ikwe.ai Product Gap Opportunities
Confidential Regulatory ↗ ← HQ
Overview
Priority Matrix
High Priority
EU Notified Body
OCC / Financial Services
Multi-State Bundle
Build Now
Crypto Audit Trail
Procurement Cert
Monitoring Layer
Long-Term
CT/VA IVO Status
Product Expansion
7 Product Gap
Opportunities
Full research · Requirements · Obstacles · Action Items · May 2026 · CONFIDENTIAL
Prioritization principle: The fastest path to revenue is completing what's almost done. Gaps 4, 6, and 7 require no new product infrastructure — they are packaging and process additions to existing EQSB methodology. Do those first. Then invest in Gap 2 (IVO) relationship-building in parallel as a long-game move. Gaps 1 and 5 are high-value but require significant investment.
#GapTime to RevenueInvestmentStrategic Weight
7 Procurement Certification
Vendor questionnaire response kit + attestation letter
2–4 months Low High — near-term revenue, builds credibility with enterprise buyers
6 Multi-State Compliance Bundle
Iowa + TX + IL + NYC + CO + CT in one product
2–4 months Low High — premium pricing, faster close, leverages existing product
4 Cryptographic Audit Trail
RFC 3161 timestamps + SHA-256 chain of custody
1–3 months Low Medium-High — feature add-on, enables litigation and insurance markets
3 Continuous Monitoring Infrastructure
Behavioral drift detection — recurring revenue engine
4–8 months Medium High — Gate 2 build, recurring revenue, regulatory mandated
2 CT / Virginia IVO Status
First-mover in US IVO certification market
12–18 months Medium Very High — only 5 CT IVO slots; start now or lose the window
5 OCC / Financial Services MRM
Bank model risk management — $200M+ market
6–12 months Medium High — largest B2B market; gen AI guidance coming 2027
1 EU Notified Body Accreditation
Mandatory conformity assessment for Annex III biometrics/infra
3–5 years Very High ($1M–$3M) Long-term moat; pursue via partnership now, direct designation later
Immediate action stack — do these now
30 DAYS Download SIG 2025 AI module + build vendor questionnaire response kit (Gap 7)
30 DAYS Implement RFC 3161 timestamping on all EQSB runs (Gap 4) — ~$500 cost
30 DAYS Build 6-law compliance matrix mapping EQSB dimensions to state law requirements (Gap 6)
30 DAYS Contact CT DCP + Senator Maroney re: IVO pilot rulemaking timeline (Gap 2) — relationship-building starts now
30 DAYS Read OCC Bulletin 2026-13 + map EQSB to MRM revised guidance (Gap 5)
30 DAYS Engage EU regulatory attorney to map Article 39 third-country pathway (Gap 1) — assess partnership vs. direct designation
Gap 1 · EU Notified Body Accreditation
EU Notified Body
Accreditation
Mandatory conformity assessment for Annex III biometrics & critical infrastructure
Bottom line: Direct EU Notified Body designation is a 3–5 year, $1M–$3M path — prohibitive for a pre-revenue startup pursuing this alone. The near-term play is a technical subcontractor partnership with an established notified body (TÜV SÜD, SGS, Bureau Veritas) that needs behavioral AI evaluation methodology. Start those conversations now while the EU AI Act designation ecosystem is still being built.
3–5 yrs
Full Designation
$1M–3M
Total Investment
5
EU entity required
~14
EU states lacking
competent authority
Key Requirements (EU AI Act Article 31)
Must be established as a legal entity in an EU Member State (or third country with Article 39 bilateral agreement — none exists with US yet). National accreditation (ISO 17065 or 17020) from the member state's notifying authority. Permanent staff with technical competence in AI/ML, relevant domain, and EU legal framework. Documented impartiality procedures. Professional indemnity insurance. Application via notifying authority → Commission → NANDO database listing.
