Product Expansion
7 Product Gap
Opportunities
Opportunities
Prioritization principle: The fastest path to revenue is completing what's almost done. Gaps 4, 6, and 7 require no new product infrastructure — they are packaging and process additions to existing EQSB methodology. Do those first. Then invest in Gap 2 (IVO) relationship-building in parallel as a long-game move. Gaps 1 and 5 are high-value but require significant investment.
| # | Gap | Time to Revenue | Investment | Strategic Weight |
|---|---|---|---|---|
| 7 | Procurement Certification Vendor questionnaire response kit + attestation letter |
2–4 months | Low | High — near-term revenue, builds credibility with enterprise buyers |
| 6 | Multi-State Compliance Bundle Iowa + TX + IL + NYC + CO + CT in one product |
2–4 months | Low | High — premium pricing, faster close, leverages existing product |
| 4 | Cryptographic Audit Trail RFC 3161 timestamps + SHA-256 chain of custody |
1–3 months | Low | Medium-High — feature add-on, enables litigation and insurance markets |
| 3 | Continuous Monitoring Infrastructure Behavioral drift detection — recurring revenue engine |
4–8 months | Medium | High — Gate 2 build, recurring revenue, regulatory mandated |
| 2 | CT / Virginia IVO Status First-mover in US IVO certification market |
12–18 months | Medium | Very High — only 5 CT IVO slots; start now or lose the window |
| 5 | OCC / Financial Services MRM Bank model risk management — $200M+ market |
6–12 months | Medium | High — largest B2B market; gen AI guidance coming 2027 |
| 1 | EU Notified Body Accreditation Mandatory conformity assessment for Annex III biometrics/infra |
3–5 years | Very High ($1M–$3M) | Long-term moat; pursue via partnership now, direct designation later |
Immediate action stack — do these now
30 DAYS
Download SIG 2025 AI module + build vendor questionnaire response kit (Gap 7)
30 DAYS
Implement RFC 3161 timestamping on all EQSB runs (Gap 4) — ~$500 cost
30 DAYS
Build 6-law compliance matrix mapping EQSB dimensions to state law requirements (Gap 6)
30 DAYS
Contact CT DCP + Senator Maroney re: IVO pilot rulemaking timeline (Gap 2) — relationship-building starts now
30 DAYS
Read OCC Bulletin 2026-13 + map EQSB to MRM revised guidance (Gap 5)
30 DAYS
Engage EU regulatory attorney to map Article 39 third-country pathway (Gap 1) — assess partnership vs. direct designation
Gap 1 · EU Notified Body Accreditation
EU Notified Body
Accreditation
Accreditation
Bottom line: Direct EU Notified Body designation is a 3–5 year, $1M–$3M path — prohibitive for a pre-revenue startup pursuing this alone. The near-term play is a technical subcontractor partnership with an established notified body (TÜV SÜD, SGS, Bureau Veritas) that needs behavioral AI evaluation methodology. Start those conversations now while the EU AI Act designation ecosystem is still being built.
Key Requirements (EU AI Act Article 31)
Must be established as a legal entity in an EU Member State (or third country with Article 39 bilateral agreement — none exists with US yet). National accreditation (ISO 17065 or 17020) from the member state's notifying authority. Permanent staff with technical competence in AI/ML, relevant domain, and EU legal framework. Documented impartiality procedures. Professional indemnity insurance. Application via notifying authority → Commission → NANDO database listing.
Obstacles
| Obstacle | Difficulty | Notes |
|---|---|---|
| Must be established in EU (no US-EU MRA for AI Act) | Very Hard | Requires opening legal entity in EU member state; Ireland or Germany recommended |
| ISO 17065/17020 national accreditation | Hard | 12–24 months; documented QMS + witness audits by national accreditation body |
| Permanent EU-based technical staff (2–3 FTEs) | Moderate-Hard | $300K–600K/yr; must have AI/ML + domain expertise + EU law fluency |
| No harmonized standards published yet | Structural | Assessment methodology can't be fully standardized until EU harmonized standards are out (late 2026+) |
| TÜV SÜD / SGS / BSI incumbency | Moderate | These bodies are expanding into AI — but they lack behavioral methodology; ikwe.ai fills that gap |
Action Items — 30/60/90 Days
Named Contacts & Resources
EU AI Office
ai-office@ec.europa.eu · manages NANDO database + designation coordination
AI Act Service Desk
ai-act-service-desk.ec.europa.eu · official resource for Article 29–31 procedures
DAkkS (Germany)
dakks.de · Germany's notifying authority; most active early mover for AI designation
WilmerHale EU AI Act Practice
wilmerhale.com · published detailed EU AI Act standardization compliance guide
NANDO Database
webgate.ec.europa.eu/single-market-compliance-space · track designated bodies as they appear
Fathom / Andrew Freedman CEO
ivo.fathom.org · active in EU/US IVO alignment; potential partner for technical subcontractor model
Gap 2 · Connecticut / Virginia IVO Status
CT / VA Independent
Verification Organization
Verification Organization
Critical window: Connecticut HB 5222 caps the pilot at 5 IVO slots total. Fathom is the obvious first applicant — they testified before the legislature and shaped the law. ikwe.ai must start relationship-building with CT DCP and Senator Maroney now, before the MOU framework is published, to be in the conversation when applications open (expected Q1–Q2 2027).
