SDVOSB · Veteran-led · Boston, MA
§ 0 · Published policy · Nexurion, LLC · revised May 2026
How we use AI · on the record · audit-firm discipline

AI generates signal. Nexurion makes it defensible.

Most firms are rushing AI into compliance work without the controls they would refuse to certify in a client. We are not most firms. This page is our published policy: where we use AI, where we do not, and which human signs every artifact that leaves the building.

Stance · Local processing · no client data to public APIs · no AI-authored deliverables · one human signature per artifact.

Client data · Local · Processed in controlled environments only
Public AI APIs · 0 · No client artifacts ever leave for inference
Final deliverables · Human · Authored, reviewed, signed by a principal
Accountability · 1:1 · One named human owns every artifact
§ I · The stance
What we believe, on the record

Discipline, not hype. Judgment, not autocomplete.

The compliance industry is in the middle of an AI gold rush. Vendors are wiring public language models directly into client artifacts (control narratives, policies, audit responses) with no published policy, no provenance, and no human accountable for the output. We will not work that way.

A note on alignment, not certification. Nexurion is not certified against any AI governance framework. The practice you are about to read is aligned to the same standards we deploy for clients: ISO/IEC 42001:2023, NIST AI RMF 1.0 with the GenAI Profile, EU AI Act obligations for general-purpose AI, and AIUC-1, the emerging audit standard for AI agents. When we tell a client to publish a policy, log inferences, track provenance, and name a human owner, we have done it ourselves first.

The premise

AI is a research instrument. It is not a decision-maker.

A model can read faster than a human, surface patterns across a control set, and accelerate the boring work of normalization. That is useful. It is also the floor, not the ceiling. An AI cannot stand in front of an auditor. It cannot be deposed. It cannot put its name on the closing memo. The judgment that matters in compliance (what is in scope, which finding is material, what the program owes a regulator) is either judgment a human practitioner owns, or judgment that does not survive contact with the audit.

The promise

Every artifact that leaves Nexurion is human-authored, human-signed, and human-defensible.

We use AI internally, on local infrastructure, to accelerate analysis and surface patterns earlier. We do not use AI to write the language a client signs, the memo an auditor reads, or the policy a regulator inspects. The deliverable is written by a named principal. The signature is real. The accountability is ours.

AI generates signal. Nexurion makes it defensible. - Operating principle · published · on the record
§ II · The ledger
Where we use AI · where we don’t

A line, drawn in the open. So you do not have to guess what is in your artifacts.

Every firm has a position on AI. Most do not publish it. This is ours, in the same two-column format we would want to see from any vendor handling our own artifacts. Print it. Paste it into your security review. Hold us to it.

Where we use AI

To accelerate the boring work: locally, controlled, supervised.

Internal acceleration only. On Nexurion infrastructure. Outputs are inputs to a human practitioner, never the deliverable.

  • USE 01
    Data normalization and structuring.

    Reformatting evidence intake, deduplicating control sets, parsing legacy policy libraries into machine-readable form. The model handles the shape; the practitioner reads every line.

  • USE 02
    Pattern recognition across controls and gaps.

    Cross-referencing a client's control set against SOC 2, ISO 27001, NIST 800-53, and ISO 42001, surfacing overlap, conflict, and likely gaps for a senior practitioner to validate.

  • USE 03
    First-pass analysis and issue identification.

    Reading large evidence packages or vendor questionnaires to flag what a senior practitioner should look at first. The triage is faster; the judgment is unchanged.

  • USE 04
    Internal research and reference lookup.

    Pulling regulatory text, comparing framework revisions, summarizing case law for the practitioner's review. Same purpose as a paralegal: faster, narrower, never authoritative on its own.

  • USE 05
    Drafting internal working notes, never client artifacts.

    Scratch material the practitioner edits down to the language they would themselves write. No drafted text is shipped as-is. Every sentence in a client deliverable is human-authored.

Where we do not use AI

For anything a human signs, an auditor reads, or a regulator inspects.

These are the bright lines. They do not move under deadline pressure, client pressure, or competitive pressure.

  • NEVER 01
    No client data sent to public AI APIs.

    We do not transmit client artifacts (policies, evidence, audit material, system data) to any model we do not control. Public APIs are off the table for client work, full stop.

  • NEVER 02
    No AI-generated final deliverables.

