AI Governance & Institutional Risk Advisory

Independent diagnostic, audit and advisory services for organisations deploying AI-based automation in operational processes and decision-making.

For commercial banks, fintech companies, insurance organisations and large state enterprises where AI systems already participate in operational processes, data analysis and processing, risk assessment and consequential decision-making.

Organisations are deploying AI rapidly. Efficiency metrics improve. Reporting looks clean. But behind this façade, a risk accumulates that is invisible from within: the real capacity to control the system, explain its decisions and stop it when necessary gradually erodes. Not through a single directive. Through a series of small delegations, each of which seemed reasonable at the time.

The central question: Does your organisation genuinely control these AI systems — or is control quietly shifting to the AI?


Which of these scenarios describes your situation?


Scenario 1. The system works — but no one can explain its decisions

AI participates in lending, risk assessment, fraud detection or operational processes. The system produces outputs. Reports are generated. But if a regulator, Supervisory Board or client asks a specific question — why did the system reach this particular decision — a substantive answer is impossible. The system’s logic is undocumented. The decision log does not exist. Independent verification has never been conducted. The report was signed. The decision is unexplainable.


Scenario 2. Knowledge about the system resides in people, not in processes

The system was built by an internal team or a subsidiary structure. While key staff are in place, everything functions. But the architecture is undocumented, knowledge transfer is not planned, and internal audit checks outcomes rather than logic. When two or three specialists leave, the organisation is left with a working system that no one understands — and no one can modify or stop in a controlled way.


Scenario 3. AI tools are in use but are not accounted for as part of decisions

Staff use AI assistants, application programming interfaces (APIs) and off-the-shelf AI tools in daily work: data analysis, decision preparation, processing requests, document evaluation. Formally, a human makes the decision. In practice, it is shaped by the system. Nowhere is it recorded: what data is being transmitted to external service providers, how the tool’s behaviour changes when the provider updates its model, and to what extent the organisation depends on its availability.


Scenario 4. Emergency procedures exist on paper — not in practice

Regulations contain procedures for operating when the system fails. In practice, they have not been tested since launch. Staff have lost manual skills, not through negligence but because the need for them never arose. In the event of system unavailability, a change of provider or a regulatory requirement to suspend operations, the organisation will discover that returning to manual mode requires time and resources that are not available.


Scenario 5. Deployment happened — dependency assessment did not

The decision to deploy was made on the basis of efficiency metrics. No one assessed: how deep dependency on the system would become in two to three years, what the cost of exit is, what happens when contract terms change or the subsidiary structure shifts, and what the organisation’s regulatory position looks like in the event of an incident. The system became part of operational reality before any architecture of control over it was established.


What we typically find

In organisations that have already deployed AI, the same patterns recur:

  • Control exists formally: The procedure for overriding the system’s decisions exists in the regulations. In practice, it has never been applied.
  • Competence is concentrated: Understanding the system’s logic is possible for one or two staff members. When they leave — a real gap in oversight.
  • Emergency mode has not been tested: Manual operating procedures have not been verified since launch. No one knows whether they work.
  • Single source of answers: Explaining why the system reached a specific decision is only possible by contacting the developer or provider.
  • Cost of exit is unknown: No one has calculated what it costs to abandon the system or transition to an alternative.
  • Regulatory position has not been reviewed: Compliance with Law No. ZRU-1115 and regulator requirements has not been analysed since AI deployment.

None of these is a theoretical risk. Each is a specific question that will be asked during an inspection or after an incident.


Questions regulators ask after an incident

1. The deployment decision: Who authorised deployment of the system — and was an independent risk assessment conducted before launch?
2. Control over the system: Who verified the system’s operation independently of its developer? Are there documented instances of a human overriding the system’s decision — and on what grounds?
3. Logic and reproducibility of decisions: Can the logic of a specific decision be reproduced? Who within the organisation is able to explain it without engaging the developer?
4. Data and model behaviour: Were the training data checked for systemic bias before launch? Is the system’s behavioural drift being tracked over time?
5. Operational resilience: Were emergency procedures tested after approval? Have staff retained manual skills for processes transferred to the system?
6. Accountability: Who bears personal responsibility for decisions made by the system? Have clients been informed that decisions concerning them involve AI?
7. Dependency and exit: What is the cost of discontinuing the system? Does a transition plan exist if the provider ceases operations?

