For the executives operating AI in companies where it has to pass an audit

Most companies are running AI as a project portfolio. This is where you learn to run it as an operating system.

The project portfolio model produces governance debt, vendor lock-in, audit exposure, and shadow AI. The operating system model produces shipped systems that survive the next quarterly. Frameworks, case studies, and the operating manual. Built from inside a Swiss GRC consultancy.

03 · The Operating Shift

Two ways to run AI. Only one survives the next audit.

Column A: The Project Portfolio
Column B: The Operating System

A: Funded as discrete experiments. Each use case has its own budget, sponsor, and timeline. The line items live in eight different P&Ls.
B: Funded as one cost center with shared infrastructure. One executive owns the total spend. Use cases draw from a common stack and a common ledger.

A: Governance added when something breaks. Risk and compliance are summoned reactively after the first incident, regulator letter, or board question.
B: Governance is the substrate everything sits on. ISO 42001 controls are written before the first deployment. Every system is born inside the audit chain.

A: Each tool has its own contract, audit trail, model. Six vendors, six DPAs, six evaluation harnesses, six versions of the same prompt template.
B: One control surface, one auditable record. Logs, evals, prompts, and access live in a single layer the auditor can read in an afternoon.

A: Vendor lock-in compounds with every new use case. Switching cost grows quadratically. The exit assessment is written after the contract is signed, if at all.
B: Vendor exit is part of every deployment. No system goes live without a documented unwind. The lock-in surface is bounded by design.

A: Shadow AI proliferates because no surface absorbs demand. Employees solve their own problems on consumer tools. The data leaks the org cannot see are the loudest ones.
B: Shadow AI cannot exist because there is somewhere to put it. Sanctioned channels are faster than unsanctioned ones. Demand routes itself to the operated layer.

A: Reports to whoever requested the use case. Accountability follows the org chart. The CMO answers for the marketing model. The CFO never sees it.
B: Reports to a single executive accountable for the system. One seat owns the platform, the controls, and the outcomes. The org chart adapts to the system, not the reverse.

Every framework, every case study, every analysis on this site makes the case for the right column.

05 · Where the Operator Sits

A new C-suite seat appears. Three existing seats compress.

SOX produced the modern CFO. ISO 27001 produced the CISO. GDPR produced the DPO. ISO 42001 and the EU AI Act are now producing the executive who runs the AI operating system, while CMO, CTO, and CISO seats consolidate around them.

[Org chart: CEO; CFO; CMO (compresses); CTO (compresses); CISO (compresses); AI Operator (new seat); COO]

SOX, 2002 produced the modern CFO.
ISO 27001 produced the CISO.
GDPR, 2018 produced the DPO.
ISO 42001 + EU AI Act produces the AI operator.

The seat is real. The question is whether it is operated or coordinated.

04 · What the Operating System Looks Like by Function

Every department is part of one system.

Marketing, finance, customer service, operations, HR, risk. Different vocabulary, identical pattern.

01 · Marketing

Content production as a controlled pipeline, not a prompt library.

Brand voice, claims review, and channel routing live inside the same evaluation harness as the model that drafts the copy.

02 · Finance

Forecasting and close as audited model output, not analyst opinion.

Every figure that lands in a board pack is reproducible from a logged prompt, a logged input, and a logged version.

03 · Customer Service

Tier-one resolution as a governed system, not a wrapper.

Escalation paths, refusal logic, and disclosure rules are written controls, not screenshots in a Notion doc.

04 · Operations

Process automation as a continuous deployment, not a project.

The COO holds a system that ships weekly. The PMO becomes a release function.

05 · HR

Hiring, performance, and policy as model-mediated workflows.

The same audit chain that satisfies the AI Act also satisfies the works council. Both are reading the same log.

06 · Risk & Compliance

The function that turns the operating system from a story into a record.

Sits inside deployment review, not after it. Owns the controls library every other function depends on.

Six functions. One operating system. The infrastructure underneath is shared.

06 · The Operating Manual

The frameworks the operating system actually requires.

Built in public. One per week. Each one is what an operator inside a regulated mid-market company actually uses.

Framework · 015

The P&L of an AI Deployment

What an AI system actually costs. Revenue impact. Token spend. Engineering. Audit costs. The format your CFO reads in 90 seconds and signs off on, or doesn't.

Read the framework →
Framework · 016

The ISO 42001 Control Map

Eight clauses. Three documents. One audit. The mapping between ISO/IEC 42001 clauses and the artifacts that satisfy them.

Read the framework →
Framework · 017

The 90-Day Diagnostic

What to demand in the first quarter. The artifacts a board should require within 90 days of any AI executive appointment.

Read the framework →
07 · Case Studies

What an AI program looks like when it actually works.

Three public companies. Three structural analyses. What’s working, what’s failing, and why.

Klarna
Fintech · Stockholm
Scale without a system

The most-cited AI deployment of 2024 is also the most-cited example of what unstructured looks like at scale.

Klarna built a tool that scaled. They have not yet built the system around the tool.
Read the full Klarna analysis →
Duolingo
Edtech · Pittsburgh
Procurement as transformation

Replacing contractors with model output is a sourcing decision, not an operating system.

When the variance moves, the operating layer is where you see it. When the operating layer is not built, the variance shows up in the customer.
Read the full Duolingo analysis →
HSBC
Banking · London
Operating system, working

The most extensive enterprise AI deployment in European banking is also the least visible.

The deployment that does not make the news is usually the deployment that survives the next regulator.
Read the full HSBC analysis →
08 · How to Read This

Four reader paths. Pick yours.

If you are building

You’re inside a company trying to ship AI. Start with the frameworks. The P&L is the first read.

Go to the operating manual
If you are governing

You’re on a board or audit committee. Start with the case studies. HSBC is the model. Klarna is the warning.

Go to the case studies
If you are funding

You’re allocating capital. Start with the reframe. The right column is what you should be underwriting.

Go to the reframe
If you are hiring

You’re recruiting the AI operator. Start with the corner office. The seat shape is the brief.

Go to the corner office
Built from: Inside a Swiss GRC consultancy
Operating context: Mid-market regulated Europe
Frameworks of record: ISO 42001 · EU AI Act · ISO 27001
Cadence: One piece per week
10 · Working with Sebastián

Two ways to engage. Most readers should pick the first.

Everything on this site is free and complete. The frameworks are not teasers. The case studies are not paywalled. For a small number of readers whose situation matches, there is an engagement path.

Read

Subscribe to the operating manual.

One piece per week. Frameworks, case studies, the operating system applied. No engagement required.

One publication per week. Unsubscribe at any time.

Engage

Apply for a limited engagement.

Three to four engagements per year. By application. The author embeds with a mid-market regulated European company to build the operating system inside one organization. Most applicants are directed back to the operating manual first. If we proceed, the engagement is scoped, fixed-fee, and built around your specific restructuring.

Engagements are built around your situation. Tailored, not templated. The operating manual is the default and the better path for most.