govrn · internal · partnership working doc

The merge map.

govrn × Aperture — a vetting surface, before anything is implemented.

Draft for discussion · nothing implemented · June 2026
Two systems · one product · first vetting pass

govrn × Aperture

Two builds that started from the same conviction — an AI estate you can't see, you can't govern — and grew toward each other from opposite ends. govrn built the standard, the assessment, and the attestation path. Aperture built the live command center. This page maps the merge: what overlaps, what's unique to each side, and how the two halves make one product — with Grace Hill as the first proof-of-concept partner.

01 · The merge board

Where it merges, overlaps, and stays distinct.

govrn · assess · attest

The standard and the judgment layer — what an auditor, board, or regulator will accept.

  • Assessment instrument: productized three-lens baseline (technology · security · AI)
  • Standards crosswalks: NIST AI RMF · CSF 2.0 · ISO/IEC 42001 · EU AI Act · OWASP · ATLAS
  • Attestation path: audit-ready evidence; certification via accredited third parties — never self-certified
  • Product-AI review: the AI a company ships — model disclosure, oversight basis, regulated-domain review
  • Engagement method: repeatable across clients (readout, playbook, gap-check)
  • Cost & efficiency lens: assessment-grade (modeled baseline, right-sizing, recoverable spend)

Together · the shared spine

Both sides built these independently — convergence is the proof the thesis is right.

  • AI inventory / estate visibility: (govrn: AI-BOM & baseline · Aperture: live discovery) — one inventory, two refresh rates
  • Spend & ROI: one lens, two modes — modeled at assessment, live once the gateway connects
  • Policy-as-code: which models touch which data, autonomy limits, PII — same rules, written once
  • Shadow-AI discovery & governed onboarding: find it, then sanction / govern / replace / block
  • Audit trail: tamper-evident record of AI actions — the raw material of attestation
  • Framework alignment: both map to NIST AI RMF and the EU AI Act by design
  • Privacy & honesty principles: metadata not content · enablement not surveillance · nothing claimed live until connected

Aperture · see · operate

The command center — the living system the governed estate actually runs on.

  • Mission Control: live map of every agent, session, and workflow; real-time cost ticker
  • Agent registry & autonomy: every agent, its owner, its autonomy level; approval workbench; gated kill switch
  • Connector & MCP inventory: what every connector touches, who owns it, whether it's healthy
  • Engineering productivity: cycle time, churn, AI code share — adoption with proof, not vanity output
  • Intelligence layer: Ask & Act command bar · anomaly detection · auto board-readouts · eval & quality
  • Capability catalog: an app store of sanctioned agents, prompts, and workflows — adoption done safely

02 · One engagement arc

The merge in motion: assess → design → implement → operate.

Laid on the engagement arc both sides already use, the merge is almost embarrassingly clean: govrn is the front half, Aperture is the back half, and the build phase is where the two teams work as one.

Phase 1 · Assess (govrn leads)
The baseline: three-lens posture, AI-BOM, product-AI review, cost read, gap report against the standards.

Phase 2 · Design (govrn leads · joint)
Operating model, decision rights, policy set, autonomy tiers — and the evidence interface spec.

Phase 3 · Implement (co-build)
The command center stands up: gateway + spend, policy-as-code, audit layer, control plane — built on the vetted toolchain.

Phase 4 · Operate (Aperture runs)
Aperture runs the estate: Mission Control, anomalies, readouts, evals — continuously emitting evidence.

The evidence interface: Operate ──emits evidence──▶ re-Assess · the run-state feeds the next baseline, and the loop closes.

Drawn as a starting point — the shape we would propose, not the shape we have decided. Section 06 is where it gets decided together.

Why the interface matters — a principle, not a preference: independent assessment can't rest solely on the governed system's own reporting — that's basic separation of duties, the same reason auditors don't grade their own books. So the merge keeps two distinct roles by design: Aperture produces the evidence; the govrn assessment consumes and judges it. That separation is precisely what makes the combined product credible to a board, an auditor, or a regulator — neither half can offer that alone.

03 · Resolving the overlaps

Built twice, merged once.

