Cybersecurity & AI governance advisory · Mid-market SaaS & fintech

Governance you can prove.

Independent advisory for the teams building under the 2026 AI regulatory wall. ISO 42001, ISO 27001, NIST CSF, and fractional CISO engagements — drafted, verified, and signed by a credentialed practitioner.

A note on the name
as·say
/ə-ˈsā/ · verb · transitive

1. To determine the content, purity, or composition of a thing by systematic test.

2. To evaluate rigorously; to judge what something actually is.

An assay is how you tell real from counterfeit. That's the work. Most AI governance on the market generates evidence; an assay verifies it. Most vendor compliance paperwork claims coverage; an assay tests it. This firm is built around the distinction.

Four ways I work with growth-stage teams.

01 / ISO
ISO/IEC 42001
AI Management System readiness assessments, full implementations, and certification support. For teams facing EU AI Act obligations, board-level AI governance mandates, or customer-driven certification pressure. Typical engagement runs 8–14 weeks from kickoff to certification-ready posture.
02 / ISO
ISO/IEC 27001
Information Security Management System design, certification preparation, and integration with existing SOC 2 programs. Includes mapping and integration work for teams extending ISO 27001 coverage to AI systems under 42001.
03 / NIST
NIST Cybersecurity Framework
Gap assessments against CSF 2.0 Functions and Categories, maturity scoring, and prioritized roadmaps. Common entry point for U.S. teams preparing for federal sales, regulated customer reviews, or first-time security program builds.
04 / Advisory
Fractional CISO
Retained advisory engagements for companies that need CISO-level judgment without the full-time role. Typical commitment: 8–12 hours per week, direct access to leadership, board-deck participation, and ongoing program stewardship.

The distinction lives in the deliverables.

I
Drafted and signed by a principal.
Every artifact carries a credentialed name on it. Not a logo. Not a template. Advisory work is done by someone whose professional reputation is on the page — and who will defend it under audit.
II
Citations on every factual claim.
Regulatory references, framework clauses, industry benchmarks — all cited inline to primary source. Unverifiable claims are flagged as such. Fluency is not a substitute for accuracy.
III
Evidence is tested, not fabricated.
Observed state gets documented. Absent state is reported honestly. No synthesized policy language standing in for actual controls. The artifact matches the operational reality — or it doesn't ship.
John Porter

Founder · Assay Cyber

Twenty years building and certifying security and AI governance programs across Big Tech, Big 4 consulting, federal programs, and combat communications — AWS Security Assurance, PwC Public Sector, CACI, Mercedes-Benz R&D, NVIDIA, Uber. The work has run from hands-on control implementation to executive security strategy, and every phase of the ISO 27001 lifecycle from first gap analysis to surveillance audits.

Assay Cyber exists to do that work for the next generation of regulated companies — and to do it the way it should be done. Verified. Cited. Signed.

U.S. Army veteran. Virginia-based.

Active Credentials
CISSP · CISA · ISO/IEC 42001 Lead Implementer · ISO/IEC 27001 Lead Auditor · AWS Security Specialty · AWS ML Engineer — Associate · GIAC GSLC · GIAC GSOM · PMP · Former TS/SCI

A short conversation is usually enough to tell.

hello@assaycyber.com
Thirty minutes. No pitch, no deck. A working session on what the EU AI Act actually requires for your use case, where the real exposure sits, and what's worth doing before the August 2026 deadline.
Or find me on LinkedIn.