
GovernAI

Cyber Security / MSP — AI Governance · Next.js 14 App Router · AWS ECS Fargate ARM64 · API Gateway + Lambda (Node 20) · Postgres 16 + pgvector (RDS) · Claude Sonnet 4.5 + Haiku 4.5 via Bedrock · Cognito (multi-tenant) · react-pdf · AWS SES · VelocityStack CDK · 100h build

Day 8 of 30 — the cluster closes

GovernAI is live at governai.cloud — and it closes the CyberSavi family week.

Six ventures from one operator team in eight days. SecureStackScan finds the gaps. CompliancePulse runs continuous compliance against them. CyberSavi Academy trains the people who run it. CyberSavIQ extends to the personal/reputation layer. GovernAI overlays AI governance for the EU AI Act moment. By this morning, the channel-motion thesis lands as fact, not pitch.

GovernAI is the AI governance module Cyber Savi MSPs and vCISOs use to stand up an ISO 42001 / NIST AI RMF / EU AI Act program for an SMB client in 48 hours — and keep it continuously compliant for less than the cost of a steakhouse lunch per month.

What it does

The clock that started this build: August 2, 2026. That’s when EU AI Act high-risk deployer obligations come into force. The MSP / vCISO conversation has shifted in 90 days from “do we need an AI policy?” to “we need one before August.” Yesterday’s Substack essay (When the Bot Disappears) made the regulatory case. Today the product lands.

Concretely, here’s what an MSP gets when they spin up a client tenant:

  • Five complete framework libraries, loaded on day one and cross-mapped to each other. ISO/IEC 42001:2023 Annex A — 38 controls. NIST AI RMF 1.0 plus the GenAI Profile (NIST-AI-600-1) — 84 subcategories. EU AI Act deployer obligations — 29 duties, tier-mapped to Articles 6, 9, 13, 14, and 50. Colorado AI Act — 12 obligations, effective February 2026. NYC Local Law 144 — 4 hiring-AEDT duties. 167 controls in total, sitting in the database, cited in every artifact.

  • An AI inventory module that ingests systems via manual entry or CSV import. Haiku auto-classifies each system into the EU AI Act four-tier scheme and proposes data-flow metadata. PII is regex- and classifier-scrubbed before any model invocation.

  • A 30-minute conversational risk interview driven by Sonnet, scoring seven dimensions: bias, hallucination, data leakage, IP contamination, explainability, dependency, provider concentration. The system prompt and a 6,000-token framework knowledge base sit behind a one-hour prompt cache. A pgvector top-K=8 retrieval over the client’s prior assessments is appended on each turn — so the second client looks sharper than the first, the tenth sharper than the second.

  • Eight client-specific policies generated in under two minutes — Acceptable Use, Procurement, Data Handling, Output Review, Model Lifecycle, Third-Party Vendor, Incident Response, Board Oversight. Every claim footnoted to a real control ID. A second Haiku pass validates citations before the vCISO publishes.

  • A signed-link employee acknowledgement workflow. The vCISO publishes and picks a recipient list; the system mails HMAC-signed JWTs that resolve to a public, no-auth, rate-limited acknowledgement page. Every click writes to the audit log.

  • Board-ready PDF in under 30 seconds — react-pdf running in Lambda, MSP-branded, with executive summary and top-five recommendations narrated by Sonnet. KMS-encrypted in S3, served via 24-hour signed URL.

  • A public AI Trust Center per client — editorial design, framework-percent-satisfied, public-facing AI systems table, published policies list. SMBs forward the URL to enterprise prospects who ask “what’s your AI governance posture?”

  • An AI incident register with eight incident kinds and a Sonnet-generated structured response playbook covering containment, customer communications draft, regulator notification draft (with EU AI Act Article 73 trigger detection), and framework references.

The unfashionable choice we made on purpose: vCISO-in-the-loop on everything. No auto-send. No shipped-to-employee policies the human practitioner hasn’t read. The model does the typing. The vCISO does the judgement.

Why Day 8

Two reasons.

The cluster needed a closer. Days 1, 4, 5 and 6 built up the CyberSavi family — find, comply, train, extend. Day 7 (TrainTogether + the EU AI Act Substack essay) set up the regulatory tailwind. Day 8 lands the product that turns the tailwind into revenue. By this afternoon the audience has seen five production-class ventures from one channel — and the channel-motion thesis stops being a pitch and starts being a portfolio.

The August regulatory deadline is real. The GovernAI Substack thesis dropped yesterday (https://toddmerrill.substack.com/p/when-the-bot-disappears-from-scrutiny) and is the highest-signal slot of Week 1. MSP and vCISO buyers reading the Substack on the weekend need a product surface to land on by the time they reach the call-to-action. governai.cloud opens this morning.

The Velocity Process notes

What Claude Code handled: the entire ECS Fargate deployment under VelocityStack, all five CDK stacks (IAM/Data/API/Frontend/Monitoring), seven Lambda handlers totalling ~1,356 LOC, the Postgres + pgvector schema across 8 migrations, the seed loaders for all 167 controls across 5 frameworks, the React-PDF renderer, the Bedrock client with prompt-caching wrapper, the PII scrubbing pipeline, the Cognito multi-tenant setup with msp_id claim, every line of the Next.js 14 App Router frontend across 22 pages. 14,169 LOC across src/. 26 commits since the Day 2 bootstrap.

What required human judgement:

  • The choice of Postgres + pgvector over DynamoDB. CyberSaviPulse uses single-table Dynamo and that’s the right answer for its workload; GovernAI is multi-table joins plus vector RAG: different shape, different DB.
  • The model split: Sonnet for the work where quality is the product, Haiku for classification and the post-generation hallucination check.
  • The vCISO-in-the-loop guardrail as the non-negotiable product principle (no auto-send, ever).
  • The per-end-client pricing model, with the database structure that makes seat-based metering trivial.
  • The position of coexisting with Cynomi/Vanta/Drata rather than trying to displace them.
  • The deferral of native M365/Google OAuth discovery to Sprint 3: manual + CSV intake gets a vCISO from zero to complete inventory in under an hour for any client they understand.

What broke: the first version of the policy generator put every framework citation through Sonnet, which produced beautiful-looking but occasionally fabricated control IDs. The fix was the Haiku validation pass — it reads the generated policy, walks every [Source: X] footnote, and flags any that don’t resolve to a control ID actually loaded in the database. Publishing is blocked until the vCISO resolves every flag. ~4 hours of human design, 2 hours of Claude Code implementation.
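The deterministic half of that citation check, as an added example rather than GovernAI's code: walk every [Source: X] footnote, resolve X against the control IDs the seed loaders actually put in the database, and gate publishing on an empty flag list. The control ID format, the loaded set and the sample policy are constructed here to mimic the frameworks the page names; the real pass also has Haiku read the policy, which is out of scope.

```javascript
// Added example, not GovernAI's own code: resolve every [Source: X] footnote in
// a generated policy against the tenant's loaded control IDs and block publishing
// while any footnote is unresolved. IDs and sample text are constructed.

// Constructed stand-in for the control IDs the seed loaders wrote to Postgres.
const LOADED_CONTROLS = new Set([
  "ISO42001:A.6.2.3", "ISO42001:A.8.2", "NIST-AI-RMF:GOVERN 1.1",
  "NIST-AI-600-1:2.2", "EUAIA:Art.26(2)", "CO-AIA:6-1-1703(3)",
]);

// Constructed policy excerpt: three citations that resolve, one fabricated ID
// (line 4) and one near miss with a wrong paragraph number (line 5).
const SAMPLE_POLICY = `
1. Staff may only use AI systems listed in the inventory. [Source: ISO42001:A.6.2.3]
2. Outputs used in decisions about customers get human review. [Source: EUAIA:Art.26(2)]
3. Vendors must disclose training-data provenance. [Source: ISO42001:A.10.2.7]
4. Usage logs are retained for at least six months. [Source: EUAIA:Art.26(6)]
5. Identified risks are tracked in the register. [Source: NIST-AI-RMF:GOVERN 1.1]
`;

// Footnote syntax as the page shows it; tolerant of stray whitespace.
const FOOTNOTE_RE = /\[Source:\s*([^\]]+?)\s*\]/g;

// Walk the policy line by line so each flag carries a line number the vCISO
// can jump to. Returns every footnote with its resolution status.
function walkCitations(policyText, loaded) {
  const findings = [];
  policyText.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(FOOTNOTE_RE)) {
      findings.push({ line: idx + 1, id: m[1], resolved: loaded.has(m[1]) });
    }
  });
  return findings;
}

// Publish gate: canPublish is true only when no footnote is unresolved.
// The flags list is what the vCISO must clear before the policy ships.
function publishGate(policyText, loaded = LOADED_CONTROLS) {
  const findings = walkCitations(policyText, loaded);
  const flags = findings.filter((f) => !f.resolved);
  return { canPublish: flags.length === 0, total: findings.length, flags };
}
```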

The CyberSavi family arc — in retrospect

Read the cluster end-to-end:

  • Day 1: SecureStackScan finds the gaps in an SMB’s stack — and feeds them into CompliancePulse.
  • Day 4: CompliancePulse is the spine. It calls out to and gathers from the other four.
  • Day 5: CyberSavi Academy receives training assignments from CompliancePulse and reports completion back into the evidence stream.
  • Day 6: CyberSavIQ feeds personal/reputation signal on owners and key staff into CompliancePulse’s per-tenant risk picture.
  • Day 8 (today): GovernAI receives AI-governance posture and policy hooks from CompliancePulse and writes back AI-control state to the same evidence package.

Same channel. Same buyer. One coherent operating system at per-end-client economics. Built and launched in eight days.

What’s next

  • Tomorrow (Sat May 9): CogleGroup GP partnership announcement — the Sequoia / Julien Bek autopilot-thesis activation, alongside the Anthropic Claude Partner Network and the new coglegroup.com Astro 5 rebuild.
  • Saturday morning: TFTSL Week 1 wrap drops — 60 seconds per build, all eight in one episode.
  • Saturday on Substack: the long-form GovernAI thesis — AI governance is the next per-end-client SKU — drops as the Week 1 anchor essay.

Want to talk

If you run an MSP / vCISO / fractional CISO desk and you have at least one regulated SMB client who has asked an AI governance question in the last quarter — we’re taking 10 design partners this month at no cost. You get a year of the Growth tier free across your book, naming on the launch page, and a direct line to the build team. Book 30 minutes.

If you want every build delivered to your inbox, the email signup on the home page is wired to GoHighLevel — no noise, just the build.

GovernAI is co-built with Kirby Winters and the Cyber Savi Security team. Live now at governai.cloud.