AskAjay.ai

Governance

How AskAjay Is Governed

An AI governance advisor whose own AI has published governance. Transparency is the foundation here, not a feature.

01

Document 1 of 8

AI Exponent LLC Structure

AskAjay.ai is the advisory and courses arm of AI Exponent LLC. Tools, open source governance code, runtime governance products, evidence pipelines, are at AiExponent.com under the same parent company. I keep the two arms editorially distinct on purpose: advisory is judgment work; tooling is engineering work. Mixing the two is how compliance theatre starts.

No automated data flow. I do not share data between the two arms without your explicit consent. If you submit an advisory enquiry that turns out to be about a specific tool, I forward the message to the AiExponent contact form myself, after telling you. There is no shared CRM, no analytics join across the two domains, and no automated routing between the two contact forms.

Cloudflare legacy redirects. A small number of legacy content paths on aiexponent.com redirect to askajay.ai via Cloudflare (pattern: aiexponent.com/<legacy-content-path> -> askajay.ai/<corresponding-path>). These exist for SEO continuity where editorial content moved between brands; they are deliberate and do not represent a merger of the two brands' voice or audience.

02

Document 2 of 8

How AskAjay Works

AskAjay is a retrieval-augmented generation (RAG) system, not a fine-tuned model. You are interacting with an AI system: when you ask a question, it retrieves relevant passages from Ajay's published work (61 articles, 5 signature frameworks, 255 Q&A pairs) and uses those passages as context for Anthropic's Claude model to construct a grounded response. Every answer is meant to have a source, and that source is meant to be traceable; the knowledge base sections below cover the cases where that has not held.

The system generates an embedding of your question using Fireworks AI's Qwen3-Embedding-8B model, performs vector similarity search against 1154 knowledge chunks in Supabase pgvector, retrieves the most relevant passages with source metadata, and constructs a response using Claude with instructions to stay grounded in the retrieved context and to say so when it cannot find relevant grounding, rather than filling the gap.

The knowledge base covers AI governance, enterprise AI strategy, agentic AI readiness, regulatory compliance (EU AI Act, NIST, GDPR, HIPAA), and measuring the value of responsible AI, all derived from Ajay's published frameworks and advisory work.

Rate limiting and input handling: AI endpoints are rate-limited per user, and user input is sanitized before being included in a model prompt, as a baseline defense against prompt injection through submitted text.

03

Document 3 of 8

Known Limitations

AskAjay cannot provide legal advice. For legal questions about AI compliance, regulatory interpretation, or contractual obligations, consult qualified legal counsel.

AskAjay cannot access real-time data. The knowledge base is updated periodically, not in real time. Regulatory landscapes change; verify time-sensitive information independently.

AskAjay cannot know your organizational context unless you provide it. Recommendations are framework-driven, not situation-specific. For organization-specific guidance, book a discovery call.

Canvas scoring rubrics are empirically informed but not statistically validated across large samples yet. I am transparent about the maturity of my methodology; see the Canvas Scoring Methodology document below for exactly how scoring works today.

Responses may not reflect the very latest regulatory changes. When a response cites a date or regulation, verify it is current.

The advisory boundary: AskAjay tells you when a question requires human judgment, organizational context, or legal expertise that goes beyond what frameworks can provide.

04

Document 4 of 8

Data & Privacy Policy

What I collect: queries you submit to AskAjay, Canvas assessment responses (for scoring and optional benchmarking), and email addresses for account identification.

How data is stored: Supabase PostgreSQL with Row Level Security, encrypted at rest. Conversation logs are retained for 30 days for quality improvement, then permanently deleted (a fixed TTL enforced by a scheduled database cleanup, not a manual process). I do not train models on your conversations.

Canvas data: assessment responses are anonymised and aggregated for peer benchmarking only when the sample exceeds 100 responses. No personally identifiable information appears in benchmarks. Canvas benchmark data itself is retained indefinitely in anonymised form; you may request deletion of your own underlying record at any time.

Sub-processors: your query text and, for Canvas, your assessment answers are sent to Anthropic's Claude API (US-hosted) to generate a response, and to Fireworks AI's embedding API (also US-hosted) to compute a search vector for your question. Account and session data is handled by Clerk. The application is hosted on Vercel (frontend) and Railway (backend). Error tracking is handled by Sentry, and transactional email by Resend. None of these providers receives more than the minimum data needed to perform their function, and none is authorized to use your data for any purpose beyond providing that function to AskAjay.

Anthropic's and Fireworks' own data-use terms, not a promise made on their behalf by this page, govern what each provider does with data sent to their API; this page states what AskAjay sends them, not what they contractually commit to, since only their own published terms can attest to that.

GDPR position: data processing is based on legitimate interest and explicit consent. You have the right to request deletion of all your data at any time by emailing [email protected].

Analytics: Plausible Analytics, cookie-free and configured to collect no personal data.

No data is sold to third parties. Ever. No exceptions.

05

Document 5 of 8

MVG Applied to AskAjay

I practice what I preach. Here is my own Minimum Viable Governance framework applied to AskAjay:

GOVERN: My AI inventory contains two scored systems (the 5-Pillar Canvas assessment and the Agentic/A7 module) plus the AskAjay chatbot itself. Risk register: hallucination (mitigated by RAG grounding and an instruction to disclose ungrounded gaps rather than fill them), outdated information (mitigated by periodic knowledge base refresh), over-confidence (mitigated by the advisory boundary in the system prompt), and content drift between what this page states and what the code actually does (the specific failure this page's own retraction log entry below documents, mitigated going forward by deriving factual claims from the codebase rather than hand-authoring them twice). Accountability: Ajay Pundhir, personally.