Why this matters now

The regulator is forming requirements. The question is not whether this will happen — but what position your organisation will be in when it does: with a functioning control architecture already in place, or in the process of building one under pressure.

Readiness for regulatory requirements and readiness for an incident are the same architecture. System failure, an erroneous decision affecting clients, a data breach, unexplainable model behaviour — all of this happens without warning and without a convenient moment.

Organisations with real control meet such a moment with established procedures, documentation and a clear chain of accountability. Those whose control architecture is only outlined or not yet formalised find themselves in a position where explaining what happened is impossible, stopping the consequences is too late, and accountability has already arrived.


What we offer

Independent diagnostic and advisory services across the full lifecycle of an AI system: before deployment, after launch, and continuously — for as long as the system makes decisions.


1. Express Diagnostic of AI Control (Agency Transfer Audit)

Is AI already in use — but is real control being maintained? A rapid diagnostic across three dimensions: operational continuity without the system, preservation of staff competencies, and actual practice of overriding system decisions. Covers all deployment models: internal team, subsidiary structure, external provider, off-the-shelf AI tools.

Duration: 5–7 working days.

Deliverable: written report with risk zone map.



2. Full Operational Dependency Audit

For organisations where the express diagnostic has identified yellow or red zones — or where the scale of deployment requires a thorough assessment from the outset. Staff interviews, analysis of regulations and actual control practices — both declared and real — quantitative assessment of dependency depth, final report with a map of critical zones and specific recommendations, management briefing session.

Duration: 3–5 weeks.

Deliverable: report and management briefing.


3. Pre-Implementation Readiness Assessment

The right moment to assess risks is before launch — while the organisation retains maximum freedom of action. Analysis of institutional readiness: governance structure, competencies, oversight culture. Risk assessment across all deployment models: internal development, subsidiary structure, external provider, AI platforms and tools. Control architecture: who decides to override the system’s decision, on what grounds, with what documentation. Map of institutional risks before launch.

Duration: 2–3 weeks.

Deliverable: document for Supervisory Board approval or regulatory submission.



4. Regulatory Position Assessment

For organisations that need to understand their position relative to Law No. ZRU-1115 and emerging regulatory requirements — before that position is determined for them in the course of an inspection. Analysis of ZRU-1115 compliance, assessment of gaps between declared and actual AI decision control, priority action map, documentation for regulatory engagement.

Duration: 2–3 weeks.

Deliverable: priority action map and regulatory documentation.



5. Central Bank Requirements Readiness Assessment

For commercial banks and microfinance banks

The Central Bank of Uzbekistan is developing requirements for financial recovery plans. Organisations using AI in critical processes will need to demonstrate a functioning recovery architecture with verifiable procedures — not merely a document. Analysis of compliance with the draft CBU regulation on financial recovery plans, assessment of AI systems’ role in the recovery architecture, gap identification, recommendations for integrating AI control into the recovery plan, preparation of CBU documentation.

Duration: 3–4 weeks.

Deliverable: readiness assessment and CBU documentation.


6. Methodological Support and Documentation Alignment

The diagnostic has revealed gaps — who will help close them? INVEXI accompanies the organisation from diagnosis to a functioning control architecture. Development or revision of internal regulations, policies and AI control procedures. Building operational procedures: decision logs, system override protocols, emergency regulations. Preparation of documentation for the regulator, Supervisory Board and external partners. Support for implementing recommendations.

Duration: 6–10 weeks.

Deliverable: functioning documentation and control procedures.


7. Ongoing Advisory Retainer

For organisations that need an independent adviser on a permanent basis — not for a one-off assessment, but to support decisions that cannot be delegated to internal services or the system provider. Monitoring of changes in the regulatory environment, written analytical materials for decision-making, support in selecting providers and renegotiating contracts, preparation of positions for the regulator, Supervisory Board and external partners.

Format: monthly, minimum 3 months.


8. Management Team Workshop

A structured working session for the senior leadership team or Supervisory Board: joint diagnostic of the real state of AI control, risk zone mapping, identification of first steps. Work with the organisation’s actual processes — not abstract scenarios. The team leaves with a clear understanding of its vulnerabilities and priorities.

Format: half-day, in person.

Deliverable: risk map and priority action protocol.