Obstacles
ObstacleDifficultyNotes
Must be established in EU (no US-EU MRA for AI Act)Very HardRequires opening legal entity in EU member state; Ireland or Germany recommended
ISO 17065/17020 national accreditationHard12–24 months; documented QMS + witness audits by national accreditation body
Permanent EU-based technical staff (2–3 FTEs)Moderate-Hard$300K–600K/yr; must have AI/ML + domain expertise + EU law fluency
No harmonized standards published yetStructuralAssessment methodology can't be fully standardized until EU harmonized standards are out (late 2026+)
TÜV SÜD / SGS / BSI incumbencyModerateThese bodies are expanding into AI — but they lack behavioral methodology; ikwe.ai fills that gap
Action Items — 30/60/90 Days
    Named Contacts & Resources
    🏛️
    EU AI Office
    ai-office@ec.europa.eu · manages NANDO database + designation coordination
    🔗
    AI Act Service Desk
    ai-act-service-desk.ec.europa.eu · official resource for Article 29–31 procedures
    🇩🇪
    DAkkS (Germany)
    dakks.de · Germany's notifying authority; most active early mover for AI designation
    ⚖️
    WilmerHale EU AI Act Practice
    wilmerhale.com · published detailed EU AI Act standardization compliance guide
    🔍
    NANDO Database
    webgate.ec.europa.eu/single-market-compliance-space · track designated bodies as they appear
    🤝
    Fathom / Andrew Freedman CEO
    ivo.fathom.org · active in EU/US IVO alignment; potential partner for technical subcontractor model
    Gap 2 · Connecticut / Virginia IVO Status
    CT / VA Independent
    Verification Organization
    First-mover in the US IVO certification market — only 5 CT slots available
    Critical window: Connecticut HB 5222 caps the pilot at 5 IVO slots total. Fathom is the obvious first applicant — they testified before the legislature and shaped the law. ikwe.ai must start relationship-building with CT DCP and Senator Maroney now, before the MOU framework is published, to be in the conversation when applications open (expected Q1–Q2 2027).
    5
    CT IVO Slots Total
    Jul 1, 2027
    CT Pilot Launch
    Nov 1, 2026
    VA JCOTS Report
    $15K–40K
    Application Cost
    CT Status — HB 5222 (Passed May 2026)
    Connecticut DCP administers a multi-year IVO pilot. Up to 5 IVOs approved — hard cap. Pilot begins July 1, 2027. IVOs execute an MOU with DCP defining scope, methodology, reporting, and governance. Companies receiving IVO verification gain evidentiary support in civil litigation. UConn's Institute for Municipal and Regional Policy evaluates the pilot. MOU framework not yet published — rule-making period is open now. DCP has discretion to set technical requirements.
    VA Status — HB797 (Signed April 13, 2026)
    Study bill only. Directs JCOTS (Joint Commission on Technology and Science) to evaluate IVO feasibility. Report due to legislature November 1, 2026. Passed 84–14 House, 40–0 Senate — strong bipartisan signal. No operational IVO program until 2027 legislative session at earliest; operational program 2028 at earliest. File stakeholder input to JCOTS before November report.
    Obstacles
    ObstacleDifficultyNotes
    Only 5 CT IVO slots — competitiveHighFathom is the dominant incumbent; has existing CT relationships; will almost certainly apply
    No MOU framework published yetModerateCreates opportunity to shape criteria + uncertainty about requirements
    VA program is just a studyTimingNo VA IVO until 2028 at earliest — but the study shapes the national IVO standard
    Pre-revenue status reduces credibility for state applicationModerateFirst revenue by July 2026 + published research strengthens the application considerably
    Action Items — 30/60/90 Days
      Named Contacts & Resources
      🏛️
      CT Department of Consumer Protection
      portal.ct.gov/dcp · administering agency for IVO pilot
      👤
      Senator James Maroney (CT)
      Chair, General Law Committee · architect of the IVO provision in HB 5222
      🎓
      UConn Institute for Municipal & Regional Policy
      Designated evaluator for the CT IVO pilot — understand their evaluation criteria
      🏛️
      JCOTS (Virginia)
      studies.virginiageneralassembly.gov/studies/551 · submit stakeholder input before Nov 2026 report
      🤝
      Fathom (Andrew Freedman, CEO)
      ivo.fathom.org · incumbent; testified before CT legislature; potential partner not just competitor
      Gap 3 · Continuous Monitoring Infrastructure
      Behavioral Monitoring
      as Compliance Infrastructure
      Gate 2 build · Recurring revenue engine · EU Annex III + NAIC + OCC mandated
      Differentiation: Every monitoring tool on the market tracks statistical drift (input distribution changes). None track behavioral drift — whether the AI's actual outputs on safety-relevant scenarios have changed since last evaluation. This is what regulators actually care about and what ikwe.ai uniquely provides. The gap is real and the market is building to fill it.
