| A1 | DPIA (standard) One DPIA on a well-bounded processing activity, single-system, with existing data-flow documentation. | 5 days | ↑ GDPR Technical Compliance Sprint |
| A2 | DPIA (complex) One DPIA on cross-system, multi-vendor, special-category, or novel ML/AI processing - including supervisory-authority consultation prep. | 8–10 days | ↑ GDPR Technical Compliance Sprint |
| A3 | DPIA Bundle (×3) Three DPIAs across distinct processing activities, sequenced and cross-referenced. | 12–15 days | ↑ GDPR Technical Compliance Sprint |
| A4 | ROPA Build Article 30-compliant Record of Processing Activities for a single business unit or product line, structured for ongoing maintenance. | 5 days | ↑ GDPR Technical Compliance Sprint |
| A5 | Vendor DPA Review Sub-processor inventory + DPA gap-list + Standard Contractual Clauses status + transfer-impact assessment scoping. | 4 days | ↑ GDPR Technical Compliance Sprint |
| A6 | Breach Response Runbook 72-hour notification clock, decision tree, supervisory-authority drafting templates, internal communication plan, one tabletop exercise. | 4 days | ↑ GDPR Technical Compliance Sprint |
| A7 | Postmortem Facilitation Independent facilitator for a high-stakes incident postmortem; structured write-up; remediation register with owners. | 2 days | ↑ Engineering Health Check / Performance & Goals |
| A8 | Single Senior Interview Round One senior-round technical interview (panel participation + structured write-up + calibration debrief). | 0.5 days | ↑ Senior Engineering Hire Sprint |
| A9 | Vendor Selection (single decision) One vendor decision (observability / IAM / CDP / search / data warehouse / similar) - weighted matrix, TCO math, recommendation memo. | 3 days | ↑ Foundation Sprint / Tech Audit |
| A10 | Customer Compliance Questionnaire Response One enterprise security / DPA / vendor-risk questionnaire drafted, reviewed, returned with the supporting evidence pack. | 2 days | ↑ Compliance & DD Readiness Sprint |
| A11 | On-Call Health Check Audit on-call rota, paging discipline, incident-response posture, runbook coverage; prioritised remediation list. | 3 days | ↑ Engineering Health Check / Performance & Goals |
| A12 | LLM Vendor / Routing Decision One decision: OpenAI vs Anthropic vs open-source vs gateway routing - cost / latency analysis, recommendation, eval-gate plan; informed by WARRANT-Standard authorisation principles where agent behaviour is in scope. | 3 days | ↑ AI Integration Strategy Sprint |
| A13 | Data-Room Tech Section Audit Review of the tech section of a data room before opening to buyers - gap list, narrative coherence, risk pre-flagging. | 3 days | ↑ Acquisition Tech DD Sprint |
| A14 | ADR Facilitation One Architectural Decision Record-shaped engagement - option framing, weighted trade-off, design-review session, signed ADR artefact. | 3 days | ↑ Foundation Sprint |
| A15 | Vendor Portfolio Cost Review Review of the existing vendor / SaaS portfolio for overspend, overlap, renewal traps, and consolidation opportunities - quantified rationalisation plan with renewal-window calendar. | 4 days | ↑ Tech Audit / Engineering Health Check |
| A16 | Annual Tech Budget Advisory Pre-fiscal-year working session with CFO + CTO - tech budget model, headcount-vs-SaaS trade-offs, quarterly allocation, board-ready financial narrative and Q&A pack. | 5 days | ↑ Fractional CIO |
| A17 | Cloud Cost Architecture Review Architecture-led review of cloud spend - right-sizing, scaling patterns, environment hygiene, architectural inefficiencies driving cost. Not a line-item FinOps audit. | 3 days | ↑ Tech Audit / Engineering Health Check |
| A18 | SBOM & License Audit Software Bill of Materials across the codebase, open-source license inventory, copyleft/viral flagging, license-compatibility matrix, remediation list, regulatory-readiness note (EU CRA, enterprise procurement, M&A buyer-side legal). | 4 days | ↑ Acquisition Tech DD / Tech Audit |
| A19 | MCP Server Scaffold Bootstrap one MCP server for a single existing API or data source. Tool definitions with input schemas, /.well-known/mcp.json manifest, robots.txt allowance, Claude Desktop and Cursor smoke-test. Hand-over package: code + deployment notes + observable behaviour. | 5 days | ↑ MCP Server Implementation sprint |
| A20 | x402 Integration Pilot Wire one endpoint to x402 on Base Sepolia. Test wallet, facilitator setup, server-side 402 response with payment requirements, verify-and-settle flow, receipt header echoed back, tested 402-pay-retry end-to-end. Foundation for the full Agentic Payments sprint when scope grows. | 4 days | ↑ Agentic Payments sprint |
| A21 | Agentic Modernization Pilot Stand up the governed agent pipeline on one bounded legacy service. Dependency map, containerization (Docker), an agent-opened pull request under branch protection and a human merge gate, characterization smoke-test, and a structured audit trail of agent actions. Proof-of-concept for the full Agentic DevOps sprint. | 5 days | ↑ Agentic DevOps sprint |
| A22 | MCP Supply Chain Audit Inventory of every MCP server the company runs or consumes - first-party, third-party, registry-pulled. Per-server supply-chain audit: origin and publisher provenance, permissions surface, tool-call signing and message gating, secret-handling posture, kill-switch and revocation path. Findings mapped to OWASP MCP Top 10 and the current MCP-ecosystem CVE disclosure landscape. Deliverable: prioritised remediation memo with severity, owner, and fix-window. | 5 days | ↑ Agent & MCP Governance Sprint or MCP Server Implementation sprint |
