Frequently Asked Questions

Last updated: October 2025

About ELSA AI

What is ELSA AI?

ELSA AI is an advisory firm specialising in AI governance for organisations that deploy third‑party AI tools. We make adoption safe, compliant, and auditable by turning principles into controls and controls into evidence—without building or operating your systems. (Advisory‑only scope; your teams implement technology.)

Are you the same as ELSA Speak (the English‑learning app)?

No. We are ELSA AI—a governance, security, and assurance consultancy for enterprise AI deployers. ELSA Speak is a consumer language‑learning app. Different brands; different services.

Do you offer language‑learning or pronunciation tools?

No. We do not provide consumer apps. We focus exclusively on enterprise AI governance and assurance.

About GenAI Assure™

What is GenAI Assure™?

GenAI Assure™ is ELSA AI's governance framework that provides a pragmatic 30‑60‑90‑day implementation pathway for organisations using third‑party AI tools. It links principles → controls → evidence across security, regulatory, ethics, operations, and culture.

What's the relationship between ELSA AI and GenAI Assure™?

  • GenAI Assure™ = the framework (the what)
  • ELSA AI = the advisory services that help you implement it (the who)

Who is GenAI Assure™ designed for?

AI deployers—organisations using third‑party AI services such as:

  • Copilots (e.g., Microsoft 365 Copilot, GitHub Copilot)
  • Chatbots/assistants (e.g., customer service agents)
  • Workflow automation (e.g., n8n, Make, Zapier)
  • Content & document generation/analysis

What problems does GenAI Assure™ address?

  • Shadow AI without oversight
  • Data leakage and misuse via prompts/automations
  • Regulatory non‑compliance (EU AI Act, GDPR, ISO/IEC 42001, NIST AI RMF, SOC 2)
  • Ethical risks (bias, explainability gaps, harmful outputs)
  • Missing audit trails ("prove what your AI decided")

Implementation & Delivery

How does implementation work?

We run a 90‑day phased programme:

Days 1–30: Foundation

  • AI Use Policy & exception framework
  • Value & Risk tiering (intake form)
  • Shadow AI discovery & inventory
  • Initial DPIA/FRIA triggers
  • SSO plan; SIEM event schema

Days 31–60: Core Controls

  • DLP patterns for AI risk
  • Secrets management & token hygiene
  • Vendor risk & DPA reviews
  • Transparency labels & explainability profiles
  • Incident response runbooks
  • Bias/harm testing (TEVV‑Lite context)

Days 61–90: Optimisation & Scale

  • Evidence Pack automation
  • Audit dashboards & KPIs
  • Internal audit dry‑runs
  • Quarterly review cadence
  • Full compliance validation

Is GenAI Assure™ software or a managed service?

Neither. It's a framework and advisory methodology. We provide blueprints, control designs, validation, and evidence structures. Your teams implement and operate the technology.

Who does what (roles & responsibilities)?

Your team (Client):

  • Implement & operate controls (SSO/MFA, DLP, SIEM, secrets vault, SOAR/GRC wiring)
  • Manage vendors and contracts
  • Own day‑to‑day operations

ELSA AI (Advisory):

  • Governance framework & policies
  • Risk & assessment frameworks (DPIA/FRIA facilitation)
  • Technical standards & control specifications
  • Evidence Pack structure & automation guidance
  • Implementation reviews & validation
  • Audit‑readiness assessment

We provide the blueprint and independent oversight; you build and run the controls.

Compliance & Standards

What frameworks and regulations does GenAI Assure™ map to?

GenAI Assure™ maps to major frameworks and regulations:

  • EU AI Act (Article 26) — deployer duties: logging, transparency, human oversight
  • GDPR/UK GDPR — lawful basis, DPIA/FRIA, rights handling, transfers (SCC/IDTA)
  • ISO/IEC 42001 — AI Management System (Plan‑Do‑Check‑Act)
  • NIST AI RMF — Govern, Map, Measure, Manage
  • NIST CSF 2.0 — Identify/Protect/Detect/Respond/Recover
  • SOC 2 — Security, Availability, Confidentiality

What audit evidence will we have?

Evidence Packs per use case, including:

Policy & Governance:

AI Use Policy, approvals, exception register; lifecycle gate records

Legal & Compliance:

DPIA/FRIA, RoPA entries, Transfer Register, transparency labels/notices

Technical Controls:

SIEM logs (prompts/outputs/decisions), DLP policies & violations, SSO/SCIM reports, secrets/token inventories, vendor attestations (SOC 2/ISO, sub‑processors)

Testing & Validation:

TEVV‑Lite results (bias, explainability, HITL), IR runbooks & transcripts, accessibility conformance

Format & Assurances:

Evidence YAML manifests with SHA‑256 hashes and WORM/append‑only storage; tiered retrieval SLA (Tier‑1 ≤4h, Tier‑2 ≤8h, Tier‑3 ≤24h)
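The manifest-plus-hash idea above, as an added illustration rather than GenAI Assure™'s own tooling: each artefact in an Evidence Pack gets a SHA-256 digest recorded in a manifest at sealing time, and a later check recomputes the digests so that any altered, missing or unrecorded artefact is flagged. The YAML layout, field names and sample files are assumptions; the page does not publish the manifest schema.

```python
# Added example (not ELSA AI's code): seal an Evidence Pack into a manifest
# of SHA-256 digests and re-verify it later. The field names and YAML layout
# are assumptions; the page does not publish the GenAI Assure manifest schema.
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(use_case: str, tier: int, items: dict) -> dict:
    """One entry per artefact: digest and size, sorted for stable output."""
    return {
        "use_case": use_case,
        "tier": tier,
        "sealed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "items": {name: {"sha256": sha256_hex(blob), "size": len(blob)}
                  for name, blob in sorted(items.items())},
    }

def to_yaml(manifest: dict) -> str:
    """Minimal YAML writer for this flat structure (avoids a PyYAML dependency)."""
    lines = [f"use_case: {manifest['use_case']}", f"tier: {manifest['tier']}",
             f"sealed_at: {manifest['sealed_at']}", "items:"]
    for name, meta in manifest["items"].items():
        lines += [f"  {name}:", f"    sha256: {meta['sha256']}",
                  f"    size: {meta['size']}"]
    return "\n".join(lines) + "\n"

def verify_manifest(manifest: dict, items: dict) -> list:
    """Names of artefacts that are missing, modified, or not in the sealed manifest."""
    failures = [name for name, meta in manifest["items"].items()
                if name not in items or sha256_hex(items[name]) != meta["sha256"]]
    # Files that appeared after sealing are also a finding: the pack is append-only.
    return failures + sorted(set(items) - set(manifest["items"]))

# Constructed sample artefacts for one use case (placeholder bytes, not client data).
EVIDENCE = {
    "dpia.pdf": b"%PDF-1.7 constructed DPIA placeholder",
    "siem_prompt_log.jsonl": b'{"prompt":"summarise ticket 42","decision":"allow"}\n',
    "dlp_violations.csv": b"ts,rule,user\n2025-10-01T09:00Z,PII-EMAIL,u123\n",
}
MANIFEST = build_manifest("support-copilot", 2, EVIDENCE)

if __name__ == "__main__":
    print(to_yaml(MANIFEST))
    tampered = dict(EVIDENCE, **{"dlp_violations.csv": b"ts,rule,user\n"})
    print("tampered:", verify_manifest(MANIFEST, tampered))  # ['dlp_violations.csv']
```

In practice the manifest itself would be written to the WORM/append-only store alongside the artefacts, so that a verifier can trust the recorded digests.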

Pricing & Engagement

How do you price engagements?

Pricing is set after a Tier‑0 Readiness & Assessment (inventory coverage, intake live, rubric approved). Your use cases are tiered (Tier‑1/2/3) by value/risk, then delivered via the 30‑60‑90 methodology with milestone‑based billing.

What determines my tier?

A simple rubric across: data sensitivity, decision impact, output scope, and blast radius. The score maps to Tier‑1 (Fast Lane), Tier‑2 (Standard Review), or Tier‑3 (Full Governance).

What's included in every engagement?

Advisory‑only delivery covering: policy & gates, control design/validation (GA‑PG/TP/DM/DC/RR/RB), TEVV‑Lite acceptance, and audit‑ready Evidence Packs with tiered SLAs. You implement the tech; we design, validate, and sign off via change tickets.

What's not included?

Hands‑on technical build or operations (e.g., configuring SSO/MFA, deploying DLP, wiring SIEM, secrets vault setup, SOAR/GRC automation).

How are milestones & billing structured?

We align invoices to exit gates:

  • Foundation (Days 1–30): Policy approved; intake/rubric live; inventory ≥95%
  • Core Controls (Days 31–60): SIEM events live; DLP active; TEVV‑Lite pass
  • Audit‑Ready (Days 61–90): Evidence Packs meet SLA; dashboards operational

Technical Requirements

What technical stack do we need?

Minimum stack:

  • IdP (e.g., Entra ID, Okta) with SSO/MFA
  • SIEM or central logging (e.g., Splunk, Elastic, Microsoft Sentinel)
  • Secrets management (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault)

Enhanced capabilities:

  • CASB/proxy for domain control
  • Endpoint/Web/SaaS DLP coverage
  • GRC/ticketing (e.g., ServiceNow, Jira)
  • SOAR for automation (optional)

We adapt to your environment—not the other way around.

Does GenAI Assure™ cover model development or fine‑tuning?

No. The framework is for AI deployers using third‑party tools; model building or fine‑tuning is out of scope.

Framework Usage

How is GenAI Assure™ licensed?

Licensing & Use

GenAI Assure™ Framework v1.0 is © ELSA AI LTD and released under CC BY-ND 4.0. You may share the framework unchanged, including commercially, with attribution to ELSA AI LTD and a link to the license. No derivatives or modified versions may be distributed. Trademarks (e.g., GenAI Assure™) are not licensed by CC; please use the name to reference the framework, not to brand your own services.

Scope of Services

ELSA AI provides advisory governance only: oversight, reviews, approvals, and audit-readiness validation via structured change management. We do not deploy, configure, or operate systems—your teams (or your MSPs) implement the controls we specify.

Can we access the framework before engaging?

Yes. We make core framework materials available to prospective clients for evaluation. For implementation support, training, or partnership discussions, please contact us.

Getting Started

How do we know if we need GenAI Assure™?

You likely do if:

  • You're already using AI tools in business workflows
  • You process customer or employee data through AI
  • You operate in the EU/UK or sell to European customers
  • You face audits, customer questionnaires, or board scrutiny
  • You have "Shadow AI" usage without oversight
  • You need to demonstrate GDPR‑aligned AI processing and prepare for EU AI Act deployer duties

What's the first step?

Book a short readiness call to confirm scope, then schedule Tier‑0 Readiness & Assessment. You'll receive a prioritised roadmap with tiering, critical gaps, and recommended timelines.

Contact