Build Your
AI Operating System
Once different teams have bought their own copilots and model accounts, cost and access become hard to control. We build the shared layer underneath them so IT can govern identity, data, tools and usage without stopping useful work.
5 layers
ONE PLATFORM, NOT FORTY TOOLS
42001-mapped
EU AI ACT & ISO/IEC 42001 EVIDENCE
Logged
AI CALLS ATTRIBUTED AND COSTED
Forty AI subscriptions are hard to govern
Sales has ChatGPT. Marketing has Claude. Ops has a Zapier with a Gemini node in it. Engineering uses Cursor. Finance is pasting data into a tool nobody has audited.
Karpathy's LLM OS framing is useful. The mistake we keep seeing is buying AI one tool per problem, signed off by whoever asked first, with nothing underneath holding it together.
For our purposes, an AI operating system is the layer under all of it: identity, memory, models, tools, guardrails.
TODAY'S AI ESTATE
- Forty subscriptions, no single owner
- Company data pasted into chat windows
- Each team's prompts trapped in their tool
- No clear audit trail when a regulator asks
- Costs visible only on the credit card bill
AI ON A PLATFORM
- One platform, one owner, one bill
- Knowledge in one place AI can read
- Prompts and workflows reusable across teams
- Every call logged, attributable, replayable
- Cost and quality watched per team, per task
The layers underneath your AI tools
"Operating system" here means the shared layer underneath the apps. Once you can see the layers, the buying decisions stop being a guess.
Identity & access
Who's allowed to use which model on which data. SSO, role-based access, per-team budgets. A clean place for audit to start.
Memory
A company brain. Documents, tickets, Raq.com, transcripts, product data. Stored once, indexed once, retrieved by every AI workflow that needs it.
Models
A router in front of OpenAI, Anthropic, Google and an open model or two. Pick the cheapest one that's good enough per task. Swap providers without rewriting the app.
Tools
The things AI is allowed to do. Send the email, raise the invoice, refund the customer, write to the database. Each one defined, scoped and tested before the AI can reach it.
Guardrails
Evals, safety filters, human review on high-stakes calls, and an audit log you can hand to a regulator.
What the leadership team gets
The engagement combines operating decisions with the engineering needed for the first shared layer.
The first phase establishes the inventory, identity model, provider controls and one working integration. Further workflows move only after technology and data owners approve the pattern.
BOOK AN ADVISORY CALLAI estate audit
Every AI tool the company is using, who pays for it, what data it touches and what it is allowed to do. The first phase produces the agreed inventory, owners and risk categories.
Write the policy
What data can leave the company, which models are approved, which tasks need a human in the loop, who owns the bill. Short enough for the board to read, specific enough for engineering to enforce. Mapped to ISO/IEC 42001 and the EU AI Act so evidence is built as you go.
Build the platform
Identity, knowledge, model routing, tools and audit records are built into the existing stack with documentation and access for the internal technology team.
Move the workflows
One function at a time. Often sales, then support, then ops. Each workflow comes off its rogue subscription and onto the platform. The target is a single line item instead of credit-card chaos.
Hand it over
Runbook, training, on-call rota, evals that run on every release. We stay on a retainer if you want us, or we leave you the keys. Either way, your team owns the thing it depends on.
What regulators expect
If you wait until your insurer or your biggest customer asks for evidence, you'll be doing this work under a deadline.
The timetable moved, but the work remains.
EU AI Act obligations are being phased in. The AI Act Service Desk lists general-purpose AI model obligations from 2 August 2025 and Article 50 transparency rules from 2 August 2026. The Commission's 7 May 2026 AI omnibus agreement puts Annex III high-risk systems on 2 December 2027 and product-embedded high-risk systems on 2 August 2028.
A management system you can certify.
ISO/IEC 42001:2023 is the world's first AI management system standard. Certification bodies including BSI, DNV, TÜV SÜD and SGS publish certification services for it. A platform gives the evidence somewhere to live: roles, risk register, model approvals, evals and audit logs.
Accountability sits with the board.
The ICO's AI audit framework is aimed at senior management and compliance roles. It asks for completed DPIAs to be shared with senior management and signed off. SI 2026/425 came into force on 12 May 2026 and requires the Information Commissioner to prepare a code of practice on AI and automated decision-making.
Sources checked: European Commission AI Act timeline and 7 May 2026 AI omnibus release; ISO/IEC 42001:2023; BSI, DNV, TÜV SÜD and SGS certification pages; ICO AI audit framework; SI 2026/425.
Raq.com is the operating system behind our own AI work
It brings accounts, agents, business knowledge, tools, permissions and records into one environment. We use it for real work across our own companies, so the operating model is tested rather than theoretical.
When this is worth discussing
We work best when there is a real operating problem, enough volume to measure and people from the affected teams who can make decisions.
Usually a good fit
- An established UK business, usually with annual revenue above £10m
- A repeated process with a known cost, delay, error rate or capacity problem
- A senior sponsor and a day-to-day owner who understand the work
- Access to the relevant staff, systems, sample records and security requirements
We may point you elsewhere
- A standard product already covers the process well
- The requirement is a one-off small build with no wider operating case
- There is no owner or access to the people and data needed to test the result
- The plan relies on AI making high-impact decisions with nobody responsible for review
Questions before committing
Isn't this just buying ChatGPT Enterprise?
No. ChatGPT Enterprise gives you a governed chat workspace. This work covers the layer between your data and any model you choose to use. Buying one vendor's chat product solves one layer and leaves the other four on that vendor's roadmap.
We're too small for this, surely.
If you've already got AI in more than one team, you're not. You probably don't need a platform for ten users. You probably do for fifty, especially if any of them are touching customer data or finances. The earlier you do it, the less you'll have to unpick later.
Do we have to rip out everything our teams already use?
No. The platform sits underneath them. In the audit, we separate the tools that can route through your identity, memory and logging layers from the ones that need replacing.
Which models do you put behind the router?
Whichever ones earn their keep on your tasks. Usually a frontier model from Anthropic or OpenAI for reasoning, a fast cheap one from Google or OpenAI for high-volume work, and an open model on your own infrastructure for anything that can't leave the building. We retest the mix because pricing and quality keep moving.
How does this help with ISO 42001 or the AI Act?
The usual evidence set, including an audit log, a risk register, defined roles, evals and human oversight on high-stakes uses, becomes a property of the platform rather than a separate compliance project.
Who owns the code?
You do. We build it in your cloud and repositories, with your engineers involved, so the business doesn't depend on a platform it cannot control. We can host and operate it if you'd rather we did, but there's no lock-in.
What does it cost?
Audit and policy work is fixed price. Building the first version of the platform is priced per phase and quoted before we start. The usual savings are cancelled subscriptions, fewer rebuilds, and less compliance work done by hand.
Talk to us about the AI tools you already use
Send us the current list of AI tools, providers and systems they can reach. We will identify the first control layer worth standardising and the decisions your technology team needs to make before a build starts.