We turn governance frameworks into working systems, bringing regulated-sector rigour to any organisation that takes technology strategy, security, and risk seriously.
Fractional and interim engagements for organisations that need senior technology and governance capability without a permanent hire. Our background is regulated financial services — we bring that standard of rigour wherever we work.
You're starting from scratch, working towards ISO 27001 readiness, maintaining a live ISMS, or building a trust centre for customer-facing compliance, and you don't have the internal expertise to run it.
Shadow AI is a risk most organisations underestimate until it becomes a problem. The exposure from unmanaged AI tool use is greater than many businesses realise — and it's growing.
You have limited visibility beyond your immediate suppliers, no clear process for managing questionnaires at scale, and no reliable way to demonstrate vendor compliance when a regulator, investor, or client asks.
A breach, a serious outage, or a supplier failure has made clear that your governance wasn't where it needed to be. The time to build resilience is before the next one, not after it.
Cyber risk, AI exposure, supplier dependency — these are board-level conversations now. If your organisation doesn't have a credible answer prepared, that's a gap worth closing.
A fractional or interim engagement gives you the expertise when you need it — for a specific programme, a regulatory moment, or an ongoing advisory role — without the overhead of a full-time appointment.
Wolf Rock Tech provides fractional and interim technology governance to organisations that want senior capability without a permanent hire. We work across technology strategy, information security, AI governance, and supplier risk, operating as an embedded part of your team rather than external consultants reviewing from a distance.
Our approach is practical and evidence-led. We build governance frameworks designed to be used, not displayed: policies people can follow, controls that fit the way the business actually works, and assurance processes that hold up under scrutiny. We know what governance looks like when it works, and what it looks like when it just looks like it works.
Our experience spans regulated financial services, aviation, gaming, and defence, including senior technology leadership in environments where governance is not optional. Deep technical and engineering foundations underpin everything we deliver — rigorous thinking applied to practical problems.
We operate as a principal-led practice. Garry Leacock leads every engagement directly; larger programmes draw on a trusted network of specialist associates where additional capacity is required.
Engagements are structured to fit the organisation. Fractional work typically runs 2–4 days per month on a retained basis; defined programmes are scoped and fixed. We'll propose a structure after an initial conversation.
A regulated financial services business needed to build its information security programme from the ground up. With no prior InfoSec function in place, the organisation needed a structured path to ISO 27001:2022 readiness covering the full business: its M365 and MS Azure estate, physical sites, people, and an extensive supplier base.
We designed and delivered the programme across all four ISO 27001 control domains: organisational, people, physical, and technical. Where processes already existed, we documented and evidenced them; ISO 27001 is about saying what you do in policy, doing what you say through controls, and proving it with evidence. Where gaps existed, we introduced practical controls, including a full policy suite prepared for public-facing publication in a trust centre, and physical controls such as electronic visitor logging.
The programme was delivered over 18 months alongside normal business operations, without a dedicated internal team or business disruption. At completion, all core policies had been drafted and were moving through attestation, and the substantial majority of audit evidence was in place: a full readiness position achieved without pausing the business to get there.
The trigger was familiar: staff were experimenting with AI tools, the business wanted to innovate, and nobody had a clear picture of what was being used or how. Shadow AI represented a real risk, covering data handling, confidentiality, and regulatory exposure, and the organisation needed a framework that enabled responsible adoption rather than simply banning tools that people would use anyway.
We built a governance programme covering both internal AI tool use and AI in the product. On the internal side, this meant a safe usage policy covering tools including ChatGPT, Claude, M365 Copilot, and workflow automation platforms, an approved AI tools register, sensitive data handling guardrails, and secure configuration standards. We also conducted security reviews of Model Context Protocol (MCP) server implementations, emerging infrastructure at the time with no established industry standard, producing guidance where none yet existed.
On the product side, we led thorough due diligence on a customer-facing AI chatbot solution, assessing it across risk, data handling, model behaviour, and InfoSec governance requirements before sign-off.
The programme was built around a formal governance architecture: a charter, operating model, and roadmap, aligned to ISO 42001 and informed by emerging regulatory guidance on AI in financial services. The approved tools were rolled out at organisational level with guardrails embedded and a governance structure in place to manage new tools as the landscape continues to evolve.
The programme was delivered over 18 months, from initial experimentation to full adoption, at a point when most organisations were still debating whether to have an AI policy at all.
The starting point was vendor sprawl with no formal management process in place. Vendors had been onboarded at pace as the business grew, with no consistent due diligence, no visibility of supply chain risk beyond the immediate supplier relationship, and regulatory pressure making the status quo untenable.
We built a third-party risk programme from scratch, starting with a tiering framework that categorised all vendors as Critical, High, Medium, or Low risk. Critical vendors, those on which business-as-usual (BAU) continuity depends, received the highest level of scrutiny, with active relationship management, redundancy planning, and disaster recovery testing in place for the most essential relationships.
To manage the programme at scale, we implemented a specialist TPRM platform providing a single pane of glass across the entire vendor base. The platform uses a shared questionnaire model, where vendors complete a single assessment visible to multiple customers, which significantly reduces completion friction and applies peer pressure to vendors who might otherwise deprioritise the process. It also provided supply chain visibility beyond the immediate vendor relationship, extending to fourth-, fifth-, sixth-, and seventh-tier suppliers, an increasingly important requirement in a complex technology ecosystem.
The programme was built in alignment with ISO 27001, ensuring third-party risk controls were evidenced as part of the broader InfoSec framework. The main challenges were onboarding a large and growing vendor base at pace and persuading vendors to engage, both addressed through the platform's shared model and a structured onboarding process.
At maturity, all Critical and High-tier vendors had completed assessments with outstanding risks resolved and security scores of 90% or above. The business could demonstrate its supply chain posture at any point, query vendor status in real time, and respond quickly when a public threat or incident required immediate visibility across the supplier base.
Whether you're building a governance function from scratch, preparing for certification, or need senior InfoSec or AI risk capability on a fractional basis, we'd like to hear from you.
We aim to respond within one working day. A short introductory call is usually the best starting point.
Prefer email? info@wolfrocktech.co.uk