Countdown / TRAIGA AG complaint portal opens / Sept 1, 2026 / — days remain / Get TRAIGA-ready
5-Day Readiness Assessment

Know where you stand — before September 1.

The Texas AG complaint portal opens September 1, 2026. EU AI Act Annex III obligations activate August 2, 2026. Five working days, written output, honest recommendation about what to build first.

$5,000 · 5 working days · Fixed scope · Written report + executive debrief
/01 What the assessment answers

Three questions you'll have answers to.

By the end of week one, you have a written report mapping these three answers to your specific environment.

Q01

Where is AI in our workflows?

Most organizations cannot produce a complete inventory. Shadow LLM usage is more universal than leaders think. We turn structured discovery into a first-pass inventory that reflects reality, not hope.

Q02

What documentation would actually pass?

TRAIGA Sec. 552.105 substantial-compliance defense. EU AI Act Annex IV technical files. NIST AI RMF profiles. ISO 42001 Annex A controls. We assess each against your current state and quantify what's missing.

Q03

What is your exposure if disclosure happened tomorrow?

Exposure is not uniform. We map your specific regulatory surface — TRAIGA, EU AI Act, Title VII, ECOA, ADA, Section 1557, NIST AI RMF, ISO 42001 — and translate to concrete penalty ranges and evidence requirements.

/02 What you walk away with

Three written artifacts.

Not a slide deck. Not a Notion dashboard. Documents you can hand to your board, your regulator, or your defense counsel.

D01 / Gap Report

One-page executive gap report.

Current state mapped against the four frameworks that apply to you, with a color-coded readiness score per pillar and per regime.

~1 page · PDF · Color-coded
D02 / Tier Recommendation

Recommended engagement tier.

Tier 1 (Texas Ready), Tier 2 (Cross-Border Binder), or Tier 3 (Governance-as-a-Service) — with rationale specific to your environment.

Tier 1 · Tier 2 · Tier 3
D03 / Fix List

Prioritized fix list.

Ordered by risk exposure and time-to-remediate. Broken into "must have before September 1" and "next quarter" categories so the punch list is operational, not aspirational.

Must-have / Next-quarter
/03 The week, day by day

Five days. Day-by-day structure.

Fixed scope, fixed schedule, written output. From kickoff Monday morning to defensibility statement on Friday.

Day 01 / Kickoff
01

Kickoff call (60 min).

Monday · Executive sponsor + functional owners

We meet with your executive sponsor and functional owners — IT, legal, HR, operations, compliance — walk you through the framework, and collect initial inputs. Standard NDA signed before any data moves.

  • Executive sponsor + functional owner interviews
  • Standard mutual NDA before any data moves
  • Initial scope + timeline confirmed in writing
See the full framework 
Day 02–04 / Analysis
02–04

Structured analysis.

Tue–Thu · 3–5 functional-lead interviews

Structured 30-minute interviews with 3–5 functional leads. Review of your current AI policies, DPIAs, vendor questionnaires, and system-of-record entries. Mapping gap results against the four frameworks that apply to you.

  • Structured functional-lead interviews (30 min each)
  • Policy, DPIA, and vendor questionnaire audit
  • Four-framework artifact-state mapping
See the frameworks 
Day 05 / Delivery
05

Delivery + debrief.

Friday · 30-min executive readout

30-minute executive debrief with Matthew Bertram — Q&A on findings, tier recommendation, next-step sequencing. You walk away with a one-page Gap Report, a prioritized fix list, and a defensibility statement suitable for general counsel or board.

  • Color-coded readiness score for all nine DIG® artifacts
  • Must-have-by-September vs. 90-day prioritization
  • Written defensibility statement for counsel / board
Request the assessment 
/04 Who this is for

Operators who need it in writing.

Operators in regulated industries with AI-influenced decision workflows who need to know — in writing — whether their current governance holds up. Priced against the value of a single avoided regulatory exposure.

  • Texas operators facing TRAIGA enforcement on September 1, 2026 — with the AG complaint portal opening that day.
  • Organizations with EU customer base or AI-generated output consumed in the EU, where Article 2(1)(c) applies whether or not you have a European office.
  • Regulated-industry executives in healthcare, financial services, energy, and professional services where simultaneous TRAIGA + federal civil rights exposure compounds.
  • Boards and counsel who need a defensibility statement they can put in front of a regulator, an underwriter, or a plaintiff — not a slide deck.
Matthew Bertram
/ Who runs the readout

Matthew Bertram

President, ModalPoint · CEO, EWR Digital

Twenty-five years in energy commercialization. Author of the DIG® framework. NIST AI Cyber Profile + Zero Trust CoI member. Goldman Sachs 10KSB graduate.

