Advisory engagement

The ArcaKey Defensibility Audit

An independent, founder-signed assessment of your AI exposure under Title 21. Delivered in 30 days. Reviewed by a credentialed external expert before delivery. Backed by our regulator-acceptance commitment.

Applications opening soon — the first cohort begins May 2026. To register interest in advance, write to randall@arcakey.ai.


Why now

Regulatory affairs work runs on AI now. Protocol amendments are drafted with general-purpose models. IND chemistry sections get pasted into ChatGPT. FDA correspondence is reviewed against guidance documents an LLM has never been trained on.

None of this is reckless — it is how the work gets done in 2026 — but very little of it is documented in a way that holds up under FDA scrutiny, audit committee review, or a sponsor's due diligence.

If your firm bills regulated work and uses AI in any part of the submission pipeline, three questions are now asked of you regularly:

  • Can you produce a written defensibility statement for the AI components of your workflow?
  • Can you cite the exact post-quantum, encryption-at-use, and audit-chain standards your AI stack meets?
  • Can you show a regulator a reviewed methodology when they ask?

Most firms cannot. The ArcaKey Defensibility Audit is the answer.


What you receive

A 16–22 page written memo, founder-signed, independently reviewed before delivery. Suitable for inclusion in your AI governance file, your sponsor due-diligence packet, your internal compliance archive, or a regulatory submission appendix.

Executive Summary
Written for your board or client, not for technologists.
Scope and Methodology
The named regulatory frameworks and technical standards used (Title 21 Subparts B, C, D, E; ICH-GCP; NIST FIPS 203 ML-KEM; FIPS 204 ML-DSA; NIST SP 800-204D; NIST AI RMF).
Current State Assessment
The AI systems and data flows in your current submission pipeline, mapped.
Cryptographic Posture Analysis
Encryption at rest, in transit, and in use; key management; audit-log integrity.
Regulatory Mapping
Your obligations under Title 21 vs. your current state.
Gap Analysis
Named gaps with severity ranking (Critical, High, Moderate, Observational).
Remediation Roadmap
Prioritized, with effort estimates.
Vendor Comparison Matrix
Including ArcaKey, with explicit disclosure (see Objectivity below).
Independent Reviewer Statement
Signed by the named external expert.
Appendices
Cite-checked references, NIST and FDA citations, methodology bibliography.

How it works

A 30-day engagement, fixed scope, fixed fee.

  1. Day 0

    Application and acceptance

    You apply via the form (or by email during the pre-launch window). We respond within 5 business days with acceptance and a Statement of Work.

  2. Day 1–3

    Kickoff

    90-minute working session. We scope the audit to your single regulatory framework and identify the workflows in scope.

  3. Day 4–14

    Data review

    We review your AI tooling inventory, sample workflow outputs, current vendor agreements, and data-flow documentation under NDA.

  4. Day 15–22

    Cryptographic and regulatory analysis

    We map your current state against the named technical and regulatory standards.

  5. Day 23–28

    Drafting and independent review

    We draft the memo. Your external reviewer reviews methodology and findings before delivery.

  6. Day 29–30

    Delivery and closeout

    60-minute closeout call. Final memo delivered, signed by founder and reviewer. You keep the memo permanently regardless of any future relationship with ArcaKey.


Methodology

Our audit methodology is published. We use the following named external standards as the basis for every assessment:

FDA 21 CFR
Part 312 (IND), Part 314 (NDA), Part 11 (Electronic records / signatures).
ICH E6(R3)
Good Clinical Practice.
FDA 2024 guidance
Considerations for the Use of Artificial Intelligence to Support Regulatory Decision-Making for Drug and Biological Products.
NIST FIPS 203
ML-KEM-768 — post-quantum key encapsulation.
NIST FIPS 204
ML-DSA — post-quantum digital signature.
NIST SP 800-204D
Strategies for the integration of software supply chain security.
NIST AI RMF 1.0
AI Risk Management Framework, and the Generative AI Profile (NIST AI 600-1).
HIPAA
Privacy and Security Rules where applicable.

