Motion Consulting Group · a Kelly Services Co.

The AI Cornerstone — Every Company's First AI Decision.

Governance comes first. Without it, you're just deploying risk. The Cornerstone is MCG's outcome-based starting engagement — the foundation every AI initiative is measured against.

Start your Cornerstone How it works
Inside the Cornerstone

Your AI governance foundation

  • Governance framework
  • Risk register + impact matrix
  • Decision rights map
  • Use-case intake process
  • Vendor & tooling policy
  • Audit & measurement cadence
  • Executive summary memo
We don't deploy AI without a Cornerstone — neither should you. Start the conversation →

What the Cornerstone is

A 3–4 week outcome-based consulting engagement that produces the governance foundation your organization needs before any AI gets deployed at scale.

One deliverable. One document. One source of truth. The Cornerstone is the artifact your board, your auditors, your business units, and your AI engineers all reference. It defines what AI your company will use, what it won't, who decides, how risks are measured, and what evidence you'll keep. Every AI initiative downstream is gated against it — that's the point.

This is also where we discover what to build next. By the end of the Cornerstone, you'll have a prioritized view of which AI initiatives can ship safely, which need more work, and which shouldn't be touched. MCG owns the engagement end-to-end.

Why governance first

AI without governance compounds risk every time you deploy. AI with governance compounds value. The sequencing matters more than the speed.

The sequencing problem

Deploy AI without a governance framework and you'll retrofit one under pressure — typically after an incident, an audit finding, or a board question. The cost of retrofit is 5–10× the cost of starting from a Cornerstone. The Cornerstone exists so you never pay that tax.

The regulatory landscape is binding

The EU AI Act is law (2024), with penalties up to 7% of global revenue for high-risk system violations. Colorado, NYC, California, Illinois, Texas, and others have AI-specific laws on the books or in flight. "We didn't know" is no longer a defense.

EU AI Act NIST AI RMF ISO/IEC 42001 State + sector laws

Shadow AI is already in your org

Employees are using ChatGPT, Copilot, Claude, and dozens of vertical tools on company data right now — with or without your blessing. A Cornerstone surfaces the inventory, the exposure, and the policy gap before it becomes the headline.

The risk surface is wider than IT

AI risk touches legal (IP, copyright, contracts), HR (hiring tools, performance), security (data leakage, prompt injection), brand (hallucinations in customer channels), and ESG/reporting (model accuracy in disclosures). One framework, all surfaces.

Boards and insurers are asking

D&O policies are now adding AI-specific questions. Audit committees want evidence. The Cornerstone is the evidence — written, current, board-ready, and tied to a real intake process rather than a slide.

You can't outsource the strategy

The governance framework has to fit your operating reality — your regulatory posture, your risk appetite, your team's AI maturity, your customer commitments. The Cornerstone is a tailored engagement, not a checklist you download.

In practice — three representative engagements

Composite scenarios drawn from the kinds of organizations the Cornerstone is built for. Names and identifying details abstracted; the situation, the work, and the outcome are the shape of what we deliver.

Mid-cap E&P operator Post-merger

Post-merger AI inventory + EU AI Act exposure

The situation. Operator three months into integration after a $1.2B all-stock merger. Combined entity inherited 14 unsanctioned AI tools across the acquired business — a mix of marketing copy generators, eng Copilot seats, and a vendor-built customer-data summarization tool with EU data flows.

The Cornerstone outcome. Full shadow-AI inventory + risk register flagged the customer-data tool as high-impact EU AI Act exposure (Article 5 + Article 10 obligations). Intake process + vendor policy bound the inventory. Board received a 6-page summary memo at week 4. Two tools shut down, eight migrated to approved-vendor list, four cleared as low-risk. Total weeks: 4.

Series A SaaS Pre-enterprise sale

D&O attestation gap closed before a 7-figure deal

The situation. $30M ARR security-ops SaaS heading into a $2.5M ARR enterprise contract. The prospect's procurement team sent an AI-governance questionnaire two days into diligence. Founder's internal Copilot + ChatGPT usage was unaccounted for in customer-data flows; D&O renewal already had AI clauses pending.

The Cornerstone outcome. Framework + decision-rights map + vendor policy delivered to procurement on day 23. Audit committee received the executive summary memo on day 25. Deal closed six weeks after Cornerstone delivery; D&O carrier accepted the framework as the AI attestation. Total weeks: 4.

Energy services ITAR / CMMC scope

Autonomous-systems data overlay for defense partnerships

The situation. Energy services firm building an autonomous offshore vessel partnership with a defense-adjacent prime. ITAR-controlled data flowing through an AI inference pipeline; CMMC Level 2 attestation due before the contract could move to ATP. No existing governance framework on the AI layer.

The Cornerstone outcome. Risk register mapped AI components to CMMC controls. Decision rights structured a clear CTO / General Counsel / COO escalation path for cross-border data flows. Vendor policy excluded non-US-domiciled inference vendors. Executive summary became the AI-governance addendum on the partnership SOW. Total weeks: 4.