| A23 | Shadow Agent & Shadow AI Inventory Telemetry-backed discovery of agents and AI tools the company never centrally procured. Inputs: egress / DNS logs, SSO / IdP logs, repo SDK and dependency scans, expense-report keyword sweep, browser-extension audit. Output: a single inventory document - tool name, business unit using it, data classes touched, contract / DPA status, authorization posture, and a triaged risk register flagged against EU AI Act prohibited / high-risk categories and GDPR Article 28 / 30 obligations. | 5 days | ↑ EU AI Act Triage Sprint or GDPR Technical Compliance Sprint |
| A24 | Pre-Pitch Technical Credibility Pack (Agency) Agency-side mini for £200-600k pitches where the architecture narrative has to survive hostile AI and regulatory questioning in the room. Three-day artefact: architecture-and-approach one-pager, AI / agentic posture statement (WARRANT-aligned), regulatory pre-flight (GDPR / EU AI Act exposure call-outs), three anticipated hostile-question rehearsals with answers, optional named co-sign for the proposal. Scoping-call escape hatch if the pitch story doesn't hold. | 3 days | ↑ Pitch Support Sprint |
| A25 | AI Acquisition Verification Memo Buyer-side AI-washing detector for PE / VC tech DD when AI capability is material to the valuation thesis. Model inventory (proprietary vs wrapped third-party APIs), training-data lineage and licensing posture, reproducibility audit on the claimed model artefacts, and an eval-pipeline existence check. Output: signed memo with a go / no-go recommendation on the AI premium in the valuation, plus the three follow-on questions for the next IC meeting. Pairs with Sprint 13 - EU AI Act Triage when the target is EU-HQ. | 5 days | ↑ Acquisition Tech Due Diligence Sprint |
| A26 | Article 17 + Accountability Readiness EU AI Act Article 17 quality management system framework readiness for one high-risk AI system (provider or deployer). QMS documentation outline mapped to Article 17(1)(a)-(m) sub-clauses, accountability ownership map across product / engineering / legal / risk, NIST AI RMF Govern + Map function cross-walk, and a gap register with prioritized remediation. Not a 'named AI officer' deliverable - that is best-practice scaffolding, not the statute itself. | 6 days | ↑ EU AI Act Triage Sprint or Compliance & DD Readiness Sprint |
| A27 | GDPR Deletion-Readiness Register Article 17 right-to-erasure readiness for AI / ML estates. Inventory of every place personal data lands - operational stores, warehouses, embeddings, vector indexes, fine-tuning corpora, model checkpoints, prompt logs, eval sets, backups. Per-surface deletion mechanism (hard delete, tombstone, re-embed, re-train trigger, retention expiry) with owner and SLA. Gap register flagging surfaces where deletion is technically impossible today. | 5 days | ↑ GDPR Technical Compliance Sprint |
| A28 | DSAR-Against-LLM-Stack Article 15-22 readiness audit when embeddings, vector stores, fine-tunes, or RAG corpora are in scope - the layer where personal data leaves the relational world. Inventory of where data-subject personal data has landed; access, rectification, erasure, and portability paths per surface; controller / processor split across model and infra vendors; supervisory-authority defensibility note. Technical-readiness memo + DSAR-handling runbook for the LLM / vector layer. | 5 days | ↑ GDPR Technical Compliance Sprint or AI Integration Strategy Sprint |
| A29 | Agent-Generated Code AppSec Gate Design Design-only mini for the platform / AppSec team at a company where agent-generated code already merges to main. Signed gate specification, OWASP-Top-10-for-AI-output coverage matrix mapped to the existing pipeline, IaC permission-scope linting policy, and an eval-gate hookup design wired against the agent pipeline's PR stage. WARRANT-Standard-aligned authorization boundary. We design it; your platform team installs it. | 4 days | ↑ Agent & MCP Governance Sprint or Agentic DevOps Sprint |
| A30 | Agent Incident Tabletop & Runbook Tabletop exercise plus incident-response runbook for agentic-AI failures on production data: paging tree for agent-driven incidents, decision tree for pause / revoke / rollback of agent authority, communication templates, one facilitated tabletop, and a written runbook the on-call rota can actually execute at 03:00. WARRANT-Standard authorisation principles frame the revoke / contain decisions. €3,500 as a Sprint 14 follow-on; €4,500 standalone. | 4 days | ↑ Agent & MCP Governance Sprint or Fractional Chief AI Officer |
| A31 | Senior Hire 90-Day Board Readout Independent honest-reset on a new VP Eng / CTO at the 90-day mark, commissioned by the chair, lead investor, or PE operating partner - not the hiring CEO. Structured interviews with the new hire, direct reports, two peer executives, and the CEO; review of the first 90 days of artefacts (roadmap, hiring plan, architecture calls, on-call posture); written readout covering trajectory signal, three things going right, three things at risk, and the specific board-level decisions needed in the next 90 days. | 6 days | ↑ Tech Board Member / NED continuing engagement |