Case studies.
Client names remain confidential. The shape of the work, the workstreams run, and the outcomes delivered are shared here in full.
Most NEXUS.ai engagements sit inside regulatory and investor-facing territory. Naming clients would break the trust that lets us operate at that level. What follows is a faithful description of engagement shape, workstream count, outcomes, and operating context — with identifying detail deliberately removed.
Fractional CRCO for a HealthTech SaMD scale-up — six regulatory workstreams, one senior operator.
Context
A HealthTech scale-up operating a regulated SaMD product across multiple jurisdictions needed senior regulatory and risk leadership — fast. Enterprise health-system buyers were asking for certifications the company did not hold. Investors required a defensible compliance roadmap. Internal capacity was limited to a small engineering and product team.
Mandate
Embed a fractional Chief Risk & Compliance Officer to own the full regulatory agenda end-to-end. Restructure the compliance posture, design the control environment, stand up the operating rhythm with the board, and carry six parallel workstreams through to certification or submission-ready state.
Workstreams run in parallel
ISO 27001 — Information Security
ISMS scope definition, Statement of Applicability, risk register, policy stack, technical controls, evidence pipeline, internal audit, external auditor selection and coordination.
ISO 42001 — AI Management System
AIMS design for the AI components of the product, model risk classification, model lifecycle governance, evaluation and change controls, integration with the ISMS.
ISO 13485 — Medical Device QMS
Quality management system aligned to SaMD requirements, design controls, document control, CAPA, supplier controls, and integration with the engineering development process.
GDPR-by-design
Data minimisation embedded into product architecture, RoPA, DPIA programme for clinical data flows, DPA templates, cross-border transfer mechanisms, DSAR workflow.
Security Operations Centre
SOC establishment — detection, response, and recovery capability built from scratch. MSSP selection, runbook design, tabletop exercises, alignment with ISMS and incident response obligations across jurisdictions.
Third-Party Risk Management
Vendor tiering, due-diligence workflow, contractual safeguards (DPAs, SCCs, security addenda), continuous monitoring cadence, and board-level vendor risk reporting.
Operating model
One senior operator running six workstreams under a single ITCA™-based delivery plan. Board-level reporting monthly. Full integration with engineering, product, clinical, and legal functions. No junior layer, no subcontractors, no handoff risk.
Outcome position
Workstreams sequenced toward certification or submission-ready state on a common timeline. Enterprise procurement posture unlocked well in advance of the buying cycles it was built to support. Investor-facing compliance narrative hardened against diligence. Certification milestones are tracked to internal schedules and not disclosed externally.
Shapes we have run.
Brief descriptions of the other engagement shapes in recent rotation. Specific clients, timelines, and outcomes remain confidential.
ISO 27001 + SOC 2 Type II dual-track readiness
Growth-stage SaaS losing enterprise deals on security questionnaires. Unified control framework designed once, mapped to both standards, delivered through a Compliance Sprint. Audit preparation, auditor selection, questionnaire response library.
EU AI Act classification & ISO 42001 foundation
AI-first company with high-risk system exposure needing clear regulatory classification before enforcement windows closed. AI system inventory, risk tiering, governance structure, conformity documentation pack, procurement-ready evidence library.
Fractional CISO on a multi-quarter retainer
Embedded CISO presence for a scale-up carrying active regulatory obligations without a full-time hire. Board reporting, regulator liaison, vendor risk programme, incident response readiness. Hand-over-ready when the internal hire closes.
Your situation is probably not unique. Your timeline is.
30-minute scoping call. Written proposal within 5 business days.