All three are composite scenarios — representative of MCG's outcome-based AI engagement work, anonymized for confidentiality. Real client references available under NDA during scoping.

What's inside your Cornerstone

Seven artifacts. One bound document. Every page traceable to a decision you can defend.

1

AI Governance Framework

The policy document — principles, scope, definitions, and the rules of the road. Tailored to your industry, risk profile, and regulatory exposure.

2

Risk Register & Impact Matrix

Current and emerging AI risks scored on likelihood × impact, mapped to mitigations, ownership, and review cadence.

3

Decision Rights Map

Who approves what at which threshold. Clear escalation paths from individual use to enterprise-wide rollout.

4

Use-Case Intake Process

The gate every new AI initiative passes through — a repeatable workflow with documented criteria, not a back-room conversation.

5

Vendor & Tooling Policy

Approved providers, data-handling requirements, contract language, and the inventory of what's currently in flight inside your walls.

6

Audit & Measurement Cadence

What you measure quarterly, what you re-certify annually, and what evidence you keep when the auditor or board asks.

7

Executive Summary Memo

A 5–8 page synthesis written for your CEO, board, and audit committee — what's in place, what's next, and where MCG can help.

What a delivered Cornerstone looks like

One bound document. Roughly 40–60 pages depending on org complexity. Excerpts below show the shape of each artifact — actual content is tailored to your operating reality, regulatory exposure, and AI inventory.

▸ Cornerstone Document · v1.0 · CONFIDENTIAL
AI Governance Cornerstone — [Client Name]
Prepared by Motion Consulting Group · a Kelly Services Co. · [Date] · 47 pages
PAGE 3 · EXECUTIVE SUMMARY (EXCERPT)

[Client] currently operates 14 AI-touching tools across 6 business units, with 3 carrying high regulatory exposure (EU AI Act Article 5 + 10) and 2 requiring immediate vendor-policy remediation. The governance framework outlined in this document brings all 14 under a single decision-rights structure with a documented intake process and a quarterly audit cadence.

Of the 5 AI initiatives [Client] is planning in the next 12 months, 3 are cleared to proceed under the framework, 1 requires additional risk-register entries before scope is approved, and 1 is recommended for restructure to reduce data-flow exposure. The board-readiness assessment in Section 7 confirms the framework satisfies the AI clauses in the [Insurer] D&O renewal due 2026-09-30.

PAGE 18 · RISK REGISTER (1 OF 23 ENTRIES)
Risk ID
R-014
Description
Customer-facing LLM summarization tool processes EU resident PII without DPIA documentation.
Likelihood
HIGH
Impact
HIGH — up to 7% global revenue penalty under EU AI Act Article 99
Owner
VP Engineering + General Counsel (joint)
Mitigation
Intake-gate retro-review with DPIA + customer-data inventory mapping. Vendor contract addendum or replacement by 2026-Q4.
Review cadence
Monthly until closed; quarterly thereafter.
PAGE 27 · DECISION RIGHTS MAP (EXCERPT)
AI use class Approver Threshold
Internal productivity (Copilot-class) Department head Approved-vendor list only
Customer-facing inference VP Eng + Legal (joint) DPIA required; risk-register entry mandatory
High-risk decision automation Executive Committee Board notification for production rollout
EU / regulated jurisdiction data Executive Committee + GC DPIA + Article 9/10 review + board minute
PAGE 42 · PRIORITIZED NEXT-INITIATIVE VIEW
  • Approved to proceed — Internal Copilot rollout across Eng + Product (Q3 2026), Marketing copy assistant migration to approved vendor (Q3 2026), Sales-enablement summarization on internal data only (Q4 2026).
  • Conditional — Customer-support chatbot pending DPIA completion + vendor remediation (target Q4 2026).
  • Recommend restructure — Public-facing customer recommendation engine (current design exceeds risk appetite per Section 4; revised scope proposal in Section 9.3).
Mapped to: EU AI Act · NIST AI RMF · ISO/IEC 42001 · sector-specific obligations © Motion Consulting Group · CONFIDENTIAL

Excerpts are representative of the document structure. Actual page count, risk-register entries, and roadmap recommendations are tailored to each engagement.

How the engagement works

Three to four weeks. Four phases. One delivered Cornerstone document — owned by MCG, built with you.

Week 1

Discovery

Structured interviews with leadership, IT, legal, compliance, security, and key business units. AI inventory across the organization — what's in use, what's planned, where the exposure sits.

Week 2

Drafting

Governance framework draft, risk register, decision-rights model. Mapped to the regulatory landscape (EU AI Act, NIST AI RMF, ISO/IEC 42001) and your sector-specific obligations.

Week 3

Workshops

Working sessions with stakeholders to validate the framework, calibrate decision thresholds, and design the intake process so it lands in how your organization actually operates.

Week 4

Delivery

Final document, executive briefing, audit-committee-ready summary, and handoff. You leave with a Cornerstone in place and a prioritized view of what to build next.

