# sitkastack

> Audit-ready AI for regulated mid-market.

sitkastack builds and documents AI systems that hold up in front of auditors, regulators, and boards. Founded by Robyn Toor in December 2025.

## About

sitkastack is the AI advisory and build practice of Robyn Toor. It works with VPs of Operations, Compliance, Risk, and Technology at regulated mid-market companies where AI has to coexist with real audit and regulatory obligations.

Operates remote-first across North America from British Columbia, Canada. British Columbia sole proprietorship.

## Tagline

Audit-ready AI for regulated mid-market.

## Positioning

The Framework, the implementation patterns, and the consulting practice are all built on the same operator-first principles: AI you can explain, defend, and govern. Not just demo.

## Services

Pricing is set on the intro call once the work is scoped. No fixed list prices.

### E-23 Readiness Sprint

Duration: 4-6 weeks.

After the Sprint, your team can answer OSFI's accountability questions with documented evidence. Complete model inventory, decision surface map, accountability matrix per decision class, and audit-ready evidence artifacts mapped to E-23 principles. Adapts to SOX, SOC 2, NIST AI RMF, EU AI Act, or ISO 42001 readiness. Includes 30 days of post-completion advisory.

### 90-Day AI Build

Duration: 90 days fixed.

One production-grade AI workflow with governance artifacts included by default. Always preceded by E-23 Readiness Sprint or scoping engagement.

### Fractional AI Lead retainer

Duration: 6-month minimum.

Ongoing AI strategy and governance oversight. Available in three tiers based on engagement depth.

### AI Policy & Risk Pack

Duration: 3 weeks.

Complete governance pack mapped to one regulatory framework (NIST AI RMF, EU AI Act, OSFI E-23, NAIC, or SR 11-7). Includes training session for the GRC team.

## The sitkastack Framework

The vendor-risk-triage framework is shipped at v1.0.5, eight phases complete, open source under Apache 2.0. 1,377 tests at 100% coverage across twelve packages.

The open-source framework is a free reference implementation; it is deliberately not turnkey audit defense. Paid sitkastack engagements deliver the calibrated, client-specific, audit-ready version.

Eight shipped phases:

- Phase 0: Discovery & Risk Classification
- Phase 1: Data Contracts & Privacy
- Phase 2: Architecture & Threat Model
- Phase 3: Agent + RAG + Ingestion + Eval
- Phase 4: Eval Depth + Retrieval Quality
- Phase 5: Operational Hardening
- Phase 6: Production Polish
- Phase 7: Multi-tenancy + Schema Migration

Repo: https://github.com/sitkastack/vendor-risk-triage
Worked example: https://sitkastack.com/demo
Roadmap: https://sitkastack.com/roadmap

## Track record

The execution muscle behind the AI work.

- 15+ years shipping programs in fintech and SaaS
- $500M originated on platforms I led
- Refresh Financial: led the automation build behind the company's acquisition
- Currently shipping a national-scale integration platform across a US franchise network (Boomi, Solace, AWS), client unnamed

## Selected work

Pre-AI program work. Proof I ship real systems in high-stakes environments.

### Refresh Financial: sales and servicing automation

Fintech, Canada. A call-centre-dependent sales and servicing model that couldn't scale. I led the end-to-end automation build. Revenue grew 61.5%, and the company was acquired.

### Consumer lending platform launch

Financial services, North America. A North American financial services group with 600+ retail locations. They needed a new consumer lending product and had no platform to start from. I built the technology and the product line in 18 months. It still runs the lending business today. $500M+ originated.

### MarTech and customer data platform

Retail, Canada. A top-five Canadian grocer's $16M MarTech program. I built and integrated the customer data platform behind their marketing automation. The roadmap projects 40% higher engagement and 25% better marketing ROI. Projected 5-year customer lifetime value: $200M.

## What clients say

"Robyn is one of the very few non-engineers I've worked with who can genuinely engage in technical trade-offs while still keeping cross-functional teams aligned and moving forward." — Angela Zenner, Senior Engineering Manager, Wealthsimple. Worked with Robyn at Refresh Financial, where Angela was Director of Technology & Development.

## Tools I built and use myself

The same patterns I apply to client work.