We do not invent proprietary scoring rubrics. We map your current state against the named external standards above and report what we find.


Independent reviewer

Every audit is independently reviewed by a credentialed external expert before delivery. Reviewers are credentialed in either post-quantum cryptography or regulatory law and are paid by ArcaKey out of the audit fee. Reviewers hold no equity in ArcaKey, have no advisory role beyond the review, and have full authority to require revisions before signing.

Your reviewer is named on your Statement of Work before the engagement begins. You may decline a specific reviewer and request an alternative.


Objectivity disclosure

ArcaKey AI sells an encrypted private-AI workspace as a commercial product. The Vendor Comparison Matrix in your audit memo may include ArcaKey alongside other vendors. The audit findings are not engineered to recommend ArcaKey — we are prepared to deliver memos where the recommendation is “your current setup is adequate; no vendor change required.” You may publish your memo at your discretion. We may publish anonymized excerpts only with your written permission.


Three commitments

  1. Scope commitment

    We define scope in writing before kickoff. If we discover during the engagement that scope is wrong, we expand at no charge or refund proportionally.

  2. Independent-review commitment

    Every audit is reviewed by a credentialed external expert before delivery. If their review identifies methodology errors, those are corrected at no charge.

  3. Regulator-acceptance commitment

    If you submit your audit memo to FDA, SEC, HHS OCR, FINRA, or the Office of the Privacy Commissioner of Canada as part of your AI governance documentation, and the regulator finds the memo insufficient, we will revise it at no charge until they accept it. Full terms in your Statement of Work.


Pricing

Three tiers. Flat fees. No negotiation.

Single-Workflow
$9,500 USD

Solo or 2–5 person consulting practices; one regulatory framework; one workflow.

Memo
16–18 page memo
Engagement
30 days
Payment
50% on signing, 50% on delivery

Multi-Workflow
$14,500 USD

Small biotechs, boutique firms, or RIAs auditing 2–4 workflows in one regulatory framework.

Memo
20–22 page memo
Engagement
30 days
Payment
50% on signing, 50% on delivery

Enterprise
Custom

Multi-entity, multi-framework, or cross-jurisdictional audits.

Memo
Quoted
Engagement
45–60 days
Payment
50% on signing / 25% on draft / 25% on delivery

What is not included

  • Implementation work. The audit produces a memo and a roadmap. We do not build, integrate, or operate replacement systems as part of the engagement.
  • Legal advice. The audit is technical and regulatory in nature; it is not legal counsel. Where a finding requires legal interpretation, we cite it as such and recommend you engage counsel.
  • Ongoing monitoring. The audit is a snapshot at the date of delivery. Annual re-audits are available at the same fee.

About ArcaKey

ArcaKey AI builds the encrypted private-AI workspace for regulated professional work — Title 21 cite-checking for biotech submissions, Bill 25 contract review for Quebec law, Reg S-P-aligned advisory work, PHIPA-aware healthcare summarization. Anthropic and OpenAI Zero Data Retention contracts active since April 2026. Operator-blind by design. Founded by Randall Ausenhus, who builds the platform, signs every audit, and answers the phone.


Apply

The first cohort opens May 2026. Application takes 8–10 minutes once the form is live. While the form is being finalized, you can register interest by email and we will reply within 5 business days with the Statement of Work and reviewer information.

Email randall@arcakey.ai

Confidential by default. Mutual NDA available before application.

The ArcaKey Defensibility Audit is a written technical and regulatory assessment. It is not legal counsel and does not constitute a legal opinion or a regulatory submission. ArcaKey AI is not a law firm and does not practice law. Where a finding requires legal interpretation, the audit memo will explicitly recommend that the customer engage independent legal counsel. The Regulator-Acceptance Commitment covers revision of the Memo at no additional fee in the event a regulator finds the Memo insufficient as documentation; it does not warrant any specific regulatory outcome.
