For teams that need to move beyond baseline records into connected implementation evidence: enhanced ACT-1 workbooks, policy and procedure files, vendor diligence, FRIA starter artifacts, board reporting, MCP governance, agentic AI control boundaries, OpenClaw governance context, and a six-month rollout plan.
ACT-2 is an implementation evidence pack. It is not an enterprise SaaS platform, a law-firm opinion, a certification engagement, or a substitute for internal governance ownership.
ACT-2 is broader than a policy download. It is for buyers who need connected evidence across inventory, controls, policies, board reporting, FRIA, vendors, and agentic AI.
ACT-2 is file-based. It does not provide log ingestion, workflow automation, access control, API integrations, runtime attestation, or continuous monitoring.
ACT-2 supports implementation evidence. It does not provide legal compliance assurance, ISO certification assurance, regulatory acceptance, audit result assurance, or buyer approval.
The pack only works when governance, risk, security, legal, procurement, and AI owners maintain the records and make internal decisions.
ACT-2 adds the operational layer missing from most template packs: policy files, vendor diligence, board reporting, FRIA starter artifacts, MCP governance, agentic AI control boundaries, and a rollout plan. It supports evidence collection. It does not provide legal compliance assurance, certification assurance, or regulatory safe harbor.
ACT-2 is the implementation evidence pack for teams that have moved beyond baseline registers. It adds policy files, board evidence, vendor diligence, FRIA starter materials, and AI-agent governance records while keeping the deliverables editable and internally owned.
ACT-2 expands the starter control view into a fuller evidence map for ISO/IEC 42001, NIST AI RMF, EU AI Act-adjacent evidence, Colorado-style documentation needs, and practical implementation ownership.
ACT-2 adds executive-facing governance status artifacts so risk, security, privacy, and technical owners can explain progress, gaps, and decisions without turning the board pack into a legal opinion.
ACT-2 adds vendor evidence request structure for AI tooling, third-party model use, procurement review, and buyer-facing assurance conversations.
ACT-2 provides starter evidence structures for regulated-use review. The templates support internal documentation but do not replace qualified legal, privacy, or sector-specific review.
ACT-2 adds AI-agent inventory, boundary register, oversight log, incident path, and shutdown or escalation prompts for teams deploying autonomous or semi-autonomous workflows.
ACT-2 adds governance records for MCP and OpenClaw-adjacent risk review. Technical hardening still belongs in M78Armor; ACT-2 keeps the governance evidence trail.
Decision rule: ACT-2 is the default product when a buyer needs connected implementation evidence rather than a single template, policy, or inventory spreadsheet.
AI Controls Professional contains the complete Starter controls matrix — enhanced with two additional tabs and expanded gap analysis columns — plus 14 additional deliverable files that close the implementation gaps Starter identifies.
A connected implementation package: a 13-module governance workbook, policy and procedure templates, structured implementation workbooks, board reporting support, README, and legal disclaimer. Delivered as editable workbooks and templates, not as legal advice or a hosted SaaS workflow.
All 11 Starter tabs plus new Evidence Tracker (Tab 12) with completion dashboard and Regulatory Update Log (Tab 13). Gap Analysis enhanced with Remediation Status and Evidence Attached columns. 106-row cross-framework controls matrix.
Foundational policy establishing governance structure, risk appetite, classification criteria, approved and prohibited uses, data governance, human oversight requirements, and third-party governance. RACI matrix included.
Comprehensive acceptable use rules covering approved tools, data handling, prohibited activities, output review, IP obligations, and incident reporting. Section 8 adds 9 subsections of open-source AI agent governance covering deployment scenarios, credential isolation, HITL thresholds, network controls, and decommissioning.
Operational risk identification, 5×5 assessment methodology, treatment options, residual risk acceptance, register maintenance, and escalation thresholds. Color-coded risk matrix with brand-consistent formatting.
Detection, classification, triage, containment, root cause analysis, and corrective action. Section 8 adds agent-specific procedures: supply chain compromise (ClawHavoc pattern), gateway token theft, persistent memory poisoning, and credential rotation checklist.
8-category vendor assessment criteria, 5-point risk scoring, due diligence workflow, contractual clause recommendations, and MCP server vetting pipeline with 7-step operational workflow.
