Methodology
AI governance built for the standard a fiduciary owes — and the evidence a regulator will request.
Our approach to AI governance does not begin with AI.
It begins with the business. Because the business defines the risks. The risks drive the controls. The controls take form as policies and procedures. The policies and procedures generate evidence. And the evidence — contemporaneous, documented, and examiner-ready — is what manifests due care in the use, management, and supervision of artificial intelligence.
This causal chain is the spine of every Traiceback engagement, and it is the architectural premise of the methodology we have built around it.
AIMSMART™
We deliver our work through AIMSMART: Artificial Intelligence Management that is Specific, Measurable, Achievable, Realistic, and Trustworthy. The acronym is a deliberate echo of the SMART-goal discipline that boards and audit committees already recognize. Specific, Measurable, Achievable, and Realistic carry their familiar meaning. Trustworthy is not aspirational: it adopts the definition set out in the NIST AI Risk Management Framework, under which a trustworthy AI system is valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. That is the standard a fiduciary owes and an examiner is entitled to test.
AIMSMART is not constructed from first principles. It is anchored to the recognized standards your regulators, your auditors, your board, and your insurance carrier already trust: the NIST AI Risk Management Framework, ISO/IEC 42001:2023, COSO's Achieving Effective Internal Control Over Generative AI (2026), the Investment Advisers Act and Rule 206(4)-7, ERISA §404, the OWASP Top 10 for LLM Applications, and the SEC's published examination evidence expectations.
We do not paraphrase the standards. We map to them — specifically.
The Ten Domains
The methodology is organized around ten control Domains. Each Domain addresses a distinct area of AI governance, from organizational accountability to the fiduciary-specific concerns that arise when an investment adviser or ERISA-regulated entity uses AI in connection with client or participant assets.
- 01 AI Governance & Accountability
- 02 AI Use Case Inventory & Classification
- 03 Data Governance & Privacy
- 04 Model Design, Development & Validation
- 05 Security, Access Control & Misuse Prevention
- 06 Third-Party & Vendor AI Risk Management
- 07 Threat Awareness & Adversarial Risk
- 08 Monitoring, Logging & Recordkeeping
- 09 Transparency, Training & Continuous Improvement
- 10 AI Conflicts of Interest & Fiduciary Alignment
The Domains are the structural scaffolding. The controls within them are the working surface.
The Six-Element Anchoring Discipline
Every control in AIMSMART is constructed through the same six-element discipline shown in Exhibit A above. Each control carries:
- 01 An operative definition of the control
- 02 A stated rationale
- 03 An explicit mapping to the principle or control point in the underlying standard that authorizes it
- 04 Evidence expectations differentiated by Model Deployment Posture tier, that is, by how the AI is actually deployed at the firm
- 05 A maturity progression
- 06 Cross-references to the controls it depends on or reinforces
What this means in practice: when an examiner — or, in the worst case, plaintiff's counsel — asks why a control exists and on what authority, the answer is not "we thought it was a good idea." The answer is a specific section of a specific recognized standard, paired with a specific item of evidence that demonstrates the control is operating as designed.
AIMSMART is deliberately designed as a manifestation of due care. That phrasing is not marketing. Due care is the substantive standard against which fiduciary conduct is measured under the Advisers Act and ERISA, and the foundation of any defense against allegations of negligence, regulatory deficiency, or breach of fiduciary duty. A framework that cannot produce contemporaneous evidence of due care is a framework that cannot defend itself when defense is required.
We build for the day defense is required.
Proportionality - Achievable and Realistic
A common concern among smaller advisers is that an AI governance framework will require rebuilding what already exists. AIMSMART does not. The framework is designed to operate either as a standalone AI governance regime or as a supplement to an adviser's existing compliance policies and procedures — extending what is already in place rather than replacing it.
The framework also calibrates to where a firm actually is in its use of artificial intelligence. We classify deployments along three Model Deployment Posture (MDP) tiers, MDP-1 through MDP-3, each carrying correspondingly proportionate controls and evidentiary documentation.
The same AIMSMART control may demand more rigor and more documentation at an MDP-3 firm than at an MDP-1 firm. Both can be compliant. Neither is held to the other's standard. Proportionate governance is precise governance — neither over-engineered for a small firm nor under-engineered for a large one.
Why Traiceback
Most AI governance offerings come from one of two places: a law firm that can interpret the regulations but cannot operationalize them, or a technology vendor that can build controls but cannot defend them under the standards a regulator will actually apply.
Both fall short for a reason that has less to do with their work product than with the structure of the problem. AI governance is not a single-stakeholder discipline. The General Counsel and the Chief Compliance Officer — often the same person at a smaller adviser — own the legal interpretation and the regulatory record. The Chief Information Security Officer — or the managed service provider acting in that capacity — owns the technical controls. The investment teams own the business case for using the tools in the first place. A framework that cannot meet each of them on their own terms is a framework that will not be implemented.
Gordon Eng has deep experience in the three domains that intersect in AI governance for fiduciaries: 1) investment adviser management; 2) securities law, complex financial instrument litigation, and regulatory defense; and 3) compliance for SEC-registered investment advisers and European registered funds. Gordon has supplemented that experience with postgraduate training in the Chief Information Security Officer (CISO) certificate program at NYU Tandon School of Engineering/Emeritus™, and in Machine Learning and Artificial Intelligence: Business Applications at the University of Texas at Austin McCombs School of Business/Great Learning™. The result is a practice that engages your General Counsel and Chief Compliance Officer as peers, your Chief Information Security Officer or technology provider in their own technical vocabulary, and your investment teams in the language of the trading desk and the portfolio manager.
That breadth informs more than the methodology. It informs the tools we use to deliver it. AIMSMART itself is developed and refined within a retrieval-augmented generation pipeline that holds the framework to the same standards of provenance, traceability, and evidentiary discipline we prescribe for clients. Governance you can describe is not the same as governance you can demonstrate. We build the second kind.
To discuss AI governance at your firm — or to request a sample AIMSMART control showing the six-element discipline applied end-to-end — write to us.
info@traiceback.com