IC Inline Code

Blog

Field notes on AI governance, written by a practitioner.

Long-form writing for risk, security, and board readers. Framework-anchored, regulator-literate, and informed by what actually happens in mid-market deployments.

AI · Authorisation

MCP and the new authorisation surface nobody is reviewing

Model Context Protocol turns every internal API into a tool an agent can call on a user's behalf. The authorisation model most teams ship with is naïve, and the audit log usually proves it.

29 April 2026 · 3 min read · Mathew Sayed

Digital employees

Digital employees, with the governance attached

Why most digital employee deployments fail their first audit, and what a governance-first build looks like — identity, data access, supervision, and the accountability question almost no-one is answering well.

22 April 2026 · 5 min

APRA CPS 230

Mapping APRA CPS 230 to your AI tooling: a practical checklist

Translating CPS 230 material service obligations to Microsoft 365 Copilot, ChatGPT Enterprise, and Claude deployments — what changes when an AI vendor becomes a material service provider.

2 April 2026 · 4 min

Platform engineering

Securing CI/CD pipelines without slowing engineering down

Pipeline security is the gap between policy and reality. Most regulated firms have written rules about code review and signed releases that the actual pipeline does not enforce — and the audit evidence is whatever the runner happened to print to stdout.

25 March 2026 · 3 min

Shadow AI

Shadow AI in financial services: discovery without panic

A staged discovery method for surfacing personal AI account usage without destroying staff trust or productivity. What to look for, what to ignore, and what to do with what you find.

12 March 2026 · 5 min

Platform engineering · Risk

Policy-as-code as the control plane your auditors will actually read

Half the controls in a typical APRA submission are statements about what should happen. The other half could be expressed as policy code that runs in the pipeline and produces the evidence automatically. The gap between the two is most of the audit conversation.

28 February 2026 · 3 min