Email-ready questionnaire with 8 sections. Internal scoring guidance included (marked “Do Not Send to Vendor”). Scoring thresholds aligned with the Due Diligence Procedure.
50-control security matrix covering OWASP Top 10 for Agentic Applications (ASI01–ASI10), OWASP LLM Top 10 (LLM01–LLM10), and MCP protocol controls. Agent inventory, access control matrix, agent risk register, and open-source agent risk register with 18 mapped risks.
Strategic governance layer for autonomous and semi-autonomous agents. 5-level autonomy boundaries, dynamic access control, identity management, inter-agent communication governance, MCP tool and protocol governance (5 subsections), deployment approval workflow, monitoring, and kill-switch requirements.
MCP server inventory with approval status tracking, 20-control security checklist across 6 categories, and 7-step server vetting workflow with sign-off fields. An MCP governance artifact designed for lean teams that need a file-based approval and evidence workflow.
Structured fundamental rights impact assessment with rights identification checklist, affected population analysis, risk scoring, stakeholder consultation, and approval workflow. Appendix contains 6 Colorado Consumer Rights operational templates: consumer notice, adverse decision explanation, data correction workflow, appeal routing SOP, public website disclosure, and AG notification template.
Executive-ready presentation covering governance posture across 12 domains, risk heat map, 4-framework compliance progress with deadline tracker, remediation timeline, and budget recommendations.
Data feed module supporting the Board Reporting Pack. Governance posture scores, risk summary, framework compliance status, and implementation progress with working formulas.
6-month phased implementation roadmap with 28 tasks, phase-colored rows, deliverable cross-references, and dependency tracking. From policy approval through audit readiness.
No competing product maps both OWASP Top 10 for Agentic Applications and OWASP LLM Top 10 into ISO 42001 controls, adds MCP protocol governance, and provides open-source agent risk mapping — all in purchasable, customizable templates.
AI Controls Professional covers OpenClaw and MCP-based agent architectures, with governance principles applicable to any autonomous agent deployment. The governance documentation addresses shadow AI agent deployments, supply chain compromise scenarios (including the ClawHavoc registry attack pattern), credential isolation, persistent memory governance, and decommissioning obligations.
The MCP Security Governance Checklist is the first purchasable governance artifact dedicated to the Model Context Protocol — covering server inventory, 20 security controls across 6 categories, and a 7-step vetting workflow.
| Framework | Issuing Body | Coverage in AI Controls Professional |
|---|---|---|
| OWASP Top 10 for Agentic Applications | OWASP Foundation (2026 list) | 24 controls mapped to ASI01–ASI10 |
| OWASP LLM Top 10 | OWASP Foundation (2025) | 18 controls mapped to LLM01–LLM10 |
| MCP Security Governance | Move78 (proprietary) | 8 protocol controls + 20-item checklist + 7-step vetting |
| Singapore IMDA | IMDA (Jan 2026) | Referenced in Agentic AI Governance Policy |
| UC Berkeley BAIR | UC Berkeley (Feb 2026) | Referenced in Agentic AI Governance Policy |
The Colorado AI Act (SB 24-205 as amended by SB 25B-004, effective June 30, 2026) gives deployers an affirmative defense under C.R.S. 6-1-1706 if they demonstrate compliance with a recognized AI risk management framework. AI Controls Professional provides the governance documentation to support that defense.
Nine frameworks unified in one implementation system. Every reference verified against primary source documents.
| Framework | Source | Coverage |
|---|---|---|
| ISO/IEC 42001:2023 | Purchased standard PDF | Every clause (4.1–10.2) and Annex A control (A.2–A.10) |
| NIST AI RMF 1.0 | NIST AI 100-1 (Jan 2023) | All 72 subcategories across GOVERN, MAP, MEASURE, MANAGE |
| NIST AI 600-1 GenAI Profile | Published profile (Jul 2024) | 200+ actions mapped to corresponding RMF subcategories |
| Colorado AI Act | SB 24-205 as amended by SB 25B-004 | All deployer and developer obligations with C.R.S. citations |
| OWASP Top 10 for Agentic Applications | OWASP Foundation (2026 list) | ASI01–ASI10 mapped to ISO 42001 and NIST controls |
| OWASP LLM Top 10 | OWASP Foundation (2025) | LLM01–LLM10 mapped to ISO 42001 and NIST controls |
| MCP Security Governance | Move78 proprietary research | 20 controls, 6 categories, server vetting workflow |
| Singapore IMDA | Gov framework (Jan 2026) | Referenced in Agentic AI Governance Policy |
| UC Berkeley BAIR | Academic framework (Feb 2026) | Referenced in Agentic AI Governance Policy |
A complete AI governance implementation typically costs $20,000–$200,000 in external implementation fees or $4,999–$50,000 per year in platform subscriptions. AI Controls Professional delivers equivalent documentation at less than 3% of the cheapest alternative.
