peculiar.cloud
Request a scoping call
Services Cloud Security Reality-CheckAWS / Multi-Cloud Landing ZoneZero-Trust TransformationHybrid NetworkingAI Platform Governance Approach Engagements Notes Request a scoping call

Fixed-scope engagement

AI Platform Governance

AI platform governance gives your teams a safe, paved path to build AI features — approved models, controlled data access, spend and usage limits, and audit — enforced as policy-as-code guardrails you own. Not a rented governance dashboard. Not a Big-4 control binder. Owned IaC in your repo.

Request a scoping call

The problem this solves

"Every team is wiring up an LLM and nobody owns the policy. We don't know what data is going to which model, the spend is untracked, and shadow usage is everywhere. The vendors selling us AI governance want a per-seat SaaS dashboard that sits outside our stack, and the consultancies want to sell us a framework deck. We need actual enforced guardrails in our cloud — that we control." Root cause: AI adoption outran platform controls; governance bought as external SaaS or slideware doesn't enforce anything inside your accounts, doesn't survive the subscription, and leaves the data-flow and spend risk live.

Why this isn’t governance-SaaS or slideware

A rented dashboard observes; it rarely enforces, and when you stop paying, the control leaves with it. A consultancy framework tells you what good looks like and bills you to be told. We build the guardrails as policy-as-code and infrastructure inside your own accounts — so the enforcement is real, it's auditable, it keeps working after we're gone, and it's yours to change as the models and your needs change.

What you own when we leave

  • A paved-path module: Terraform/IaC for sanctioned model access (managed-model access patterns, gateways, key handling) that teams consume instead of going around.
  • Policy-as-code guardrails: which models, which data classifications, allowed regions, spend/rate limits, logging of usage where appropriate — enforced, in your repo.
  • A data-flow threat model for AI usage (what data can reach which model, and the boundaries that stop the rest).
  • Cost and usage visibility/controls as code.
  • ADRs for the model-access and data-boundary decisions, and runbooks for sanctioning a new model or use case.

Not an "AI governance strategy" document. Working guardrails your teams build against.

How we approach it

  1. 01

    Discovery

    We read your accounts, configs, and constraints directly (scoped read-only access or exported state), map the real current state, and agree on a written scope and success criteria before any code is written.

  2. 02

    Architecture Decision Records

    We write down the key decisions — what we’re doing, the options we rejected, and why — as ADRs in your repo, so the reasoning survives long after we’re gone and you can challenge it before we build.

  3. 03

    Implementation

    We build the solution as reviewable Terraform/IaC in small, tested pull requests against your CI, so you watch it land incrementally and nothing arrives as a black box.

  4. 04

    Handover

    We walk your team through the repo, the threat model, and the runbooks live, confirm you can apply/destroy/extend it yourselves, and then we leave. You own everything — there is no phase 5 where you still need us.

Engagement shape

A fixed-scope build over your AI/cloud platform, delivered as a consumable paved-path module plus enforced policy-as-code and a live handover. Scope is set by your cloud, the model-access patterns in play, and the policies you need enforced — agreed up front.

Engagements typically start at $28,000 USD. Contact for scope and a fixed price.

A sample of what we ship

policy/guardrails.rego Sanitized sample 
# policy/guardrails.rego — model calls fail closed at the gateway
package ai.guardrails

default allow := false

allow if {
  input.model.id in data.sanctioned_models
  data_classification_permitted
  input.usage.monthly_spend_usd < data.team_budgets[input.team].limit_usd
}

# Restricted data only reaches no-retention models in the required region.
data_classification_permitted if {
  input.request.data_classification == "restricted"
  data.models[input.model.id].retention == "none"
  data.models[input.model.id].region == input.policy.required_region
}

data_classification_permitted if {
  input.request.data_classification in {"public", "internal"}
}
An AI guardrail that enforces instead of observes: a call to an unsanctioned model, with the wrong data classification, or over budget fails at the gateway — it does not get logged for later.

Related note: AI governance SaaS vs policy-as-code you own →

FAQ

Questions about this engagement

What do I actually get — is this just a report?

No. Every engagement ends with infrastructure-as-code in your repository: Terraform/IaC, the guardrail set (Service Control Policies or equivalents), a threat model, ADRs, and runbooks. The documents exist to help an engineer run the code — they are never the deliverable instead of the code. "We ship, not slide" is the whole point. The sample Terraform on this site shows the shape of what you get.

Why not just use a CSPM/governance SaaS or a Big-4 firm?

A SaaS dashboard observes and alerts; it rarely enforces inside your accounts, and the control leaves when the subscription does. A Big-4 engagement often ends in a framework and a recommendation to hire builders. We build the enforcing controls as code you keep. Different tools have their place — but if you want enforcement you own, that is specifically what we do.

What if something breaks after you’ve handed over and left?

Every engagement includes a 90-day warranty: if anything we shipped does not behave as documented, we fix it at no charge — that is a defect we own, not new scope. After that window the code is standard Terraform/IaC on standard tools, so your team or any engineer can maintain it. If you would rather we come back for a defined follow-on — a new scope, a new fixed price — we are a short email away. We make ourselves unnecessary by default; we do not make ourselves unreachable.

We already have a security team / platform team. Why bring you in?

Usually because they are at capacity, or the work needs a specific senior depth (landing-zone design, zero-trust enforcement, hybrid routing, AI guardrails) that is hard to staff for a one-time build. We work as reviewable PRs against your CI so your team reviews and absorbs everything as it lands — by handover it is genuinely theirs, not a black box dropped on them.

What access do you need, and how do you handle our data and credentials?

Discovery uses scoped, read-only IAM roles that you create in your accounts and can revoke at any second — never long-lived keys we hold. Where you must export configuration or state, it lands encrypted in storage you control, and we delete our working copies on a documented schedule with written confirmation. We use no sub-processors and nothing leaves the jurisdiction you specify; wherever possible, implementation runs entirely inside your own tenancy and CI so we never hold your credentials at all. We will complete your security questionnaire (CAIQ/SIG-lite) before you grant any access. You can inspect this site too: cookie-free self-hosted analytics, Cloudflare only for edge/CDN and bot protection, a clean CSP, and no third-party trackers.

Start with a scoping call

Request a scoping call