      $1.5K–8K
      Compliance MRR/client
      3
      Regulatory mandates
      Gate 2
      Already in roadmap
      Regulatory Standards This Satisfies
      StandardRequirementikwe.ai Product Feature
      EU AI Act Annex III / Art. 9Post-market monitoring system — continuous data collection on behavioral performanceAutomated EQSB scenario re-runs + timestamped behavioral drift reports
      NAIC AI Model Bulletin (25 states)Ongoing behavioral consistency evidence; quarterly monitoring results for examinersQuarterly behavioral drift report module for insurance clients
      OCC Revised MRM (Apr 2026)Periodic revalidation for ML models; ongoing monitoring documentationModel validation attestation letter tied to monitoring subscription
      Colorado SB24-205Annual deployer review of high-risk AIPackaged annual review report
      Technical Architecture (What to Build)
      Re-run a representative subset of EQSB scenarios on a scheduled cadence (monthly/quarterly). Compare outputs against the original baseline evaluation using similarity scoring. Detect behavioral regressions in any of the 8 EQSB dimensions. Generate automated drift reports with timestamps and cryptographic attestation (links to Gap 4). Alert thresholds trigger mandatory re-assessment. This is proprietary — statistical monitoring tools (Evidently AI, Arize, NannyML) do not do this.
      Action Items — 30/60/90 Days
        Named Contacts & Resources
        🔧
        AnchorDrift
        anchordrift.ai · most compliance-focused drift monitoring analysis; potential partner
        🔧
        Evidently AI
        evidentlyai.com · best open-source foundation for monitoring layer; free up to 10K rows/mo
        🏛️
        NAIC Big Data and AI Working Group
        content.naic.org · publishes model bulletins + evaluation tool documentation; 12-state pilot running now
        Gap 4 · Cryptographic Audit Trail
        Litigation-Grade
        Evidence Chain
        RFC 3161 timestamps + SHA-256 chain of custody · $500 implementation cost
        Quick win: This is primarily a technical infrastructure addition — not a new product. RFC 3161 timestamping costs ~$500 to implement. It upgrades every existing EQSB product into litigation-admissible evidence and opens insurance underwriting, law firm, and procurement markets simultaneously. Do this first.
        ~$500
        Implementation Cost
        1–3 mo
        Time to Revenue
        $500–1K
        Add-on Price/Report
        Technical Requirements
        SHA-256 hashing of every scenario input, model response, and evaluation output at moment of capture. RFC 3161 trusted timestamp from accredited timestamp authority (DigiCert or Sectigo — both commercially available). Digital signature using certificate from recognized CA. Append-only immutable log with cryptographic integrity verification. Chain-of-custody document template for each report (who ran evaluation, on what system, what time, what model version). Assessment staff must not have administrative access to modify logs after generation.
        Applicable Standards
        NIST SP 800-92 (log management + integrity), NIST SP 800-86 (forensic chain of custody), ISO/IEC 27001 Annex A 5.28 (evidence collection), ISO/IEC 27037 (digital evidence), RFC 3161 (trusted timestamping — legally recognized in EU under eIDAS Article 41, increasingly cited in US courts).