    The transmittal memo, the SOC 2 control narrative, the ISO 42001 policy, the DPIA, the audit response: all written by a human practitioner, line by line. AI is not on the page when the artifact ships.

  • NEVER 03
    No AI making audit decisions.

    Whether a finding is material, whether a control is in scope, whether a program is ready for an external audit: these are practitioner calls, owned and signed by a named principal. A model does not have authority to decide them.

  • NEVER 04
    No AI operating without human validation.

    No autonomous agents writing artifacts. No unsupervised pipelines producing client output. Every model output crosses a practitioner's desk before it crosses the firewall.

  • NEVER 05
    No AI in the signature.

    The name on the memo is a human. The accountability is a human. If the practitioner who signed the artifact cannot defend every sentence in it, the artifact does not ship.

Filed · Nexurion AI policy · v.1 · revised May 2026 · Copy this. Challenge it. Hold us to it.
§ III · Data handling
What happens to your data

Your material stays where you put it. No exceptions.

The first question every CISO and procurement reviewer asks is the right one: what happens to my data when it touches your AI? Three answers, in plain language.

01 · Local processing

Client data is processed on Nexurion-controlled infrastructure.

When AI assists with normalization, pattern recognition, or first-pass analysis on client material, it runs in a controlled environment we operate. The data does not leave for an inference call to a third-party endpoint we do not own.

Posture · Local · controlled

02 · No external exposure

No client artifact is sent to a public model.

Public APIs, including the major commercial endpoints, are not in the path for client material. If a question requires a capability we cannot run locally, the practitioner answers it without the artifact, or we answer it differently.

Public APIs · 0 · client work

03 · Confidentiality preserved

Confidentiality is treated as a control, not a setting.

The same NDA and engagement-letter terms that govern a human practitioner govern any tooling that touches your material. Access is least-privilege. Retention is purpose-limited. The artifact register tracks what existed, who handled it, and when it was destroyed.

Treatment · Control-grade
§ IV · Human accountability
Who owns the artifact

A human name. A human signature. A human you can call.

The accountability for every artifact at Nexurion is a person, not a tool. The signature is real. The person standing behind it is real. We are accountable, and we are not a tool.

Operating standard · signed deliverables

Every artifact is reviewed and owned by a named human expert.

Every deliverable that ships under the Nexurion letterhead (the SOC 2 control narrative, the AI governance policy, the DPIA, the readiness assessment, the closing transmittal) is reviewed and signed by the named principal who led the engagement. There is no anonymized "the team" sign-off. There is no machine-generated signature line.

If a sentence in the artifact cannot be defended by the human whose name is on it, the sentence does not ship. If the artifact cannot survive an auditor's question, the artifact does not ship.

Signature standard · representative
"This memo is the working contract for the engagement. I sign for it."
Nexurion Principal
One signature · one practitioner · one artifact
Signed
§ V · Why this matters to you
The buyer-side outcome

Discipline at the firm becomes defensibility at your audit.

This is the part that lands in front of your auditor, your board, and your enterprise customer's procurement team: the people whose signatures matter as much as ours.

Outcome 01

Faster audit readiness.

Acceleration on the boring work shortens the calendar. We move from intake to a clean readiness package in weeks, without compromising the line-by-line review of the artifact that ships.

Outcome 02

Stronger, more defensible controls.

Pattern recognition surfaces gaps a single reader would miss. Human authorship hardens the language. The result is a control set that survives the auditor's question, not a draft that hopes for the best.

Outcome 03

Reduced risk of failure or rework.

AI-authored artifacts get caught in audit. Ours do not, because they are not AI-authored. You pay for the work once, on a fixed fee, and the artifact stands on the audit-firm desk without revision.

Outcome 04

Confidence in front of auditors and boards.

You can answer the question every reviewer is now trained to ask, "how was this written, and who is accountable?", with a name, a signature, and a published policy. Theirs and ours.

§ VI · The closing line
Engage Nexurion · written scope · fixed fee

AI accelerates the work. Nexurion owns the outcome.

Tell us what triggered the call. We will reply with the next available principal-led slot and, within forty-eight hours of the call, a written scope on Nexurion letterhead: signed by a human, defensible by a human, and built to survive the audit. The signature on your artifact will be a person's name.

Filed · Nexurion AI policy · v.1 · published May 2026