CT Status — HB 5222 (Passed May 2026)
Connecticut DCP administers a multi-year IVO pilot. Up to 5 IVOs approved — hard cap. Pilot begins July 1, 2027. IVOs execute an MOU with DCP defining scope, methodology, reporting, and governance. Companies receiving IVO verification gain evidentiary support in civil litigation. UConn's Institute for Municipal and Regional Policy evaluates the pilot. MOU framework not yet published — rule-making period is open now. DCP has discretion to set technical requirements.
VA Status — HB797 (Signed April 13, 2026)
Study bill only. Directs JCOTS (Joint Commission on Technology and Science) to evaluate IVO feasibility. Report due to legislature November 1, 2026. Passed 84–14 House, 40–0 Senate — strong bipartisan signal. No operational IVO program until 2027 legislative session at earliest; operational program 2028 at earliest. File stakeholder input to JCOTS before November report.
Obstacles
| Obstacle | Difficulty | Notes |
|---|---|---|
| Only 5 CT IVO slots — competitive | High | Fathom is the dominant incumbent; has existing CT relationships; will almost certainly apply |
| No MOU framework published yet | Moderate | Creates opportunity to shape criteria + uncertainty about requirements |
| VA program is just a study | Timing | No VA IVO until 2028 at earliest — but the study shapes the national IVO standard |
| Pre-revenue status reduces credibility for state application | Moderate | First revenue by July 2026 + published research strengthens the application considerably |
Action Items — 30/60/90 Days
Named Contacts & Resources
CT Department of Consumer Protection
portal.ct.gov/dcp · administering agency for IVO pilot
Senator James Maroney (CT)
Chair, General Law Committee · architect of the IVO provision in HB 5222
UConn Institute for Municipal & Regional Policy
Designated evaluator for the CT IVO pilot — understand their evaluation criteria
JCOTS (Virginia)
studies.virginiageneralassembly.gov/studies/551 · submit stakeholder input before Nov 2026 report
Fathom (Andrew Freedman, CEO)
ivo.fathom.org · incumbent; testified before CT legislature; potential partner not just competitor
Gap 3 · Continuous Monitoring Infrastructure
Behavioral Monitoring
as Compliance Infrastructure
as Compliance Infrastructure
Differentiation: Every monitoring tool on the market tracks statistical drift (input distribution changes). None track behavioral drift — whether the AI's actual outputs on safety-relevant scenarios have changed since last evaluation. This is what regulators actually care about and what ikwe.ai uniquely provides. The gap is real and the market is building to fill it.
Regulatory Standards This Satisfies
| Standard | Requirement | ikwe.ai Product Feature |
|---|---|---|
| EU AI Act Annex III / Art. 9 | Post-market monitoring system — continuous data collection on behavioral performance | Automated EQSB scenario re-runs + timestamped behavioral drift reports |
| NAIC AI Model Bulletin (25 states) | Ongoing behavioral consistency evidence; quarterly monitoring results for examiners | Quarterly behavioral drift report module for insurance clients |
| OCC Revised MRM (Apr 2026) | Periodic revalidation for ML models; ongoing monitoring documentation | Model validation attestation letter tied to monitoring subscription |
| Colorado SB24-205 | Annual deployer review of high-risk AI | Packaged annual review report |
Technical Architecture (What to Build)
Re-run a representative subset of EQSB scenarios on a scheduled cadence (monthly/quarterly). Compare outputs against the original baseline evaluation using similarity scoring. Detect behavioral regressions in any of the 8 EQSB dimensions. Generate automated drift reports with timestamps and cryptographic attestation (links to Gap 4). Alert thresholds trigger mandatory re-assessment. This is proprietary — statistical monitoring tools (Evidently AI, Arize, NannyML) do not do this.
