AI Consultant
The AI Consultant is an in-platform advisory tool that analyses and drafts from your live assessment records: the system context, framework scores, evidence entries, risk items and findings already recorded. It draws on what is in the workspace, not on general knowledge alone, so its output is specific to the governance situation in front of it.
Grounded, not general
Every consultation reads the current assessment at the moment of the query. That grounding is both the Consultant’s strength and its limit:
- When the record is detailed (scored controls with notes, evidence linked to controls, named risk owners, a specific system description), the Consultant produces directly relevant analysis.
- When the record is thin, the output is generic, because there is nothing specific to draw from.
The practical consequence: the Consultant cannot compensate for an incomplete assessment. The areas it cannot see do not appear as caveats; they simply do not appear. Treat its output as a drafting accelerator for well-prepared records, not as authoritative governance and not as a substitute for the work that produces the record.
Task-specific modes
The Consultant offers focused modes, each oriented to a specific governance activity. Matching the mode to the question produces sharper output than a general query:
| Mode | What it produces |
|---|---|
| Governance Review | Ownership, accountability, approval gaps and operating-model weaknesses. |
| Risk Review | Risk statements, exposure summaries and treatment options from the assessment data. |
| Evidence Review | What evidence is present, what is missing, and which requests would strengthen assurance. |
| Policy Support | Generates or improves policy wording from the governance record. |
| Report Support | Report-ready narrative. |
| Agentic AI Review | Scoped to agentic governance: agent controls, approval gates, ATF readiness and Gateway records. |
| Board Summary | The assessment distilled into executive priorities and decisions needed. |
| Remediation Planning | Sequenced actions with owners, dependencies and closure tests. |
| General Advice | Open-ended questions, broader output than the task-specific modes. |
How it is governed
The Consultant is held to the same controls as every other AI feature in Gamut:
- Server-side only. Prompts and responses are proxied server-side; model provider keys are never exposed to the browser. See AI assistance & data handling.
- Entitlement and permission gated. It requires both the `ai_chat` entitlement and the AI Consultant permission, an Advanced-tier capability. See Plans & entitlements and Users & roles.
- Usage-metered. AI calls count against the plan’s daily and monthly quotas.
- Tenant-scoped. It only ever sees the records of the workspace you are in.
Get the most from it
- Complete the assessment first. A half-finished assessment leaves the Consultant blind to large parts of the picture, and the output will sound more complete than it is.
- Pick the right mode. “What are the ownership gaps here?” belongs in Governance Review, not General Advice.
- Treat output as a draft. Review and own everything it produces before it becomes a governance artefact.
- Assessments & control testing: the record the Consultant reads from.
- Policy generation: the structured-document counterpart.
- Remediation Roadmap: where Remediation Planning output lands.