CompanyScope
by Janus Compliance

Michael K. Onyekwere, CIPP/E

AI governance for the agent era. Data Protection Officer, common law qualified lawyer, founder of Janus Compliance, and author of the AI Agent Incident Register — legal analysis of how AI agents fail and who is liable when they do.

What I do

I run an independent AI governance practice under the Janus Compliance name, focused on the questions agentic AI is forcing onto compliance and legal teams: who is accountable when an autonomous agent acts, and what governance holds. The work is split into two visible surfaces. The first is Janus DPO-as-a-Service, a fractional Data Protection Officer engagement for businesses procuring and deploying AI tooling without a full-time DPO on the headcount. The second is CompanyScope, the publishing arm: the AI Agent Incident Register (AI agent failures analysed legally), vendor compliance profiles, topic guides, and side-by-side comparisons, all CIPP/E-reviewed and dated.

The published work is the same compliance work clients pay for, written down so a prospective client can see how the practice thinks before deciding to engage. Each profile, hub, and comparison stays current on a quarterly refresh cadence.

Credentials

  • CIPP/E — Certified Information Privacy Professional / Europe (IAPP)
  • Common law qualified lawyer, practising as a Data Protection Officer

Experience

Ten years in compliance across financial services and corporate services:

  • Royal Bank of Scotland — financial services compliance
  • Fidelity Investments — asset management compliance
  • UnitedHealth Group — healthcare compliance
  • TMF Group — corporate services compliance and data protection

What I write about

  • AI agent incidents and liability — who answers when an autonomous agent causes harm (the AI Agent Incident Register)
  • Agentic AI governance — accountability, human oversight, and the EU AI Act / NIST AI RMF controls that map to it
  • GDPR and UK Data Protection Act 2018 in AI deployments
  • EU AI Act — provider-side and deployer-side obligations
  • Data Processing Addenda for AI vendors — what clauses actually decide the risk
  • Cross-border data transfers under SCCs and the UK Addendum
  • HIPAA and the BAA gate for US healthcare AI deployments
  • Nigerian NDPA / NDPC compliance for fintech and diaspora-founded businesses
  • The practical tradeoffs of choosing between OpenAI, Anthropic, Microsoft 365 Copilot, Google Gemini, Perplexity, ElevenLabs, and their enterprise alternatives

Browse the full output: everything published on CompanyScope.

How profiles are made

  1. Start from public documentation: DPA, subprocessor list, trust center, privacy policy, security pages.
  2. Cross-check against vendor blog posts and public regulatory filings.
  3. Apply the standard schema (data processed, DPA, subprocessors, training position, transfers, security docs, AI Act role, DPIA prompts, red flags).
  4. Flag every gap, contradiction, or recently changed default explicitly.
  5. Date the review. Refresh on a quarterly cadence or when the vendor announces a material change.

What CompanyScope is not

  • It is not legal advice. Use it as research input, not as a sign-off.
  • It is not a vendor-paid directory. Vendors do not pay to be profiled, and a positive profile is not for sale.
  • It is not a snapshot guarantee. Vendor terms change. Last-reviewed dates show how fresh the research is.
  • It is not a marketing channel for the vendor. The profile reflects what the research finds, including what it does not find.

Get in touch

For ongoing AI compliance support or a CIPP/E-reviewed Vendor Risk Note on a specific decision, work with Janus Compliance directly.