This is the question I get asked more than any other, and it's the right one to ask. An assessment that just hands you a score and disappears isn't governance: it's a diagnosis with no treatment plan. What happens next depends on two things: where you land on the Verification Maturity Model, and which specific gaps the assessment actually surfaced. Both determine the pathway, not just the first one.
The assessment is Stage 1 of a five-stage engagement, not a standalone deliverable. Each stage has a different objective, a different cast of people involved, and a different definition of "done."
Stage 1: Readiness Assessment. A full gap and compliance analysis against the frameworks that actually apply to your organisation, not a generic checklist. This is where you get placed on the Verification Maturity Model (Ad Hoc, Structured Oversight, Systematic Verification, or Trust Factory), and where the specific named gaps get identified.
Stage 2: Embedded Planning. The gaps from Stage 1 become an actual design: policies, SOPs, and governance architecture built for your operating context, not off-the-shelf templates that need to be reverse-engineered to fit.
Stage 3: Champion Network. This is the answer to "what does the ecosystem look like." Internal AI and ESG leads get trained per department, so governance doesn't depend on one person remembering the rules, and where specialist depth is needed beyond generalist governance work, I draw on a two-decade network of associates: regulatory specialists, data engineers, sector-specific compliance experts. You're not getting one advisor. You're getting the parts of a team assembled for exactly what your gaps require.
Stage 4: Data & Culture. Systems, templates, and the internal engagement that makes governance survive contact with a normal Tuesday, not just the launch meeting. This is where most external consultants have already left, and where most governance programmes quietly die.
Stage 5: Independent Leadership. The organisation owns the governance system outright. I step back. This is the actual target: not a retainer that never ends, but a client who no longer structurally needs me for this specific capability.
The assessment doesn't just produce a maturity score: it names specific gaps, and different gaps point to different resources. The named frameworks across the Safe AI SME Series and The Verification Economy aren't background reading. They're the pathway, made specific to what's actually broken.
Most assessments surface more than one gap at once, which usually means more than one resource applies: a firm with shadow AI exposure often has a productivity-paradox problem sitting right behind it, because both are symptoms of adopting tools without designing the boundaries around them. When the gap isn't a specific point failure but the absence of any governance architecture at all, that's not a one-book problem: it's the full Operating Model from The Verification Economy, and the reason Stage 2 (Embedded Planning) exists as its own stage rather than a follow-up email.
The assessment tells you where you stand. The pathway (which stage, which resource, which people) is what actually closes the gap. That's the part that doesn't fit in a scorecard, and it's the part I stay embedded for.