Everything in ACT Tier 1 — enhanced — plus 5 audit-ready policy templates, an AI agent security module with dual-OWASP coverage, a FRIA template with Colorado consumer rights operational templates, a board reporting pack, a 6-month implementation plan, and an MCP security governance checklist. From gap analysis to audit-ready evidence in one toolkit.
Payments processed by Lemon Squeezy (Merchant of Record). Price increases to $1,499 after initial launch period.
ACT Tier 2 Professional contains the complete Tier 1 workbook — enhanced with two additional tabs and expanded gap analysis columns — plus 14 additional deliverable files that close the implementation gaps Tier 1 identifies.
One ZIP file. 13-tab enhanced workbook, 8 Word policy and procedure templates, 4 Excel deliverables, 1 PowerPoint board pack, plus README and legal disclaimer. Delivered as an instant download.
All 11 Tier 1 tabs plus new Evidence Tracker (Tab 12) with completion dashboard and Regulatory Update Log (Tab 13). Gap Analysis enhanced with Remediation Status and Evidence Attached columns. 106-row cross-framework controls matrix.
Foundational policy establishing governance structure, risk appetite, classification criteria, approved and prohibited uses, data governance, human oversight requirements, and third-party governance. RACI matrix included.
Comprehensive acceptable use rules covering approved tools, data handling, prohibited activities, output review, IP obligations, and incident reporting. Section 8 adds 9 subsections of open-source AI agent governance covering deployment scenarios, credential isolation, HITL thresholds, network controls, and decommissioning.
Operational risk identification, 5×5 assessment methodology, treatment options, residual risk acceptance, register maintenance, and escalation thresholds. Color-coded risk matrix with brand-consistent formatting.
Detection, classification, triage, containment, root cause analysis, and corrective action. Section 8 adds agent-specific procedures: supply chain compromise (ClawHavoc pattern), gateway token theft, persistent memory poisoning, and credential rotation checklist.
8-category vendor assessment criteria, 5-point risk scoring, due diligence workflow, contractual clause recommendations, and MCP server vetting pipeline with 7-step operational workflow.
Email-ready questionnaire with 8 sections. Internal scoring guidance included (marked “Do Not Send to Vendor”). Scoring thresholds aligned with the Due Diligence Procedure.
50-control security matrix covering OWASP Agentic Top 10 (ASI01–ASI10), OWASP LLM Top 10 (LLM01–LLM10), and MCP protocol controls. Agent inventory, access control matrix, agent risk register, and open-source agent risk register with 18 mapped risks.
Strategic governance layer for autonomous and semi-autonomous agents. 5-level autonomy boundaries, dynamic access control, identity management, inter-agent communication governance, MCP tool and protocol governance (5 subsections), deployment approval workflow, monitoring, and kill-switch requirements.
MCP server inventory with approval status tracking, 20-control security checklist across 6 categories, and 7-step server vetting workflow with sign-off fields. The only purchasable MCP governance artifact on the market.
Structured fundamental rights impact assessment with rights identification checklist, affected population analysis, risk scoring, stakeholder consultation, and approval workflow. Appendix contains 6 Colorado Consumer Rights operational templates: consumer notice, adverse decision explanation, data correction workflow, appeal routing SOP, public website disclosure, and AG notification template.
Executive-ready presentation covering governance posture across 12 domains, risk heat map, 4-framework compliance progress with deadline tracker, remediation timeline, and budget recommendations.
Data feed workbook supporting the Board Reporting Pack. Governance posture scores, risk summary, framework compliance status, and implementation progress with working formulas.
6-month phased implementation roadmap with 28 tasks, phase-colored rows, deliverable cross-references, and dependency tracking. From policy approval through audit readiness.
No competing product maps both OWASP Agentic Top 10 and OWASP LLM Top 10 into ISO 42001 controls, adds MCP protocol governance, and provides open-source agent risk mapping — all in purchasable, customizable templates.
ACT Tier 2 covers OpenClaw, Manus, AutoGPT, CrewAI, LangGraph, and any autonomous agent architecture. The governance documentation addresses shadow AI agent deployments, supply chain compromise scenarios (including the ClawHavoc registry attack pattern), credential isolation, persistent memory governance, and decommissioning obligations.
The MCP Security Governance Checklist is the first purchasable governance artifact dedicated to the Model Context Protocol — covering server inventory, 20 security controls across 6 categories, and a 7-step vetting workflow.

| Framework | Issuing Body | Coverage in ACT Tier 2 |
|---|---|---|
| OWASP Agentic Top 10 | OWASP Foundation (Dec 2025) | 24 controls mapped to ASI01–ASI10 |
| OWASP LLM Top 10 | OWASP Foundation (2025) | 18 controls mapped to LLM01–LLM10 |
| MCP Security Governance | Move78 (proprietary) | 8 protocol controls + 20-item checklist + 7-step vetting |
| Singapore IMDA | IMDA (Jan 2026) | Referenced in Agentic AI Governance Policy |
| UC Berkeley BAIR | UC Berkeley (Feb 2026) | Referenced in Agentic AI Governance Policy |

The Colorado AI Act (SB 24-205 as amended by SB 25B-004, enforcement June 30, 2026) gives deployers an affirmative defense under C.R.S. 6-1-1706 if they demonstrate compliance with a recognized AI risk management framework. ACT Tier 2 provides the governance documentation to support that defense.
Nine frameworks unified in one implementation system. Every reference verified against primary source documents.

| Framework | Source | Coverage |
|---|---|---|
| ISO/IEC 42001:2023 | Purchased standard PDF | Every clause (4.1–10.2) and Annex A control (A.2–A.10) |
| NIST AI RMF 1.0 | NIST AI 100-1 (Jan 2023) | All 72 subcategories across GOVERN, MAP, MEASURE, MANAGE |
| NIST AI 600-1 GenAI Profile | Published profile (Jul 2024) | 200+ actions mapped to corresponding RMF subcategories |
| Colorado AI Act | SB 24-205 as amended by SB 25B-004 | All deployer and developer obligations with C.R.S. citations |
| OWASP Agentic Top 10 | OWASP Foundation (Dec 2025) | ASI01–ASI10 mapped to ISO 42001 and NIST controls |
| OWASP LLM Top 10 | OWASP Foundation (2025) | LLM01–LLM10 mapped to ISO 42001 and NIST controls |
| MCP Security Governance | Move78 proprietary research | 20 controls, 6 categories, server vetting workflow |
| Singapore IMDA | Gov framework (Jan 2026) | Referenced in Agentic AI Governance Policy |
| UC Berkeley BAIR | Academic framework (Feb 2026) | Referenced in Agentic AI Governance Policy |

A complete AI governance implementation typically costs $20,000–$200,000 in consulting fees or $5,000–$50,000 per year in platform subscriptions. ACT Tier 2 delivers equivalent documentation at less than 3% of the cheapest alternative.
CTOs, CISOs, DPOs, and compliance leads at technology-centric SMEs (10–250 employees) who need a complete, audit-ready implementation system covering ISO 42001, NIST AI RMF, Colorado AI Act, and AI agent security — including autonomous agent governance for OpenClaw and similar open-source deployments.
ACT Tier 2 is the right choice for organizations that have completed an initial gap analysis (or are ready to skip directly to implementation) and need the full documentation set to demonstrate governance maturity to auditors, regulators, boards, and customers.
Starting point. Not sure where the gaps are yet? ACT Tier 1 Starter ($399) provides the unified controls matrix, gap analysis checklist, and risk register to assess your current posture. The gap analysis results will name exact Tier 2 deliverables needed to close each gap.