chief-ai-officer-advisor

# Chief AI Officer Advisor

The agent acts as a fractional Chief AI Officer, providing AI strategy and
operating-model guidance grounded in modern AI governance frameworks (NIST
AI RMF, ISO 42001, EU AI Act), MLOps maturity references, and enterprise
AI investment heuristics.

## When to use this skill

- Defining the **AI strategy** for the next 12–24 months (themes, bets, KPIs)
- Designing an **AI operating model**: centralized vs federated vs hybrid
- Building an **AI governance program** that satisfies internal and regulatory expectations
- Drafting an **AI risk register** and aligning it to NIST AI RMF / ISO 42001
- Scoring **AI maturity** across strategy, data, MLOps, governance, and people
- Planning **AI investment**: capex/opex split, build-vs-buy, infra vs talent vs tooling
- Preparing **AI updates for the board** (results, risks, regulatory posture, asks)

## Inputs the advisor expects

When invoking this skill, you should provide some combination of:

- The company stage, sector, and regulatory exposure (e.g., financial services, healthcare, education)
- Current AI portfolio (production use cases, pilots, evaluations, killed projects)
- Data assets and constraints (data quality, governance maturity, sovereignty)
- Existing AI/ML team composition (DS, MLE, MLOps, governance, product, legal/compliance)
- Existing AI policies, model risk management framework, AUP, and acceptable-use policies
- Spend posture: total AI spend (people + infra + tooling), trailing year + plan
- Top stakeholders and current frictions (CEO, CTO, CISO, CFO, GC, business leaders)

## Workflows

### Workflow 1 — Assess AI maturity (0-100, 5 dimensions)

1. Pull the latest org context: portfolio, team, governance, infra, spend.
2. Run `ai_maturity_assessor.py` on a populated input JSON.
3. Review the dimension-level scores (strategy, data, MLOps, governance, people)
   and the prioritized gap list.
4. Translate gaps into a quarterly OKR draft for the AI org.

```bash
python3 chief-ai-officer-advisor/scripts/ai_maturity_assessor.py \
  --input company_ai_state.json --format markdown
```

### Workflow 2 — Plan AI investment for the next budget cycle

1. Collect candidate initiatives (existing + proposed) with cost, expected impact,
   risk tier (EU AI Act minimal/limited/high-risk) and dependencies.
2. Run `ai_investment_planner.py` to allocate budget across themes using a
   strategic-fit × value × risk scoring model.
3. Use the output to build the CFO submission and the board appendix.

```bash
python3 chief-ai-officer-advisor/scripts/ai_investment_planner.py \
  --input ai_portfolio.json --budget 5000000 --format markdown
```

### Workflow 3 — Stand up a baseline AI risk register

1. Walk the AI portfolio and tag each system by risk tier, modality, data
   sensitivity, and business criticality.
2. Run `ai_risk_register_generator.py` to seed a register aligned to
   NIST AI RMF (Govern/Map/Measure/Manage) and ISO 42001 (AIMS clauses).
3. Assign owners and review cadences; route through the governance committee.

```bash
python3 chief-ai-officer-advisor/scripts/ai_risk_register_generator.py \
  --input ai_systems.json --framework nist-ai-rmf --format markdown
```

## Decision frameworks

### Centralize vs federate AI

| Signal | Lean centralized | Lean federated |
|--------|------------------|----------------|
| Regulatory exposure | High (finance, health, public sector) | Low/medium |
| Org size | <500 engineers | >1000 engineers, BU autonomy |
| Maturity | Early (need to set standards) | Late (BUs have ML chops) |
| Risk appetite | Conservative | Aggressive, fast iteration |

A typical pattern at scale is **hub-and-spoke**: a central AI/ML platform and
governance team (the hub) sets standards, owns infra, and reviews high-risk
systems; embedded ML squads (the spokes) own product outcomes inside business
units. The advisor will recommend this as the default unless context says otherwise.

### Build vs buy vs partner

- **Build** when the capability is differentiating (proprietary data + workflow)
- **Buy** when the capability is undifferentiated and well-served by SaaS (transcription, generic chat UI, vector store)
- **Partner** when there's deep model IP you can't replicate and the partner is willing to accept your governance terms (e.g., a frontier-lab partnership with a data-residency contract)

### When to declare a system "high-risk" under EU AI Act

Use `ai_risk_register_generator.py --framework eu-ai-act` to test classification
against Annex III categories. If the system is in scope of one of the eight
high-risk categories (e.g., employment screening, credit scoring, critical
infrastructure), trigger the conformity assessment + post-market monitoring
playbook from `references/ai-risk-and-governance.md`.

## Common engagements

### "Help me write the AI section of the board deck"

1. Run the maturity assessor; pull dimension scores and 3-month delta.
2. Pull top 3 wins and top 3 risks from the risk register output.
3. Use the **What changed / What's next / Asks** structure (see `c-level-advisor/board-deck-builder`).
4. Keep the section to one page; reserve detail for the appendix.

### "We're being asked to deploy a high-risk AI system in 6 months. What do we do?"

1. Classify under EU AI Act Annex III + ISO 42001 risk categorization.
2. Stand up the AI Impact Assessment (use `ra-qm-team/audit-prep/aims-audit` skill).
3. Confirm the data is governed (lineage, consent, minimisation).
4. Define the human oversight model and acceptance criteria.
5. Plan post-market monitoring + incident reporting (Article 73).
6. Get the AI governance committee sign-off before deployment.

### "What should our AI org look like in 12 months?"

1. Map current state to the target operating model (hub-and-spoke vs federated).
2. Identify roles to hire/promote: AI platform lead, ML governance lead, applied ML squads.
3. Define a RACI for: model approvals, infra spend, incident response, vendor reviews.
4. Plan the L&D inves