9. Independent Assessment for the Supervisory Board

A standalone document: an independent evaluation of the state of AI control for presentation to the Supervisory Board, shareholders or Board of Management. Distinguished from an internal report by the fact that it is signed by an independent adviser — which carries different weight in the event of a regulatory inspection or incident. Relevant for organisations where the Supervisory Board requires confirmation of real control, not only polished reporting.

Format: standalone document.

Duration: 2–3 weeks.


10. Expert Support in Provider or AI Platform Selection

A provider has given a presentation. The figures are convincing. But who will assess the control architecture, exit conditions and dependency risks before the contract is signed? INVEXI conducts an independent assessment of AI solution provider proposals: analysis of contractual terms, assessment of dependency scenarios, identification of hidden risks. The organisation makes its decision with full understanding of the consequences.

Format: targeted engagement.

Duration: 1–2 weeks.


11. Regulatory Inspection Preparation

An inspection has been announced — or is expected. There is no time for a full audit. INVEXI helps rapidly bring the organisation’s position into order: what to present, how to respond, which documents to prepare, where the critical gaps are. This is not a substitute for systematic work — but proper preparation materially changes the outcome of an inspection.

Format: short-term project.

Duration: 1–3 weeks depending on organisational readiness.


12. Training Module for Senior Leadership and Supervisory Board Members

Members of the Supervisory Board, Board of Management and senior management sign off on AI system decisions — but do not always understand what questions to ask providers and internal teams. A one-day programme: what real AI control looks like, how to read reports, what signals indicate loss of controllability, what accountability looks like after an incident. This format is not currently offered by any provider in Uzbekistan.

Format: one day, in person or online.

Languages: Russian, Uzbek, English.


13. Analytical Research and Policy Recommendations

For think tanks, international organisations, government institutions and leadership teams requiring an institutional perspective on AI governance from a non-Western vantage point. Analytical materials that account for the realities of developing markets, post-Soviet institutional patterns and the gap between formal control and operational reality.

Format and scope: determined per project.

Deliverable: policy brief, executive analysis or extended research paper.


14. Keynote Addresses and Closed Institutional Briefings

Addresses and briefings on AI governance, systemic transformation and institutional risks — for conferences, industry events and closed sessions for bank leadership and government structures. Particular focus: non-Western perspectives, Central Asian and CIS realities, and the gap between declared and real control.

Format: in person or online.

Languages: Russian, Uzbek, English.


Why we are trusted for these conversations

Most AI governance advisers operate either within a compliance logic — does the documentation meet the standards — or within a technical development logic. Their question: is the system configured correctly?

Our question is different: does your control actually work in practice — or only on paper?

The founder of INVEXI, Oybek Khodjaev, has been on both sides of this conversation: making decisions as a Deputy Chairman of a bank — and as a Deputy Governor of Samarkand Region, receiving explanations from the structures he was overseeing. He knows what a regulator looks for because he was one. He knows what a control gap looks like from the inside because he managed through systemic failures.

International AI governance frameworks require adaptation to the institutional reality of each country. We understand that reality in Uzbekistan: how decisions are actually made, where the gap lies between formal and actual architecture, and how to speak a regulator’s language.

INVEXI’s advisory practice in AI governance is grounded in a twelve-essay analytical series — Beyond Control: Theory of Limits of AI Governance — an examination of how governance becomes performative at precisely the moment it needs to be substantive.

Read the essay series: okhodjaev.com/essays/ or the analytical synthesis: okhodjaev.com/synthesis/


Who this is for

Our services are relevant for organisations where automated systems already participate in consequential decisions or are being considered for deployment:

  • Commercial banks using AI in lending, scoring, fraud detection and risk management
  • Fintech companies and payment organisations
  • Insurance organisations with AI in underwriting and claims assessment
  • State enterprises deploying AI in operational processes
  • Organisations with internal development teams or subsidiary IT structures
  • Supervisory Boards and Boards of Management who sign off on AI system decisions and bear accountability for them
  • Think tanks, international organisations and government institutions working in AI policy

Next step

Start with a free preliminary diagnostic: three questions, ten minutes, an initial picture with no obligations.

If the diagnostic identifies yellow or red zones, we will conduct a 30-minute working meeting — not a presentation. A conversation about your specific situation and what can realistically be done.

Preliminary diagnostic (free): invexi.org/en/services/agency-transfer-audit/

Request a meeting: ok@okhodjaev.com | +998 90 352 83 50

All engagements are conducted under a Non-Disclosure Agreement (NDA).


 
