What each engagement covers.

A quick reference for where each engagement starts and stops.

Snapshot Baseline Program Partner Vendor Analysis
Primary question Where do I stand? Is our posture sound? What do we do about it? Are we staying current? Is this vendor relationship sound?
Org docs analyzed No Full gap analysis Full gap analysis Monitored for changes Org Doc Summary only
Vendors reviewed None Up to 5 All (building on Baseline) Up to 2/month included 1 designated primary
Risk register No No Yes, full build Maintained ongoing No
Remediation roadmap No Guidance only Yes, full build Progress tracked + annual reset No
Board-ready output No Posture summary only Yes, full package Quarterly report No
Advisory hours None None 10 face-time hours 10 hrs/month (+4 in assessment month) None
Annual reassessment No No No Yes, included No
Timeline Immediate 7–10 business days 2–3 weeks Ongoing 5 business days
Credit toward next Routes to entry point Full credit → Program (90d) Credit → Partner month 1 Terminal engagement Full credit → Baseline (90d)

Snapshot → Baseline → Program → Partner

Four engagements in sequence. Each builds on the one before it. You can enter at any step, but each engagement is designed assuming the one before it is either in place or being bundled.

Entry Point
Readiness Snapshot
Free
Complimentary during launch
(a $3,500 value)
Immediate
Request Snapshot
  • Any organization considering AI compliance services that wants to understand where they stand before committing to a paid engagement
  • Organizations unsure which offering is the right starting point
  • Organizations that have a compliance question but aren't sure how serious it is
  • Organizations that already know their posture and have a specific vendor question, go directly to AI Vendor Analysis
  • Organizations that already know they need a full posture review, go directly to AI Compliance Baseline
  • Structured maturity self-assessment
  • Maturity score and stage classification on Rote's compliance maturity matrix
  • Routing recommendation to the right engagement with rationale

No human advisory time included. This is a diagnostic, not a consultation.

Step 1 of 4
Step 1
AI Compliance Baseline
$10,000 – $14,000
Fixed fee · billed at engagement start
7–10 business days from complete intake
Get started
  • Organizations that need to understand their full AI compliance posture across all vendors and internal policies, not a single vendor question, but the whole picture
  • First enterprise customer due diligence request requiring documented evidence of AI compliance practices
  • Series A or B company preparing for healthcare market entry and establishing compliance posture before scale
  • New CISO, CCO, or compliance lead establishing current state before building or inheriting a program
  • Organizations that completed an AI Vendor Analysis and need to address the organizational picture

Requires at least one existing BAA, an organizational compliance manual, and a security manual. If any are absent, intake will surface this and you will be advised on whether the Program is the better path. Organizations without these documents often find the cost of creating them plus completing a Baseline approaches Program pricing.