Action Items — 30/60/90 Days
Named Contacts & Resources
AnchorDrift
anchordrift.ai · most compliance-focused drift monitoring analysis; potential partner
Evidently AI
evidentlyai.com · best open-source foundation for monitoring layer; free up to 10K rows/mo
NAIC Big Data and AI Working Group
content.naic.org · publishes model bulletins + evaluation tool documentation; 12-state pilot running now
Gap 4 · Cryptographic Audit Trail
Litigation-Grade
Evidence Chain
Evidence Chain
Quick win: This is primarily a technical infrastructure addition — not a new product. RFC 3161 timestamping costs ~$500 to implement. It upgrades every existing EQSB product into litigation-admissible evidence and opens insurance underwriting, law firm, and procurement markets simultaneously. Do this first.
Technical Requirements
SHA-256 hashing of every scenario input, model response, and evaluation output at moment of capture. RFC 3161 trusted timestamp from accredited timestamp authority (DigiCert or Sectigo — both commercially available). Digital signature using certificate from recognized CA. Append-only immutable log with cryptographic integrity verification. Chain-of-custody document template for each report (who ran evaluation, on what system, what time, what model version). Assessment staff must not have administrative access to modify logs after generation.
Applicable Standards
NIST SP 800-92 (log management + integrity), NIST SP 800-86 (forensic chain of custody), ISO/IEC 27001 Annex A 5.28 (evidence collection), ISO/IEC 27037 (digital evidence), RFC 3161 (trusted timestamping — legally recognized in EU under eIDAS Article 41, increasingly cited in US courts).
Action Items — 30/60/90 Days
Named Contacts & Resources
DigiCert Timestamp Authority
digicert.com · RFC 3161 timestamp services; commercially available
Sectigo
sectigo.com · alternative CA; RFC 3161 + code signing certificates
AXA XL AI Liability Underwriting
axaxl.com · underwriting AI liability risk; want documented pre-deployment testing evidence
Munich Re AI Risk Practice
munichre.com · major AI liability reinsurer; want chain-of-custody governance documentation
arXiv: Cryptographic Evidence for AI (2511.17118)
arxiv.org/pdf/2511.17118 · academic foundation for cryptographic AI evidence structures
Gap 5 · Financial Services / OCC Model Risk
OCC Model Risk
Management Expansion
Management Expansion
Strategic timing: The April 2026 revised interagency guidance explicitly excludes generative AI — pending a separate RFI expected in 2026/2027. This creates a window: banks are already deploying gen AI but have no regulatory framework for validating it. ikwe.ai can sell behavioral gen AI validation now as a preparedness product, and be positioned as the methodology when the formal guidance arrives.
What OCC Revised Guidance (April 17, 2026) Requires
OCC Bulletin 2026-13 (joint with Fed + FDIC, supersedes SR 11-7) applies to banks with $30B+ in assets (and smaller banks with significant model risk). Preserves: model inventory, conceptual soundness validation, ongoing monitoring, third-party model validation, performance benchmarking. What changed: more principles-based, uniform $30B threshold, generative AI and agentic AI explicitly carved out pending forthcoming RFI, increased board-level governance emphasis. Third-party models (AI vendors used by banks) must be incorporated into the bank's MRM framework regardless of source code access.
Entry Point: Gen AI Validation Gap
Gen AI is excluded from April 2026 guidance but banks are already deploying it. The OCC gen AI RFI (expected 2026) will likely lead to guidance requiring behavioral validation — ikwe.ai's EQSB methodology is more appropriate for gen AI validation than statistical SR 11-7 methods. Entry strategy: sell gen AI behavioral validation as a preparedness product at community and regional banks ($5B–$30B assets) that are underserved by Big Four validation firms.
Obstacles
| Obstacle | Difficulty | Notes |
|---|---|---|
| OCC examiner relationships take years to build | Hard | Examiners are the arbiter; they don't know ikwe.ai — needs time + OCC comment participation |
| SR 11-7 validation focuses on statistical methods | Moderate | Must educate bank model risk officers on behavioral scenario methodology vs. statistical metrics |
| Big Four incumbency at large banks | Moderate | Entry point is community/regional banks + gen AI (where Big Four has less presence) |
Action Items — 30/60/90 Days
Named Contacts & Resources
OCC Bulletin 2026-13
occ.treas.gov/news-issuances/bulletins/2026/bulletin-2026-13.html · revised MRM guidance
ACA Group
acaglobal.com · published definitive survey on AI validation gaps in financial services; potential partner
ModelOp
modelop.com · SR 11-7 focused AI governance platform; integration or referral partner
Lumenova AI
lumenova.ai · published SR 11-7 + NAIC guidance; competitive intelligence + potential partner
GARP / PRMIA
garp.com / prmia.org · model risk professional communities; target for awareness and referrals
Orrick AI Practice
orrick.com · published April 2026 revised guidance analysis; engagement target for referrals
Gap 6 · Multi-State Compliance Package
Multi-State AI Compliance
Bundle
Bundle
Quick win: This is a packaging play, not a new product. The compliance matrix (mapping EQSB dimensions to each law's requirements) is the critical artifact. Once built, it unlocks a product that prices at $12,500 — higher than any individual state scan — while being more efficient to deliver than 6 separate engagements.
