ServicesGovern & AssureFinance & TransactionsTransform & DigitizeOperate & Scale
FrameworkAI Policy DevelopmentResponsible AIData Governance
RegulationsGCC regulationsRegulations & standardsResearch & benchmarks
Insights
About
Contact
Book a consultation
About Thames Kay Consultancy LLC

Twenty-eight years of governance. One independent practice.

Thames Kay Consultancy LLC is an independent advisory practice led by two principals — a Chartered Accountant with twenty-five years in GCC banking, corporate finance and restructuring, and a career GRC practitioner who was most recently Head of GRC at the Dubai International Financial Centre. Our judgment stays independent: we do not build what we audit.

28+Years in governance, risk, compliance and audit practice
25+Years in GCC banking, corporate finance and restructuring
31Services across four pillars, delivered at partner level

Certifications

CISACRISCCRMACDPSEGRCPISO 27001 Lead Auditor

Areas of expertise

AI GovernanceAI Risk & ComplianceAI Audit & AssuranceAI SecurityAgentic AI SystemsGRCInternal AuditIT AuditEnterprise RiskBCMCorporate GovernanceRegulatory ComplianceBoard Reporting

Frameworks we map to

ISO/IEC 42001ISO/IEC 38507EU AI ActNIST AI RMFISO 31000COSO ERMISO 27001UAE PDPLDIFC Reg 10CBUAE Guidance
Leadership

Two principals. One standard of judgment.

Mustajab Ahmad

Mustajab Ahmad

Managing Director — Finance & Transactions

Senior financial advisor and Chartered Accountant with over 25 years across banking, corporate finance and restructuring in the GCC — specialising in complex distressed situations, multi-bank negotiations and turnaround execution. Led the turnaround of two UAE-based family conglomerates, managed corporate and credit portfolios exceeding AED 10bn, arranged private equity and private debt structures, and served as Group CFO across diversified business groups. His banking career spans corporate credit, risk management and special assets, including IFRS 9 implementation and risk-appetite framework design.

Chartered AccountantRestructuring & Special SituationsCapital RaisingLender NegotiationsCFO & Turnaround Leadership

Khurram Masood

Partner — GRC & AI Assurance

Career GRC practitioner with twenty-eight years across governance, risk, compliance, audit and information security — ten years in Big Four practice at KPMG, group risk and audit leadership at Emaar and across SEHA's 80-entity healthcare network, and most recently Head of GRC, Risk, BCM and Information Security at the Dubai International Financial Centre (2017–2025). Leads the Govern & Assure pillar, including the AI governance, risk, audit and security practices.

CISACRISCCRMACDPSEGRCPISO 27001 Lead Auditor
The arc

Where the judgement comes from.

The assurance practice draws on Khurram Masood's career inside the organisations our clients answer to — the auditor's seat, the risk owner's seat, and the regulator's own house.

1
KPMG

Ten years in Big Four practice

Audit and advisory foundations: how evidence is built, how findings are defended, and how professional scepticism becomes a habit.

2
Emaar

Risk & audit in regional scale

Governance and audit inside one of the region's largest developers — where controls meet construction-speed commercial reality.

3
SEHA

GRC across 80 healthcare entities

Group-level governance, risk and compliance across an 80-entity healthcare network — high stakes, federated structures, board-level reporting.

4
DIFC

Head of GRC, Dubai International Financial Centre

Leading governance, risk and compliance at the region's leading financial centre — the vantage point behind our GCC regulatory depth.

5
Thames Kay Consultancy

Independent practice

All of it brought to bear on one question: can your organisation's AI survive scrutiny — from your board, your auditors and your regulators?

How we work

Four commitments behind every engagement.

Independent, always

No implementation mandate on the systems we assess. When we test your AI, the only thing we have a stake in is the accuracy of the finding.

GCC-native depth

CBUAE, DIFC, ADGM, PDPL and DFSA aren't research topics for us — they're regimes we've worked inside. Regional regulation is read in the original, not summarised from afar.

Boardroom translation

Eight years of briefing boards and audit committees taught us the difference between a technical report and a decision-ready one. You get the second kind.

Partner-level attention

The person who scopes your engagement is the person who delivers it and the person who signs it. Nothing is handed down to a bench.

Board training: AI Governance & Security

Executive workshops that get directors fluent in AI risk, accountability and the regulatory landscape — delivered by someone who has sat on their side of the table.

Request a board session