Ship AI that is secure, compliant, and defensible.

TaoQ AI is an independent AI practice spanning the full value chain, with sharper focus on security, governance, and evaluation. We work with European tech companies building AI systems that need to hold up — to a regulator, an auditor, a customer, or an attacker — across the frameworks that matter (EU AI Act, ISO/IEC 42001, NIST AI RMF), alongside your team from design through remediation, not from a slide deck handed over at the end.

Three questions you cannot confidently answer

01

Is this system exposed to agent-specific attacks we have not tested for?

Prompt injection, tool misuse, data poisoning, exfiltration, boundary violations. Secure-by-design threat modelling or live red-teaming with Ziran, depending on where the system is.

02

Are we meeting the EU AI Act obligations that apply to us?

Classification under Article 6, conformity pathway mapped to specific articles, technical file scaffolding written in parallel with the code.

03

Can we prove it to an investor, customer, or regulator who asks?

You leave with evidence you can show anyone, not a deck.

Entry points across the AI system lifecycle.

Most AI security and compliance risks are decided upstream of production, not discovered at launch. We engage at three points in the lifecycle, and we stay with the team through remediation of the findings, not just diagnosis. Fixed fees where scope allows. Nothing is bundled, nothing auto-renews.

SECURE-BY-DESIGN

AI Threat Model & Security Architecture Review

For teams with committed architecture, still writing code. Threat model on the system being built, data pipeline security, RAG and retrieval hardening, agent tool-chain design review, and Annex IV scaffolding written alongside the code. We stay through remediation of the findings rather than handing over a report.

Fixed fee where scope allows. Quoted on discovery call.

PRE-LAUNCH

AI Risk Baseline

Fixed-fee assessment for systems about to ship or recently shipped. EU AI Act classification, agent red-teaming with Ziran, conformity gap analysis. A comprehensive, actionable executive document you can show a board, investor, or regulator.

Fixed fee. 2 to 3 weeks elapsed. Quoted on discovery call.

POST-LAUNCH

AI Security, Compliance & Governance Partner

Retained specialist access for ongoing hardening, AI Act evidence maintenance, architecture review as systems evolve, incident response, and governance roadmapping. Three tiers, quoted against the specific risks surfaced earlier.

Monthly retainer. 3-month minimum. Quoted on discovery call.

Engagements typically begin at one entry point and extend across the lifecycle. Security belongs at every stage, so any of these is a valid place to start. For programmes that span the full SDLC from the outset, a continuous partnership option is described on the Engagement page.

We close findings. We do not just name them.

A threat model handed over as a deliverable leaves the team with the same risk they started with. We sit with your engineers, close the specific vulnerabilities, write the Annex IV evidence alongside the code, and stay until the system can stand up to scrutiny. Our sharper focus is security, governance, and evaluation. We are not generalist AI delivery consultants, and we will tell you honestly when a need falls outside that.

Four disciplines, one practice.

Most specialists work in one or two of these. TaoQ AI works across all four.

AI GOVERNANCE FLUENCY

Regulation and standards, read as engineering

EU AI Act classification under Article 6, conformity pathways and Annex IV technical files. ISO/IEC 42001-aligned AI management systems for the parts of governance that the regulation does not specify. NIST AI RMF where US frameworks apply. Not compliance theatre: the specific articles and clauses that map to the specific controls in your system.

AGENT RED-TEAMING

Adversarial evaluation of AI systems

Tool chain analysis, multi-phase trust exploitation, multi-agent coordination testing. Delivered using Ziran, the open-source framework maintained by the practice, alongside Garak and Promptfoo for LLM-level coverage.

PRODUCTION AI ARCHITECTURE

Systems that have shipped

The practice lead authored the AI Reference Architecture at PostNL's AI Centre of Excellence. Prior WatsonX architecture work at IBM across the NCEE market. Familiar with what breaks in production and why.

OPEN-SOURCE CREDIBILITY

Recognised in the ecosystem

Contributor to NVIDIA Garak and Hugging Face Transformers. Published on AI agent security and AI governance.

Leone Perdigão, Independent Principal AI Architect · MSc Artificial Intelligence (Distinction), University of Bath · ISO/IEC 42001 Senior Lead Implementer (PECB)