A four-step walkthrough of how I turn a business need into governed, production-ready AI. Step 2 is a live, clickable prototype: Nexus AI, an AI-governance platform I built, reviewing a clinical supply-chain tool for risk against the EU AI Act and GDPR — with a model-deviation tracker for the AI it oversees.
Simulated environment — every response is canned. No live AI calls are made.
01
Start from the need, not the tech.
Most AI fails because someone picked the tool first. I start with a real audience and a real problem, then match it to the lightest approach that works. Toggle the constraints below — the recommendation updates live.
[Interactive widget: a set of constraint toggles with the recommended approach shown beside them. Before any constraint is selected, the panel reads: Select the constraints that match your situation.]
02
AI that governs AI — clickable.
Below: Nexus AI reviewing a clinical supply-chain tool against the EU AI Act & GDPR held in a retrieval corpus (RAG). Use the sidebar to move around — run the assessment, browse the corpus, and open the Model Deviation Tracker. Nothing calls a real model.
[Simulated dashboard at nexus.structuredai.app/review, labelled SIMULATED]
Governance Overview: System Operational · 2026-06-01
42 AI projects registered (+6)
7 in review (+3)
28 approved with conditions (+5)
13 open gaps
Current review: Horizon ClinOps, submitted 2026-05-30
clinical-trial supply intelligence · multi-agent · Gemini · Claude · Mistral
Idle state: assess this tool against the EU AI Act & GDPR. Once the assessment is run, the canned result reads:
LIMITED-RISK · APPROVE WITH CONDITIONS
Decision-support AI: it recommends, a human decides. Approved provided the two conditions below are met and post-deployment drift is monitored.
Findings — grounded in the regulatory corpus
Conditions to clear: ① Add a user-facing notice that outputs are AI-assisted (EU AI Act Art. 13). ② Enable post-market model-deviation monitoring (Art. 72) — see Model Deviation.
Regulatory corpus (RAG): authoritative text, not model memory
EU AI Act, Reg. (EU) 2024/1689 · indexed · cited
GDPR, Reg. (EU) 2016/679 · indexed · cited
DORA, Reg. (EU) 2022/2554 · indexed
[Question picker: pick a question to retrieve a grounded passage]
When regulators publish new guidance, an administrator uploads the document — every later assessment reasons against the new text, with no retraining.
Tool under review (live preview): Horizon ClinOps · GIS monitoring · model agreement 96.4% · drift within ±5%
[Map of trial sites; legend: Phase III site, Phase II site, Phase I site]
A simulated snapshot of the supply-chain tool under governance. Nexus doesn't run it — it reviews how it's built, what data it touches, and how its AI behaves over time.
Model Deviation Tracker: Horizon ClinOps · Art. 72
Status: Healthy — cross-agent agreement within ±5% tolerance · run #9 flagged & reviewed
[Chart: cross-agent agreement over the last 12 runs (%)]
Principle: lower cross-agent divergence on equivalent inputs indicates a healthier pipeline. A sudden jump means a model, prompt or data source shifted under you. Why it matters: this operationalises the EU AI Act's Art. 72 post-market monitoring duty — you catch silent drift before it reaches a patient-adjacent decision. Recommendation: re-baseline after the next prompt update.
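The tracker's principle worked through as an added example (not Nexus AI's own code): pairwise agreement per run, a baseline taken from the first healthy runs, and flagging of any run that deviates from that baseline by more than the 5-point tolerance. The agent names, the five sample answers and the 12-run history are constructed for the illustration.

```python
from itertools import combinations
from statistics import mean

# Added illustration; tolerance, agent names and run data are constructed, not Nexus AI's.
TOLERANCE_PP = 5.0  # allowed deviation from baseline, in percentage points


def run_agreement(outputs: dict[str, list[str]]) -> float:
    """Pairwise cross-agent agreement for one run, as a percentage.
    outputs maps agent name -> its answers to the same equivalent inputs."""
    agents = list(outputs)
    n = len(outputs[agents[0]])
    if any(len(v) != n for v in outputs.values()):
        raise ValueError("all agents must answer the same inputs")
    pairs = list(combinations(agents, 2))
    matches = sum(outputs[a][i] == outputs[b][i] for a, b in pairs for i in range(n))
    return 100.0 * matches / (len(pairs) * n)


def baseline(history: list[float], window: int) -> float:
    """Mean agreement of the first `window` runs after a (re)baseline."""
    return mean(history[:window])


def flag_drift(history: list[float], base: float, tol: float = TOLERANCE_PP) -> list[int]:
    """1-based runs deviating from baseline by more than tol: the sudden jump
    that says a model, prompt or data source shifted underneath the pipeline."""
    return [i + 1 for i, v in enumerate(history) if abs(v - base) > tol]


def status(history: list[float], base: float, reviewed: set[int]) -> str:
    """'Healthy' once every flagged run has been reviewed, else 'Attention'."""
    open_flags = [r for r in flag_drift(history, base) if r not in reviewed]
    return "Healthy" if not open_flags else f"Attention: runs {open_flags} unreviewed"


# Constructed sample: three agents answering the same five supply questions.
SAMPLE_RUN = {
    "gemini": ["reorder", "hold", "reorder", "expedite", "hold"],
    "claude": ["reorder", "hold", "reorder", "expedite", "hold"],
    "mistral": ["reorder", "hold", "hold", "expedite", "hold"],
}
# Constructed 12-run agreement history (%); run 9 dips past the tolerance.
HISTORY = [97.1, 96.8, 97.4, 96.2, 96.9, 97.0, 96.5, 96.7, 89.3, 96.1, 96.4, 96.6]

if __name__ == "__main__":
    base = baseline(HISTORY, window=6)  # re-run this after each prompt update
    print(f"sample run agreement: {run_agreement(SAMPLE_RUN):.1f}%")
    print(f"baseline {base:.1f}%, flagged runs: {flag_drift(HISTORY, base)}")
    print(status(HISTORY, base, reviewed={9}))
```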
Settings (governance controls): Audit trail · immutable
03
Iterate in sprints. Fail fast. Recover better.
A PoC is a conversation, not a contract. I put the prototype in front of real users every few days, let it break against reality, and recover to a stronger version. The cost of a wrong turn is a day — not a quarter.
04
Ship it — hardened, and on your terms.
A prototype earns production through review, not enthusiasm. Two routes, depending on how sensitive your data is.
Route A
Internal production
Promote the PoC inside your environment after a rigorous, documented review.
Security-architect review (threat model, data flows, secrets)
Human-in-the-loop sign-off on every consequential output
Model governance: tiering, evaluation harness, drift monitoring, audit trail
Tenant isolation & access control
Route B
Skill files for your own infrastructure
For the most sensitive data, I don't take it anywhere. I hand over methodical, multi-phase skill files your team loads onto your own infrastructure — so your data never leaves your walls or touches an external party.
Phased, documented build instructions (no black box)
Runs entirely inside your tenant / VPS
No sensitive data exposed to third parties
You own it, you can audit it, you can leave
European data sovereignty & exit
Built for sovereignty, not lock-in.
For regulated European organisations, where the data lives and the model runs matters as much as what they do. Model routing can be kept EU-sovereign, data residency stays in-region, and — critically — there's a real way out.
EU-sovereign routing: inference routed to European providers (e.g. Mistral) so prompts and data stay in-region.
Data residency: storage and processing pinned to the EU; no silent transfer to external parties.
Exit plans (EBA): documented exit strategy and portability aligned with EBA outsourcing guidelines & DORA — no concentration lock-in.