        Action Items — 30/60/90 Days
          Named Contacts & Resources
          🔐
          DigiCert Timestamp Authority
          digicert.com · RFC 3161 timestamp services; commercially available
          🔐
          Sectigo
          sectigo.com · alternative CA; RFC 3161 + code signing certificates
          🏛️
          AXA XL AI Liability Underwriting
          axaxl.com · underwriting AI liability risk; want documented pre-deployment testing evidence
          🏛️
          Munich Re AI Risk Practice
          munichre.com · major AI liability reinsurer; want chain-of-custody governance documentation
          📄
          arXiv: Cryptographic Evidence for AI (2511.17118)
          arxiv.org/pdf/2511.17118 · academic foundation for cryptographic AI evidence structures
          Gap 5 · Financial Services / OCC Model Risk
          OCC Model Risk
          Management Expansion
          $200M+ market · Revised OCC guidance April 2026 · Gen AI RFI coming 2027
          Strategic timing: The April 2026 revised interagency guidance explicitly excludes generative AI — pending a separate RFI expected in 2026/2027. This creates a window: banks are already deploying gen AI but have no regulatory framework for validating it. ikwe.ai can sell behavioral gen AI validation now as a preparedness product, and be positioned as the methodology when the formal guidance arrives.
          $200M+
          Market Size (US)
          6–12 mo
          Time to Revenue
          $8K–40K
          Per Engagement
          $30B+
          Asset threshold
          for revised guidance
          What OCC Revised Guidance (April 17, 2026) Requires
          OCC Bulletin 2026-13 (joint with Fed + FDIC, supersedes SR 11-7) applies to banks with $30B+ in assets (and smaller banks with significant model risk). Preserves: model inventory, conceptual soundness validation, ongoing monitoring, third-party model validation, performance benchmarking. What changed: more principles-based, uniform $30B threshold, generative AI and agentic AI explicitly carved out pending forthcoming RFI, increased board-level governance emphasis. Third-party models (AI vendors used by banks) must be incorporated into the bank's MRM framework regardless of source code access.
          Entry Point: Gen AI Validation Gap
          Gen AI is excluded from April 2026 guidance but banks are already deploying it. The OCC gen AI RFI (expected 2026) will likely lead to guidance requiring behavioral validation — ikwe.ai's EQSB methodology is more appropriate for gen AI validation than statistical SR 11-7 methods. Entry strategy: sell gen AI behavioral validation as a preparedness product at community and regional banks ($5B–$30B assets) that are underserved by Big Four validation firms.
          Obstacles
          ObstacleDifficultyNotes
          OCC examiner relationships take years to buildHardExaminers are the arbiter; they don't know ikwe.ai — needs time + OCC comment participation
          SR 11-7 validation focuses on statistical methodsModerateMust educate bank model risk officers on behavioral scenario methodology vs. statistical metrics
          Big Four incumbency at large banksModerateEntry point is community/regional banks + gen AI (where Big Four has less presence)
          Action Items — 30/60/90 Days
            Named Contacts & Resources
            🏛️
            OCC Bulletin 2026-13
            occ.treas.gov/news-issuances/bulletins/2026/bulletin-2026-13.html · revised MRM guidance
            📊
            ACA Group
            acaglobal.com · published definitive survey on AI validation gaps in financial services; potential partner
            🔧
            ModelOp
            modelop.com · SR 11-7 focused AI governance platform; integration or referral partner
            🔧
            Lumenova AI
            lumenova.ai · published SR 11-7 + NAIC guidance; competitive intelligence + potential partner
            👥
            GARP / PRMIA
            garp.com / prmia.org · model risk professional communities; target for awareness and referrals
            ⚖️
            Orrick AI Practice
            orrick.com · published April 2026 revised guidance analysis; engagement target for referrals
            Gap 6 · Multi-State Compliance Package
            Multi-State AI Compliance
            Bundle
            Iowa + TX + IL + NYC LL144 + CO + CT · One assessment · $12,500 price point
            Quick win: This is a packaging play, not a new product. The compliance matrix (mapping EQSB dimensions to each law's requirements) is the critical artifact. Once built, it unlocks a product that prices at $12,500 — higher than any individual state scan — while being more efficient to deliver than 6 separate engagements.