Inside the four weeks — what actually happens day by day

A typical engagement broken down to the working-day level. Cadence flexes to your calendar; the structure stays the same.

Week 1 · Discovery Goal: complete AI inventory + stakeholder map by Friday
  • Mon–Tue: Kickoff with executive sponsor. Structured interviews — CEO, COO, General Counsel, Chief Risk Officer if applicable.
  • Wed: IT + Security interviews. Existing-tool inventory pull. Vendor list audit (procurement liaison).
  • Thu: Business-unit interviews — typically 4–6 BU leads. Shadow-AI surfacing questions.
  • Fri: Compliance + legal interviews. Sector-specific regulatory landscape locked. End-of-week status update to executive sponsor.
Week 2 · Drafting Goal: working draft of all 7 artifacts ready for client review
  • Mon–Tue: Governance framework v1 draft. Principles, scope, definitions tailored to interview findings.
  • Wed: Risk register populated. Each inventoried AI tool scored on likelihood × impact, mapped to a regulatory regime.
  • Thu: Decision rights map + escalation thresholds. Vendor & tooling policy draft.
  • Fri: Internal red-team review at MCG (advisor pass). Pre-workshop materials sent to client stakeholders.
Week 3 · Workshops Goal: framework validated, intake calibrated, scope decisions made
  • Mon: Workshop 1 — framework + risk-register walkthrough with executive sponsor and direct reports. Decisions logged.
  • Tue: Workshop 2 — intake-process design session with operations + IT. Threshold calibration.
  • Wed: Workshop 3 — vendor policy + audit cadence with procurement, security, internal audit.
  • Thu–Fri: Draft revisions incorporating workshop decisions. Executive summary memo first draft.
Week 4 · Delivery Goal: Cornerstone delivered, executive briefing complete, handoff signed
  • Mon–Tue: Final document polish. Cross-reference audit. Citation check against EU AI Act / NIST RMF / ISO/IEC 42001.
  • Wed: Executive briefing rehearsal. Audit-committee summary finalized. Roadmap recommendations sealed.
  • Thu: Executive briefing delivered (60–90 minutes). Q&A. Decision log updated. Audit-committee handoff packet sent.
  • Fri: Operational handoff to client team. 30-day check-in scheduled. Optional kick-off conversation for next-phase engagement (Quick Wins / Roadmap).

What you commit: roughly 14–18 hours of stakeholder time across the four weeks — concentrated in week 1 (interviews) and week 3 (workshops). Weeks 2 and 4 are mostly MCG-side work. Executive sponsor commits ~3–4 hours total.

What comes after the Cornerstone

The Cornerstone is the gate. Once it's in place, MCG can help you ship governed AI — and only governed AI.

Entry · 3–4 weeksThe AI Cornerstone
Governance framework, risk register, decision rights, intake process. The foundation. Required before anything else.
Discovery · 4–6 weeksAI Quick Wins + Bottleneck Map
Where AI moves the needle inside your organization — prioritized use cases, scoped for shipment in 30–90 days against the Cornerstone gates.
Plan · 6–8 weeksStrategic AI Roadmap
A 12-month plan tied to your operational priorities and capital cycle. Clarifies what to do now, what to stage later, and how to sequence governance, pilots, and scaled deployment.
Build · Engagement-scopedImplementation
MCG owns delivery against the Cornerstone gates — Agile, DevOps & DevSecOps, Managed Services, and AI & Data engagements scoped as outcome-based deliverables, not hours.

We don't ship AI without governance. Yours, or ours. The Cornerstone is how we start every engagement that touches AI — because it's the only way the work holds up.

Why MCG

Relationship Driven

Governance isn't a one-and-done. We engage at the pace of your decisions, with people who stay on the work from kickoff to handoff and remain available when something new lands on your desk.

Tailored Solutions

No shelf-ware. Every Cornerstone is scoped to your operating reality — your regulatory posture, your data landscape, your team's AI maturity, your sector's exposure profile.

Client-Centric

Outcome-based, deliverable-driven engagements we own end-to-end. You know what you're getting on day one, and we ship against it. Backed by Kelly Services (NASDAQ: KELYA).

Motion Consulting Group (MCG) is an IT consulting firm — part of Kelly Services, Inc. (NASDAQ: KELYA) — focused on Agile consulting and coaching, DevOps & DevSecOps, and Managed Services & IT Operations. The AI Cornerstone is our standard entry point for AI work: every initiative we touch sits on a Cornerstone, because that's the only way the work holds up.

Motion Consulting Group · a Kelly Services Co. · Headquarters: 501 Boylston St, 3rd Floor, Boston, MA 02116 · Website: motionrecruitment.com/consulting

Start your Cornerstone

Tell us a little about where you are today — what AI is in flight, what's worrying you, what your board has asked. We'll follow up with a focused next-step conversation.

v1 routes via your default email client. Production form handler pending.