier)
Monthly retainer to maintain, evolve and report on the governance posture as regulation and use cases change.

Pricing is transparent, sized to the maturity of your AI practice. Enterprise grade thinking without the enterprise overhead.

Proof over promises

Teylu has built governance documentation, EU AI Act categorisation work and ICO alignment evidence for AI implementations across HMS Networks, Arrow ECS, Timberplay, TouchWood Play and Blake Mill Menswear. The governance posture we will build for you is grounded in real production deployments, not theoretical frameworks.

Talk to the AI Labs team

If your AI practice is moving faster than your governance can keep up with, and the next audit or regulator inquiry is closer than the team is ready for, this is built for you.


Speak to a senior member of the team. We will scope a discovery in the call and give you a clear next step.

Brief Us

Do we really need an EU AI Act position by August?

If you place AI systems on the EU market, deploy them in the EU, or run AI whose output is used in the EU, you are within the Act's scope wherever you are based, and you need a documented position. How much the August date matters depends on categorisation: the obligations for high risk use cases listed in Annex III apply from 2 August 2026, while AI that is a safety component of a product covered by EU product legislation (Annex I) follows on 2 August 2027. The audit categorises each of your AI use cases, identifies which fall into high risk and delivers the mitigation plans for the ones that do. No surprises.

What does a model card look like?

A documented description of what the AI system does, what data it uses, what decisions it makes, how it is monitored and where human oversight sits. Plain language. Verifiable. Your risk and security teams can sign it off without a translator.

How does this differ from a legal firm writing us a policy?

A policy is words on a page. We integrate the policy into how your business actually operates: acceptable use sits in the onboarding pack, approval workflow sits in the project tool, model cards sit alongside technical documentation. Governance lives where the work lives.

Do you cover regulated sector requirements?

Yes. For financial services, healthcare, legal, professional services and public sector, the governance pack is configured for your sector's obligations. We do not deliver a generic framework. We design for the regulatory environment you actually operate in.

How long does the engagement take?

Three to six weeks. Weeks one to two: current state assessment. Weeks two to four: policy, model card and audit trail design. Weeks four to six: training, embed and handover. You finish with a defensible posture.

Speak to the team

Have a question we have not answered? Tell us. We will give you a straight answer, not a pitch.

Brief Us

Reach out and let’s do something remarkable together.

Contact Us