178 controls across ISO 27001, ISO 27701, and ISO 42001 — modelled as complex adaptive systems, stress-tested under deep uncertainty, powered by agent-based simulation and local LLM integration. One platform, three management systems, 15 standards.
Traditional GRC treats controls as independent items to be individually assessed and audited. Risk assessment uses likelihood x impact matrices that produce inconsistent rankings and miss compound failures. The same methodology is applied identically to information security, privacy, and AI governance — despite fundamentally different uncertainty structures.
We apply Decision Making Under Deep Uncertainty (DMDU) — the same methods used by RAND, Deltares, and the World Bank for climate adaptation and infrastructure planning — to security, privacy, and AI governance.
93 Annex A controls modelled as a coupled system. Four coupling types reveal how training failure cascades into malware susceptibility and how budget pressure creates correlated control degradation.
47 privacy controls with 9 privacy-specific coupling types. Consent chains, rights cascades, cross-border transfer risk. The controller/processor split creates accountability gaps that traditional auditing misses.
38 AI controls with coupling types unique to AI: data dependency, lifecycle sequencing, risk amplification, governance tension. The system under management is itself adaptive — governance must be too.
62 cross-references bridge the three systems. Investing in bridge controls simultaneously strengthens all three management systems.
Map directed interactions between controls. Information flows, failure propagation, consent chains, data dependencies. The coupling structure reveals which controls fail together.
Label propagation identifies tightly coupled control subsystems. Each community is scored for ABM candidacy based on coupling density and cross-category diversity.
10-phase NetLogo engine, 18 parameters, no hardcoded rates. Five feedback loops produce cascading failure, workaround contagion, normalisation of deviance, and recovery.
Pre-configured BehaviorSpace experiments generate parameter sweep data. The DMDU pipeline feeds into PRIM and CART analysis to isolate the specific combinations — budget-pressure x turnover x threat-novelty — that drive system failure.
Coupling discovery for ISMS, PIMS, AIMS. Connectivity analysis. Cluster identification. NetLogo export. ABM simulation. Standards mapping for 15 standards.
3 ISMS (training, perimeter, data-regulated), 3 PIMS (consent, rights, high-sensitivity), 3 AIMS (oversight, data quality, transparency). BehaviorSpace experiments pre-configured.
Scope selector (ISMS/PIMS/AIMS). Structured consultant notes: diagnosis, document review, session log, running findings with severity classification. JSON/CSV import/export.
Connects to Ollama (qwen3:4b recommended). Document ingestion: upload client docs → extract profile. Report generation: analysis results → tailored narrative. All local — no data leaves your machine.

| System | Core | Controls | Coupling types | Extended standards |
|---|---|---|---|---|
| ISMS | 27001 | 93 | 4 | 27005, 27007, 27035, 27799 |
| PIMS | 27701 | 47 | 9 | 27557, 29100, 29134, 31700 |
| AIMS | 42001 | 38 | 6 | 38507, 23894, EU AI Act, NIST AI RMF |

| Report | System | Audience |
|---|---|---|
| Service Overview | ISMS | Prospects |
| Technical Documentation | ISMS | Engaged clients |
| User Guide | ISMS | Engaged clients |
| Privacy Service Overview | PIMS | Prospects |
| Privacy Technical Guide | PIMS | Engaged clients |
| AI Governance Service Overview | AIMS | Prospects |
| AI Governance Technical Guide | AIMS | Engaged clients |
| SSRN Working Paper | All | Academic / thought leadership |

Plus LLM-generated custom reports: findings & recommendations, executive summaries, technical analysis, implementation roadmaps, risk assessment narratives — all tailored to the specific client profile and analysis results.
Pick a management system to explore its coupling structure, or load a client profile to begin an engagement.