CTOs, CISOs, DPOs, and compliance leads at technology-centric SMEs (10–250 employees) who need a complete, audit-supporting implementation system covering ISO 42001, NIST AI RMF, Colorado AI Act, and AI agent security — including autonomous agent governance for OpenClaw and similar open-source deployments.
AI Controls Professional is the right choice for organizations that have completed an initial gap analysis (or are ready to skip directly to implementation) and need the full documentation set to demonstrate governance maturity to auditors, regulators, boards, and customers.
Starting point. Not sure where the gaps are yet? AI Controls Starter ($399) provides the unified controls matrix, gap analysis checklist, and risk register to assess your current posture. The gap analysis results will name exact Tier 2 deliverables needed to close each gap.
Need rollout support after purchase? ACT Tier 3 is the fixed-scope Implementation Sprint for buyers of AI Controls Professional. It provides 6 live sessions in 30 calendar days covering document tailoring guidance, evidence review, rollout priorities, and direct use of the Professional deliverables.
AI Controls Professional is built for teams that already know they need evidence, not another overview. It turns the baseline controls into policy artifacts, evidence tracking, board reporting, Agentic AI/MCP governance, and a sequenced implementation plan.
Inventory, controls, evidence tracker, regulatory update log, and progress structure.
Editable governance, acceptable-use, risk, incident, and vendor workflow documents.
Impact-assessment and consumer-rights evidence starters for governance files.
Management-facing structure for posture, gaps, roadmap, and remediation decisions.
Controls for autonomy, MCP approval, OpenClaw-relevant governance, override, and shutdown.
Sequenced rollout path so teams can turn artifacts into an operating model.
AI Controls Professional includes the enhanced 13-module workbook, audit-supporting policy and procedure templates, AI Agent Security Module, Agentic AI Governance Policy, MCP Security Governance Checklist, FRIA and Colorado consumer rights templates, board reporting pack, and implementation project plan.
Yes. AI Controls Professional includes the complete AI Controls Starter foundation and expands it with additional tabs, implementation artifacts, policy templates, reporting assets, and governance modules.
Yes. AI Controls Professional includes dedicated governance content for Agentic AI, OpenClaw-relevant agent security scenarios, OWASP Top 10 for Agentic Applications, OWASP LLM Top 10, and MCP server governance.
Yes. AI Controls Professional includes Colorado-focused crosswalks, FRIA and consumer rights operational templates, and evidence-oriented implementation artifacts designed to support safe harbor readiness work.
Yes. AI Controls Professional is delivered as editable implementation workbooks and templates so internal teams can tailor them to their operating model, governance structure, and evidence requirements.
No. AI Controls Professional already includes the Starter foundation. Buyers can begin directly with Professional if they are ready to move from assessment into full implementation.
No. Live rollout support is not bundled into AI Controls Professional. Buyers that need fixed-scope rollout guidance can add the AI Governance Implementation Sprint separately.
The toolkit includes a 6-month phased implementation project plan. Actual timing depends on buyer maturity, internal ownership, evidence availability, and how many deliverables are deployed in the first rollout cycle.
ACT-2 is the stronger route when the implementation gap includes board evidence, vendor diligence, FRIA/DPIA starters, cross-framework mapping, agentic AI governance, or M78Armor-adjacent runtime governance records.
Source and review note: This page was last reviewed on 6 May 2026 against the current Move78 public site baseline and relevant official or authoritative sources where laws, standards, frameworks, cybersecurity controls, product scope, pricing, or support policy are discussed. It provides operational implementation guidance and product information only; it is not legal advice, tax advice, audit assurance, certification assurance, conformity-assessment advice, buyer-approval assurance, or security assurance. Validate legal, regulatory, contractual, tax, audit, and security decisions with qualified professionals.