Meet Matt 
/ Ready to start

Request your 5-day assessment.

We respond to every request within one business day. If we're not the right fit, we'll say so. If we are, we'll send a project brief with start dates and a fixed-fee letter.

Request Your Assessment
$5,000 · 5 working days · Fixed scope

/05 Operational questions

Running the 5-day Assessment.

Practical questions from operators preparing for the 5-day Governance Readiness Assessment.

Q01 What information do we need to provide before the 5 days start?
An hour-long scoping call before Day 1 to identify your decision categories, vendor stack, geographic exposure (US-only vs US+EU), and 2–3 stakeholders we'll talk to during the week. Optionally: an export of your AI vendor list (or contracts) and any existing AI policy. We don't need access to systems for the Assessment — only conversations and document review.
Q02 Does the Assessment require IT access to our systems?
No. The Readiness Assessment is a structured-interview engagement, not a technical penetration test. We talk to 4–6 people across leadership, compliance, IT, and line-of-business; we review existing artifacts (policies, contracts, training records); and we map findings against the four DIG™ pillars. IT access is only required if you later choose Tier 1+ to build the binder.
Q03 How do you handle confidentiality during the assessment?
Mutual NDA before the scoping call. All findings stay in your binder — ModalPoint never publishes operator-specific data without explicit written consent. The published Tamboran Resources case is the exception, not the default. Anonymized patterns may inform our market intelligence, but no identifying information leaves the engagement.
Q04 Can we run the Assessment without telling our AI vendors?
Yes — vendors are not party to the Assessment. We map your vendor-AI exposure from your contracts and your team's knowledge, not from vendor questionnaires. If the Assessment surfaces vendor-side gaps that need due diligence (e.g., an existing vendor without an AI risk addendum), the Tier 1 Vendor Due Diligence Kit handles those conversations later — on your timeline.
Q05 What changes after September 1, 2026 that makes this urgent?
September 1 is when the Texas Attorney General's online complaint portal for TRAIGA enforcement goes live. Before that date you can prepare; after that date any deployed AI in Texas becomes a potential Rule 552.105 target unless you can demonstrate substantial NIST AI RMF compliance. The 5-day Assessment tells you which side of that line you're on — in writing — in time to act.

/ Regulatory calendar

Five dates that shape your binder.

The 5-Day Assessment maps your current AI exposure against this calendar. Each date triggers a specific obligation; each row tells you what has to be in writing before it lands.

Apr 7, 2026 NIST opens AI RMF Critical Infrastructure Profile process. Concept note + Community of Interest. Energy is one of 16 critical infrastructure sectors. Federal anchor for "what good looks like." US Federal · NIST
Aug 2, 2026 EU AI Act Annex III high-risk obligations apply. Article 11 technical documentation, Article 12 automated logging, Article 14 human oversight, serious-incident reporting SOP. Reaches any third-country provider whose output is used in the Union. European Union
Sept 1, 2026 Texas AG online complaint portal goes live. TRAIGA enforcement trigger. Sec. 552.105 rebuttable presumption of reasonable care via NIST AI RMF substantial compliance. $10K–$200K per violation + $40K/day continuing. Texas · HB 149
Dec 9, 2026 EU Product Liability Directive applies to AI. AI becomes a "product" under strict liability. No negligence required — just defect and damage. Extra-territorial reach for AI outputs used in the EU market. European Union
Ongoing Title VII / ECOA / FHA / ADA / Sec. 1557. Federal civil rights statutes already attach to AI-driven employment, lending, housing, healthcare, and access on a strict-liability disparate-impact basis. TRAIGA's intent-only language does NOT preempt these. US Federal · Civil Rights
Reviewed by Matthew Bertram, President, ModalPoint · Certified AI Auditor (CAIA). Last reviewed July 2026.

/ Who you're engaging with

A Houston-based AI decision governance practice.

ModalPoint · Houston, TX · Operating in US + EU · Response within one business day · A division of EWR Digital

/ Credentials & affiliations

DIG® USPTO Serial No. 99559923 (application pending) — registered framework
NIST Cyber AI Profile + Zero Trust Communities of Interest
Texas HB 149 / TRAIGA active candidate, Texas AI Council
Goldman 10KSB graduate, April 2026 cohort
TAMU Corps of Cadets alumnus · Eagle Scout
IAPP AIGP candidate, Q3 2026 sit
OTC 26 Moderator, Ericsson AI panel · May 4, NRG Center
Case Tamboran Resources (NYSE/ASX: TBN) · energy proof case
AMA 2026 Crystal Awards Finalist — AI category
© 2026 ModalPoint · A division of EWR Digital · All rights reserved. Contact · EWR Digital · Houston, TX