  • Full AI vendor landscape review (up to 5 vendors, each risk-classified: Compliant / Conditional / Non-Compliant)
  • Cross-BAA analysis: coverage consistency and gap review across all provided BAAs
  • Organizational policy gap analysis with CFR citations and plain-language descriptions
  • Current compliance posture summary: suitable for internal use, due diligence response, and BAA negotiation
  • Prioritized gap list with remediation guidance (what to address, in what order, and why)
  • Maturity stage classification with supporting evidence
Credit toward Program The Baseline fee credits in full toward an AI Risk & Compliance Program engagement if initiated within 90 days of Baseline delivery.
Step 2 of 4
Step 2
AI Risk & Compliance Program
$22,000 – $28,000
Includes up to 10 hours direct
face time with Dan, not delivery hours
2–3 weeks from complete intake
Get started
  • Organizations that have completed a Baseline and need to act on what they found
  • Organizations facing a board-level AI risk review requiring a documented, defensible risk register
  • Enterprise-ready healthtech companies preparing for or responding to enterprise customer security reviews
  • Organizations responding to an OCR inquiry or preparing for a regulatory audit
  • Series B+ companies that need their AI compliance posture to be board-presentable and externally auditable
  • Comprehensive gap analysis with CFR citations, risk severity classification, and evidence log
  • AI compliance risk register: all risks documented, classified by likelihood and impact, and ownership-assigned
  • Prioritized remediation roadmap: time-bound, owner-assigned, success criteria defined
  • Board and enterprise documentation package: audience-designed for non-technical stakeholders
  • Maturity stage classification (updated or established) with supporting evidence
  • Up to 10 hours direct face time with Dan: covering kickoff, delivery, and early implementation consultation
Credit toward Partner Organizations that initiate an AI Governance Partner engagement within 90 days of Program delivery receive credit toward the first month's Partner fee.
Step 3 of 4: Ongoing
Step 3: Ongoing
AI Governance Partner
$8,000 – $12,000
Per month · 30-day notice to cancel
Ongoing engagement
Start a conversation
  • Organizations that have completed an AI Risk & Compliance Program and are implementing the remediation roadmap
  • Organizations with a mature compliance posture that need ongoing governance as regulations and AI tooling evolve
  • Companies adding new AI tools regularly that need continuous vendor review coverage
  • Organizations with ongoing enterprise customer relationships requiring continuous, demonstrable compliance evidence
Monthly
  • Up to 10 hours direct face time with Dan: advisory sessions, vendor review calls, and responsive access combined
  • Up to 2 vendor reviews (AI Vendor Analysis methodology)
  • Policy update recommendations as the regulatory landscape evolves
  • Responsive access for urgent questions within agreed SLA
Quarterly
  • AI Compliance Posture Report: current state, roadmap progress, new risks, maturity classification update
Annually
  • AI Compliance Program Review: full reassessment, updated gap analysis, refreshed risk register, reset remediation roadmap
  • Up to 4 additional face-time hours beyond standard monthly allocation in assessment month

Partner is designed to be the terminal engagement for a mature organization. The annual program assessment replaces the need to repurchase a standalone Program to stay current each year.

AI Vendor Analysis

AI Vendor Analysis is not a step in the maturity ladder. It is a standalone analytical service available to any organization, at any stage, that has a specific vendor question that needs a credible, documented answer. An organization with a single urgent vendor concern can access it before starting the ladder. A mature Partner client adding a new AI tool can access it between monthly retainer cycles.

On-Demand
AI Vendor Analysis
$5,000 – $7,000
Per vendor reviewed · Rote platform customers may receive a discount based on data already available
5 business days from complete intake
Get started
  • An organization with a specific, urgent vendor trigger, such as a new AI tool pending signature or a health plan partner asking hard questions about a specific vendor, who needs a credible answer quickly
  • A mature organization adding a new AI tool, renewing a BAA, or responding to a specific vendor-level question where the organizational posture is already established
  • Cross-BAA analysis: conflicts and coverage gaps in provided BAAs relevant to the primary vendor
  • Data flow documentation for the reviewed vendor (informed by your security and compliance manuals)
  • BAA gap findings for the primary vendor with specific CFR citations
  • Risk classification (Compliant / Conditional / Non-Compliant) applied against your own compliance manual risk framework, supplemented by Rote's AI-specific criteria
  • Remediation action list: what to fix, require of the vendor, or renegotiate before or at signing
  • Organizational Document Summary
Organizational Document Summary

Every Vendor Risk Report includes this section. It answers one question: did your organizational documents surface anything that materially affects the vendor findings in this report?

Occasionally, a foundational document is absent or too incomplete to support risk classification: no compliance manual, no risk classification framework in the security manual. When that happens, the vendor assessment cannot proceed to a risk verdict and the engagement pauses. If you can supply the missing information informally, the analysis continues. If not, the Analysis fee credits in full toward the Baseline required to address it.

Credit toward Baseline The Analysis fee credits in full toward an AI Compliance Baseline engagement if initiated within 90 days of Analysis delivery.

Two engagements. One intake. One commitment.

Bundles are available where two adjacent ladder engagements are purchased together: single intake, no credit clock, continuous engagement context, and a discount off the combined standalone price.

Baseline + Program Bundle
$30,000 – $38,000
Saves $2,000–$4,000 vs. standalone
3–4 weeks delivery

A single continuous engagement that moves from posture establishment (Baseline) directly into program build (Program) without a gap, a second intake, or a credit clock. The Baseline findings feed directly into the Program. Includes all Baseline and Program deliverables, plus the 10 direct face-time hours from the Program.

