IC Inline Code

Blog

Field notes on AI governance, written by a practitioner.

Long-form writing for risk, security, and board readers. Framework-anchored, regulator-literate, and informed by what actually happens in mid-market deployments.

ISO/IEC 42001

ISO 42001 readiness for mid-market organisations

What an ISO/IEC 42001 management system actually requires, and what it does not, for organisations under 500 staff. A pragmatic readiness path that does not require a dedicated AI governance team.

18 February 2026 · 6 min

Zero trust

Zero trust without vendor capture

Most zero-trust programs we review are vendor roadmaps in disguise — a sequence of product purchases dressed up as architecture. The actual zero-trust shift is a procedural one, and it doesn't need a million-dollar identity overhaul to start.

28 January 2026 · 5 min

Microsoft 365

Identity-first security for hybrid Microsoft 365 environments

If you run M365 with on-prem AD synchronised via Entra Connect, your security perimeter is the identity. Most mid-market environments have an Entra tenant configured in 2018 that hasn't been seriously revisited since. Here's the catch-up.

8 January 2026 · 5 min

Cryptography

Post-quantum cryptography: a planning timeline for mid-market

NIST published the first post-quantum encryption standards in August 2024. The migration is real, but the urgency depends on what you're protecting and how long it has to stay protected. A pragmatic planning timeline for organisations that aren't a national security agency.

15 December 2025 · 5 min

Regulatory horizon

The EU AI Act has reach. Australian firms should map exposure now.

The Act's territorial scope is broader than most Australian general counsel offices have appreciated. Two questions decide whether your AI deployment is in scope, and if it is, the documentation burden is non-trivial.

2 December 2025 · 3 min

Detection

Detection engineering for organisations without a 24/7 SOC

Most mid-market organisations don't have a 24/7 SOC and won't justify the cost of one for years. That's not a reason to give up on detection — it's a reason to be specific about what you actually need to detect, and how.

20 November 2025 · 5 min