- Executive delivery dashboard (internal tool): A Python pipeline that ingests Jira, Smartsheet, and timesheet data and uses the Claude API for RAG-based program insights, margin analysis, and forecast views. An internal tool I built and use to replace manual status compilation. Tech: Claude API, Python, Jira, Smartsheet.
- Fintech service ops triage (public demo): AI triage tool for service-operations decisions in regulated environments. Confidence-gated routing, PII redaction, prompt-injection mitigation, and structured audit logging. Tech: Claude API, Python, Tool use. Source: https://github.com/robyntoor/fintech-service-ops-triage-poc
- Multi-persona AI code review (independent build): Claude API pipeline running parallel code review across security, performance, readability, and architectural perspectives before commits land. Tech: Claude API, Prompt engineering.
- Daily briefing system (independent build, in daily use): Runs overnight. Surfaces what changed, what's at risk, what needs a decision. Tech: n8n, Claude API.

## Founder

Robyn Toor. 15+ years shipping systems in fintech and regulated industries, where the work has to hold up in production, not just demo well. sitkastack brings that standard to operationally complex mid-market companies. Founded December 2025.

Credentials: MBA, PMP, AIGP (in progress), CSM, CSPO, AWS Cloud Practitioner.

Location: British Columbia, Canada. Working with clients across North America.

## Writing cadence

Weekly LinkedIn newsletter (Wednesday), weekly Medium posts, LinkedIn posts Tuesday and Thursday.

## Security

sitkastack handles client data with the same discipline applied to the AI systems built for clients.

- SOC 2 readiness assessment is complete; SOC 2 Type 1 audit booked for Q4 2026 with report expected Q1 2027; SOC 2 Type 2 planned Q2 2027.
- Cyber liability insurance: $1M coverage.
- PII detection and redaction by default in any AI pipeline that processes client data.
- Synthetic test data only in public Framework reference implementations.
- Audit logging on all production AI systems built for clients.

Full security posture: https://sitkastack.com/security

## Frameworks aligned to

NIST AI Risk Management Framework, EU AI Act, OSFI Guideline E-23 (Canadian regulated financial institutions), SOX and ICFR, SOC 2, ISO/IEC 42001, NAIC Model Bulletin on AI, SR 11-7 Model Risk Management, PIPEDA, GDPR where applicable.

Detailed mappings: https://sitkastack.com/frameworks

## Frequently asked questions

Q: Who does sitkastack work with?
A: VPs of Operations, Compliance, Risk, and Technology at regulated mid-market companies where AI has to coexist with real audit and regulatory obligations.

Q: What does sitkastack offer?
A: The E-23 Readiness Sprint (4-6 weeks) is the entry point, followed by the 90-Day AI Build, the Fractional AI Lead retainer (6-month minimum), and the AI Policy & Risk Pack (3 weeks). All engagements are scoped on a 30-minute intro call.

Q: How does pricing work?
A: Every engagement is scoped to the specific workflow or governance scope, so there is no fixed list price. Scope and price are set together on a 30-minute intro call.

Q: How is sitkastack different from a typical AI consultancy?
A: sitkastack builds and documents AI systems that hold up in front of auditors, regulators, and boards. Governance artifacts are included by default in Build engagements. The vendor-risk-triage framework is published under Apache 2.0 at github.com/sitkastack/vendor-risk-triage.

Q: What regulatory frameworks does sitkastack work with?
A: NIST AI Risk Management Framework, EU AI Act, OSFI Guideline E-23, NAIC Model Bulletin on AI, SR 11-7 Model Risk Management, SOX and ICFR, SOC 2, ISO/IEC 42001, PIPEDA, and GDPR where applicable. The AI Policy & Risk Pack maps to one regulatory framework per engagement.

Q: Where is sitkastack based?
A: British Columbia, Canada. Engagements run remote-first across North America.

## Contact

Email: robyn@sitkastack.com
LinkedIn (Robyn): https://linkedin.com/in/robyntoor
LinkedIn (sitkastack): https://linkedin.com/company/sitkastack
GitHub (framework repo): https://github.com/sitkastack/vendor-risk-triage
GitHub (personal): https://github.com/robyntoor
Full background: https://robyntoor.com
Security posture: https://sitkastack.com/security
Roadmap: https://sitkastack.com/roadmap