Credit toward AI Governance Partner if initiated within 90 days of Program delivery.
Talk about this bundle
Program + Partner Bundle
Program fee + 3-month Partner at 15% off
Example: $25,000 Program + ~$25,500 for 3 months Partner (vs. $30,000 at full rate) = ~$50,500 total
Partner begins concurrent with Program delivery

Moves from program build directly into ongoing governance with no gap between delivery and Partner start. The 15% discount applies to the first three months of the Partner engagement. The relationship, context, and findings carry forward without a handoff.

No onboarding gap. Advisor continuity from program delivery into ongoing governance.
Talk about this bundle

Common questions.

What is the Readiness Snapshot?

The Snapshot is free. You complete a structured maturity self-assessment and receive a maturity score and stage classification on Rote's compliance maturity matrix, plus a routing recommendation to the right engagement with rationale. No human advisory time is included. It is a diagnostic, not a consultation.

What is the difference between the Baseline and the Program?

The Baseline establishes your current posture: where you stand, what your gaps are, and how your vendors rank. It produces a report suitable for due diligence response and internal use. The Program acts on what the Baseline found: it builds the full risk register, produces the prioritized remediation roadmap, and delivers the board-ready documentation package. The Baseline tells you where you are. The Program maps the path forward and starts you on it.

When should I use AI Vendor Analysis instead of starting the ladder?

AI Vendor Analysis is for organizations with a specific, urgent vendor question, whether a new AI tool pending signature or an enterprise customer asking hard questions about a specific vendor, where you need a credible answer quickly without a full posture review. If you are uncertain about your overall AI compliance posture with no specific vendor trigger, start with the Snapshot or go directly to the Baseline. The Analysis fee credits in full toward a Baseline if initiated within 90 days of delivery.

What does the 90-day credit mean?

Credits apply between adjacent engagements when initiated within 90 days of delivery. The Baseline fee credits in full toward a Program. The Program provides credit toward the first month of Partner. The AI Vendor Analysis fee credits in full toward a Baseline. The bundles eliminate the credit clock entirely: single intake, continuous engagement, no timing pressure.

What happens if my organizational documents are incomplete for an AI Vendor Analysis?

The Organizational Document Summary in your Vendor Risk Report flags anything in your documents that materially affects the vendor findings. Sometimes a foundation is simply absent: no compliance manual, no risk classification framework in the security manual, BAAs too incomplete for cross-analysis. When that happens, the vendor assessment cannot proceed to a risk verdict, and the engagement pauses. If you can supply the missing information informally, the analysis continues. If not, the Analysis fee credits in full toward the Baseline required to address it.

Does the Baseline have document prerequisites?

Yes. Baseline intake requires at least one existing BAA, an organizational compliance manual, and a security manual. If any are absent, intake surfaces this and you will be advised on whether to proceed to the Program instead. Organizations without these documents often find that the total cost of creating them plus completing a Baseline approaches Program pricing. The Program is typically the better path in that case, and any Baseline intake fee paid credits toward it.

If you're not ready for a full engagement, or if you want to run the analysis yourself before deciding on advisory support, the platform is available now in beta. The intake agent walks you through setup in about 15 minutes. A coordinated team of compliance agents then maintains your program every week, starting with Gap Closure, Regulatory Watch, and Document Health. Access is by request during the beta period.

Request platform beta access →

This ladder is the AI-specific layer: it assumes a baseline HIPAA program is already in place (the Baseline engagement's prerequisites are an existing BAA, compliance manual, and security manual) and builds AI vendor review, AI-specific policy, and ongoing AI monitoring on top of it. If your question is that foundation itself, no AI vendor or AI feature involved, the HIPAA track builds it directly, at HIPAA pricing.

See the HIPAA track →

The services above are the AI-governance motion. If you operate a 42 CFR Part 2 program, the 2024 final rule changed what your posted patient notice must say. That's a separate track with its own free Self-Check and a fixed-price Alignment Review.

See Part 2 Alignment →

Not sure where you stand?
The Snapshot tells you.

The Readiness Snapshot is free. It places your organization on Rote's compliance maturity matrix and recommends the right engagement for your situation, within one week. If you already know which service you need, reach out directly.