Twenty-eight years of governance. One independent practice.
Thames Kay Consultancy LLC is an independent advisory practice led by two principals — a Chartered Accountant with twenty-five years in GCC banking, corporate finance and restructuring, and a career GRC practitioner who was most recently Head of GRC at the Dubai International Financial Centre. Our judgment stays independent: we do not build what we audit.
Certifications
Areas of expertise
Frameworks we map to
Two principals. One standard of judgment.

Mustajab Ahmad
Managing Director — Finance & TransactionsSenior financial advisor and Chartered Accountant with over 25 years across banking, corporate finance and restructuring in the GCC — specialising in complex distressed situations, multi-bank negotiations and turnaround execution. Led the turnaround of two UAE-based family conglomerates, managed corporate and credit portfolios exceeding AED 10bn, arranged private equity and private debt structures, and served as Group CFO across diversified business groups. His banking career spans corporate credit, risk management and special assets, including IFRS 9 implementation and risk-appetite framework design.
Khurram Masood
Partner — GRC & AI AssuranceCareer GRC practitioner with twenty-eight years across governance, risk, compliance, audit and information security — ten years in Big Four practice at KPMG, group risk and audit leadership at Emaar and across SEHA's 80-entity healthcare network, and most recently Head of GRC, Risk, BCM and Information Security at the Dubai International Financial Centre (2017–2025). Leads the Govern & Assure pillar, including the AI governance, risk, audit and security practices.
Where the judgement comes from.
The assurance practice draws on Khurram Masood's career inside the organisations our clients answer to — the auditor's seat, the risk owner's seat, and the regulator's own house.
Ten years in Big Four practice
Audit and advisory foundations: how evidence is built, how findings are defended, and how professional scepticism becomes a habit.
Risk & audit in regional scale
Governance and audit inside one of the region's largest developers — where controls meet construction-speed commercial reality.
GRC across 80 healthcare entities
Group-level governance, risk and compliance across an 80-entity healthcare network — high stakes, federated structures, board-level reporting.
Head of GRC, Dubai International Financial Centre
Leading governance, risk and compliance at the region's leading financial centre — the vantage point behind our GCC regulatory depth.
Independent practice
All of it brought to bear on one question: can your organisation's AI survive scrutiny — from your board, your auditors and your regulators?
Four commitments behind every engagement.
Independent, always
No implementation mandate on the systems we assess. When we test your AI, the only thing we have a stake in is the accuracy of the finding.
GCC-native depth
CBUAE, DIFC, ADGM, PDPL and DFSA aren't research topics for us — they're regimes we've worked inside. Regional regulation is read in the original, not summarised from afar.
Boardroom translation
Eight years of briefing boards and audit committees taught us the difference between a technical report and a decision-ready one. You get the second kind.
Partner-level attention
The person who scopes your engagement is the person who delivers it and the person who signs it. Nothing is handed down to a bench.
Board training: AI Governance & Security
Executive workshops that get directors fluent in AI risk, accountability and the regulatory landscape — delivered by someone who has sat on their side of the table.
Request a board session