            $12,500
            Bundle Price
            2–4 mo
            Time to Revenue
            6
            Laws Covered
            vs. $18K+
            À la carte cost
            6 Laws in the Bundle
            LawStatusCore Compliance Requirement
            Iowa SF2417Jul 1, 2026Conversational AI: disclosure, anti-manipulation, self-harm protocols
            Texas TRAIGA HB149Active Jan 2026NIST RMF alignment → safe harbor from liability
            Illinois HB3773Active Jan 2026Employment AI: non-discrimination notice
            NYC Local Law 144Active Jul 2023Annual independent bias audit: adverse impact ratio calculation
            Colorado SB24-205Late 2026 enforcementAnnual impact assessment + anti-discrimination documentation
            Connecticut SB5Oct 1, 2026Employment AI disclosure + IVO prep
            The Critical Addition: NYC LL144 Adverse Impact Calculation
            NYC LL144 requires a specific adverse impact ratio calculation using the four-fifths (80%) rule — a quantitative measurement showing selection rates by gender and race/ethnicity. This is not currently in EQSB's scenario-based methodology. Building this module unlocks both NYC LL144 standalone engagements AND the multi-state bundle. This is the single most important product buildout for the bundle.
            Action Items — 30/60/90 Days
              Named Contacts & Resources
              🏛️
              NYC DCWP
              nyc.gov/site/dca/about/automated-employment-decision-tools.page · published LL144 implementation guidance + adverse impact methodology
              🔧
              VerifyWise
              verifywise.ai · compliance SaaS for multi-state AI laws; competitive intelligence + potential channel partner
              📄
              Transparency Coalition
              transparencycoalition.ai · comprehensive bill guides for SB5, TRAIGA, LL144; best source for staying current
              📊
              IAPP
              iapp.org · published TRAIGA compliance sample framework
              Gap 7 · Employer AI Certification for Procurement
              Procurement-Ready
              AI Certification
              Vendor questionnaire response kit + ISO 42001 alignment + attestation letter
              Market pull: Enterprise procurement teams are now routinely asking AI vendors about governance, safety, and compliance — and existing questionnaire frameworks (SOC 2, ISO 27001, SIG Lite) were not designed for AI-specific risks. An ikwe.ai EQSB Procurement Package gives AI vendors a standardized, credible answer to procurement questionnaires and closes deals faster.
              $7.5K–10K
              Package Price
              2–4 mo
              Time to Revenue
              $4–5K/yr
              Annual Refresh
              Top AI Questions Now in Enterprise Procurement Questionnaires
              Bias testing — can you provide third-party evidence?
              What is your model drift monitoring cadence?
              NIST AI RMF or ISO 42001 alignment?
              Third-party audit report of AI safety/fairness?
              Human oversight protocol for high-stakes decisions?
              Model registry with version tracking + provenance?
              Rollback capability if model update introduces harm?
              AI incident response process documentation?
              Product Structure — EQSB Procurement Package
              Core: Full Behavior Report ($5,000) — existing product
              + ISO 42001 alignment attestation letter (maps EQSB to ISO 42001 clauses 4–10)
              + NIST AI RMF alignment mapping document (MEASURE function)
              + Vendor Questionnaire Response Kit — pre-written answers to top 25 AI governance questions from SIG Lite
              + Annual refresh option ($4,000–$5,000/yr) to maintain current status
              Action Items — 30/60/90 Days
                Named Contacts & Resources
                📋
                Shared Assessments / SIG 2025
                sharedassessments.org · administers SIG questionnaire (most-used in financial services); contact re: AI module
                📋
                ANAB (ISO 42001 Accreditation)
                anab.ansi.org/accreditation/iso-iec-42001 · accreditation body for ISO 42001 certification bodies
                🔐
                A-LIGN
                a-lign.com · published ISO 42001 guide; potential certification body partnership for combined package
                🔐
                Schellman
                schellman.com · published ISO 42001 requirements explainer; potential certification body partnership
                🔐
                DNV
                dnv.us/services/iso-42001 · active ISO 42001 certification body; potential channel partner
                📄
                NIST AI RMF / ISO 42001 Crosswalk
                airc.nist.gov/docs/NIST_AI_RMF_to_ISO_IEC_42001_Crosswalk.pdf · official crosswalk document