The shared-spine items aren't duplication to eliminate — each was built from a different vantage point, and the merged version is better than either original:

Cost lens
  • govrn brought: an assessment-grade model (spend baseline, right-sizing, recoverable estimate)
  • Aperture brought: live telemetry (gateway-level spend, budgets, alerts, forecasting)
  • Merged: one lens, two modes — modeled at baseline, live once connected; the model becomes the forecast check

Governance & policy
  • govrn brought: the vetted toolchain (policy-as-code, machine-readable compliance evidence, LLM audit logging, telemetry standards), selected and framework-mapped
  • Aperture brought: the operational design (governed-onboarding funnel, data-sensitivity classification, vendor/DPA gating)
  • Merged: the kit meets the funnel — our tool selections become the build's components; nothing researched twice

Inventory
  • govrn brought: AI-BOM at assessment depth, incl. the AI the company ships
  • Aperture brought: continuous discovery of internal tools, agents, connectors
  • Merged: one registry, two refresh rates — point-in-time depth + always-on breadth

Framework mapping
  • govrn brought: working crosswalks across six standards
  • Aperture brought: NIST AI RMF / EU AI Act policy mapping in the rules engine
  • Merged: one crosswalk library feeding both the assessment and the policy engine

Reporting
  • govrn brought: the readout (posture, gaps, remediation path, attestation status)
  • Aperture brought: auto-generated weekly board readouts
  • Merged: operational cadence + independent verdict — weekly from the platform, attested at re-baseline

04 · The first proof

Grace Hill: proof of concept → product.

Grace Hill is the right first partner for the merged system, for reasons that are already on the table: generative AI embedded in compliance-sensitive workflows, a regulated domain with a real external forcing function, AI-forward leadership, and a relationship where both halves of this merge are already trusted. Everything below is subject to scoping with Grace Hill — nothing on this page commits them to anything.

What the PoC proves.
  • The arc works end-to-end — baseline → design → command-center build → operate, one client, one story.
  • The evidence interface is real — the run-state feeding a re-baseline with live data instead of public signals.
  • Both risk surfaces covered — the AI the company uses (the command center's home turf) and the AI it ships (the assessment's) — the complete answer neither half gives alone.
  • The universal model holds — new tools and departments plug in without rebuilding, the test of productizability.

What makes it a product after.
  • Repeatability — the method is already multi-client by design; the PoC hardens the command center for tenant two.
  • The full-spectrum claim — see it, measure it, govern it, prove it: no single competitor covers assessment + attestation + live operations.
  • Reference evidence — a real regulated-domain deployment, instrumented from day one.
  • Two doors into every account — the command center speaks to the CTO; the assessment speaks to risk, compliance, and the board. One product, both buyers.

05 · What each side gains

The merge is additive in both directions.

Aperture gains from govrn:
  • The standards spine — six crosswalked frameworks its policy engine can enforce against from day one
  • The vetted build kit — policy-as-code, compliance-evidence, and audit tooling already researched, compared, and selected
  • The attestation path — its evidence becomes provable governance, the thing boards and auditors actually buy
  • A multi-client method and delivery muscle — the road from internal platform to product

govrn gains from Aperture:
  • The connected run-state — the monitoring our dashboard honestly marks "not connected" becomes real
  • Live telemetry under the cost lens — modeled baselines upgraded to gateway-level truth
  • The control plane — agent autonomy, approval gates, kill switch: governance that can act, not just attest
  • A builder inside the first account — the fastest possible proof of concept

06 · To vet together — before anything is implemented

The open questions.

  • The evidence interface spec. What exactly does the assessment consume from the run-state — formats, the compliance-evidence mapping, audit-log requirements, refresh cadence? This is the load-bearing joint; spec it first.
  • One data model. Aperture's universal model and govrn's AI-BOM/posture model need to become one schema — the inventory both refresh rates write into.
  • Product-AI placement. The AI a client ships (models, disclosures, regulated-domain review) — does the command center grow a product-AI surface, or does it stay assessment-side with Aperture feeding it telemetry?
  • Naming & architecture. Is Aperture the command-center module of the combined platform, a companion product, or the run-state tier of one brand? (No right answer yet — just an explicit one.)
  • The Grace Hill PoC scope. Which phases, what's in the first ninety days, what does "proven" mean — and what the engagement looks like commercially.
  • Partnership structure. Contribution, ownership, and roles formalized in writing while everything is friendly and small — the cheapest moment to do it.

Status: nothing is implemented. This page is the vetting surface — the shared map for the conversation. When the questions above have answers, the merge map becomes the build plan.