MAP: Stakeholders are executives, governance teams, and AI leaders. Data sources are Ajay's published articles and Q&A pairs. Deployment context is a web application with no autonomous decision-making.

MEASURE: Performance baselines include response relevance, citation accuracy, and user satisfaction. Drift monitoring tracks knowledge-base freshness and, as of 2026-07-09, an automated check that this page's Canvas-scoring description matches the live scoring code.

MANAGE: Incident response: if AskAjay gives incorrect advice, or if this page itself is found to misstate how the system works, the retraction log is updated with a dated entry before or simultaneously with the correction, the knowledge base is corrected, and affected users are notified where identifiable.

The Family Test: "Would I be comfortable if this AI gave governance advice to my family's company?" This is the standard AskAjay holds itself to.

06

Document 6 of 8

Ethical Debt Report

Using our own Liability Ledger framework, here is AskAjay's current ethical debt self-assessment. The full Liability Ledger Audit is a structured worksheet, 5 categories scored across 25 dimensions, 25-125 point scale (see the Liability Ledger series for the full methodology). AskAjay has not yet run that full 25-dimension worksheet against itself; the assessment below is a category-level self-rating, not a scored audit, and should be read as directional rather than precise.

D1 Bias Debt: LOW. No user-facing decisions are made about people; this is a retrieval-based system, not a system that classifies, scores, or selects among users. The residual risk is retrieval bias: does vector search consistently favour certain articles or frameworks over others in response to neutral queries? Monitoring: quarterly review of retrieval distribution.

D2 Transparency Debt: LOW, with an open finding. Architecture is published on this page, limitations are documented, and Canvas scoring methodology is now published accurately (see below), correcting a prior version of this same page that mis-described it. That correction is itself evidence this category needs ongoing vigilance, not a closed question.

D3 Governance Debt: LOW. This governance page exists, MVG is applied (above), and this page's own retraction log is active and used, including for this page's own past inaccuracies.

D4 Privacy Debt: LOW. Minimal, purpose-limited data collection. 30-day retention on conversation logs. No PII in benchmarks. Sub-processors are now named explicitly (Data & Privacy Policy, above).

D5 Accountability Debt: LOW. Single accountable person, Ajay Pundhir. Escalation: [email protected].

Overall: category-level self-rating places AskAjay in or near the Debt Free band (25-40 on the full 125-point scale), on the low end given all five categories rate LOW, but this is not a claim of a specific computed score. Next full audit: 2026-10-09.

07

Document 7 of 8

Retraction Log

This log documents any corrections, retractions, or material updates to AskAjay's knowledge base, scoring methodology, or this governance page itself.

Policy: any factual error discovered is corrected within 48 hours. No silent edits; all material corrections are logged here with the date, what changed, why, and the impact, before or simultaneously with the correction going live.

2026-07-09: Two separate, independent findings, both corrected in the same pass. (1) Canvas report generator: the Pillar 2 (Data Infrastructure) and regulatory-exposure sections of every Canvas report queried the knowledge base using topic filters that had never matched any real content, so those two sections generated their narrative without knowledge-base grounding in every report since launch. Report scores were unaffected; they are computed directly from assessment answers, not retrieval. Fixed by removing the broken filter and adding an internal alert if a section ever returns ungrounded again. (2) This governance page: the Canvas Scoring Methodology document (this page) and the equivalent document embedded for the chatbot had each independently described a scoring system that does not match the actual implementation, including pillar names, maturity-level names, and the core scoring rule (both described a weighted sum; the actual system uses a weakest-pillar floor rule). Neither document had ever been correct. Both are now generated from one shared source, with the scoring facts checked against the live code rather than hand-typed, so this class of error is checked automatically going forward.

No retractions before 2026-07-09.

08

Document 8 of 8

Canvas Scoring Methodology

The 5-Pillar Canvas assesses AI readiness across 5 pillars: Strategic Alignment, Data Infrastructure, Talent & Culture, Operational Processes, and Ethics & Governance. Each pillar has 3 calibrated questions (15 total). Each question is scored 1-5; a pillar's score is the average of its 3 questions, rounded to the nearest 0.5.

Overall readiness is not the average of your five pillar scores. It is your weakest pillar score. An organization scoring 5-5-5-5-1 is not a "4.2"; it is a "1" with four strong capabilities and a fatal gap. This is the weakest-pillar rule, and it is deliberate: a strong strategy pillar does not protect you from a governance failure.

Maturity levels, applied to both individual pillar scores and the overall score: Ad Hoc (below 2), Emerging (2 to below 3), Defined (3 to below 4), Managed (4 to below 4.5), Optimized (4.5 and above).

A second, separate module scores agentic AI readiness specifically (the A7 framework): 7 questions map to 6 dimensions (Real-Time Data Readiness, Agent Infrastructure, Human Oversight, Agentic Workforce, Agent Security, and a combined Autonomy Calibration dimension). The same floor-rule philosophy applies: your agentic readiness equals your weakest A7 dimension, which maps to an autonomy level from L0 (no autonomy) to L4 (full autonomy). This module is separate from, and in addition to, the 5-pillar score above.

Scoring criteria for both modules are published and transparent; the specific numeric mapping from individual answer options to scores is kept internal to preserve assessment integrity, so a respondent cannot reverse-engineer the answer that maximizes their score rather than reflects their actual maturity.

The methodology was developed from 12+ organizational assessments conducted in advisory engagements.

Questions about our governance practices?

[email protected]

Last reviewed: 2026-07-09