6 Laws in the Bundle
| Law | Status | Core Compliance Requirement |
|---|---|---|
| Iowa SF2417 | Jul 1, 2026 | Conversational AI: disclosure, anti-manipulation, self-harm protocols |
| Texas TRAIGA HB149 | Active Jan 2026 | NIST RMF alignment → safe harbor from liability |
| Illinois HB3773 | Active Jan 2026 | Employment AI: non-discrimination notice |
| NYC Local Law 144 | Active Jul 2023 | Annual independent bias audit: adverse impact ratio calculation |
| Colorado SB24-205 | Late 2026 enforcement | Annual impact assessment + anti-discrimination documentation |
| Connecticut SB5 | Oct 1, 2026 | Employment AI disclosure + IVO prep |
The Critical Addition: NYC LL144 Adverse Impact Calculation
NYC LL144 requires a specific adverse impact ratio calculation using the four-fifths (80%) rule — a quantitative measurement showing selection rates by gender and race/ethnicity. This is not currently in EQSB's scenario-based methodology. Building this module unlocks both NYC LL144 standalone engagements AND the multi-state bundle. This is the single most important product buildout for the bundle.
Action Items — 30/60/90 Days
Named Contacts & Resources
NYC DCWP
nyc.gov/site/dca/about/automated-employment-decision-tools.page · published LL144 implementation guidance + adverse impact methodology
VerifyWise
verifywise.ai · compliance SaaS for multi-state AI laws; competitive intelligence + potential channel partner
Transparency Coalition
transparencycoalition.ai · comprehensive bill guides for SB5, TRAIGA, LL144; best source for staying current
IAPP
iapp.org · published TRAIGA compliance sample framework
Gap 7 · Employer AI Certification for Procurement
Procurement-Ready
AI Certification
AI Certification
Market pull: Enterprise procurement teams are now routinely asking AI vendors about governance, safety, and compliance — and existing questionnaire frameworks (SOC 2, ISO 27001, SIG Lite) were not designed for AI-specific risks. An ikwe.ai EQSB Procurement Package gives AI vendors a standardized, credible answer to procurement questionnaires and closes deals faster.
Top AI Questions Now in Enterprise Procurement Questionnaires
Bias testing — can you provide third-party evidence?
What is your model drift monitoring cadence?
NIST AI RMF or ISO 42001 alignment?
Third-party audit report of AI safety/fairness?
Human oversight protocol for high-stakes decisions?
Model registry with version tracking + provenance?
Rollback capability if model update introduces harm?
AI incident response process documentation?
Product Structure — EQSB Procurement Package
Core: Full Behavior Report ($5,000) — existing product
+ ISO 42001 alignment attestation letter (maps EQSB to ISO 42001 clauses 4–10)
+ NIST AI RMF alignment mapping document (MEASURE function)
+ Vendor Questionnaire Response Kit — pre-written answers to top 25 AI governance questions from SIG Lite
+ Annual refresh option ($4,000–$5,000/yr) to maintain current status
Action Items — 30/60/90 Days
Named Contacts & Resources
Shared Assessments / SIG 2025
sharedassessments.org · administers SIG questionnaire (most-used in financial services); contact re: AI module
ANAB (ISO 42001 Accreditation)
anab.ansi.org/accreditation/iso-iec-42001 · accreditation body for ISO 42001 certification bodies
A-LIGN
a-lign.com · published ISO 42001 guide; potential certification body partnership for combined package
Schellman
schellman.com · published ISO 42001 requirements explainer; potential certification body partnership
DNV
dnv.us/services/iso-42001 · active ISO 42001 certification body; potential channel partner
NIST AI RMF / ISO 42001 Crosswalk
airc.nist.gov/docs/NIST_AI_RMF_to_ISO_IEC_42001_Crosswalk.pdf · official crosswalk document