Inline Code

Blog

Field notes on AI governance, written by a practitioner.

Long-form writing for risk, security, and board readers. Framework-anchored, regulator-literate, and informed by what actually happens in mid-market deployments.

Incident response

Ransomware response, CPS 230, and the 24-hour decision

The technical incident response is the easier half. The harder half is the decision your executive will be asked to make at the 6-hour mark and again at the 24-hour mark, and whether your organisation has actually decided how to make it.

29 October 2025 · 6 min

Email security

AI-assisted phishing: what's actually new

The volume of AI-assisted phishing has gone up; the success rate per attempt has not changed as much as the headlines suggest. The substantive change is the resource asymmetry — and what it means for your defensive program.

8 October 2025 · 5 min

Privileged access

Just-in-time privileged access for mid-market

Standing administrative privilege is the largest avoidable risk in most mid-market environments. The fix is a procedural change supported by tooling you probably already own. The work is mostly the policy, not the technology.

17 September 2025 · 6 min

Information security

Secrets sprawl is the boring breach pattern that keeps working

The interesting attack chains get the conference talks. The pattern that actually wrecks regulated firms is unrotated credentials in code, in CI variables, in vendor portals, and in places nobody owns. The cleanup is unglamorous, and the savings are large.

3 September 2025 · 3 min

Third-party risk

Third-party risk after the supply-chain attack era

Most third-party risk programs in mid-market financial services are questionnaire factories. They produce paperwork; they do not produce risk reduction. After several years of supply-chain incidents, the realistic position has changed — here's what actually works.

26 August 2025 · 6 min

Cloud security

Cloud security baseline: the controls that actually matter

AWS, Azure, and GCP each have a hundred security knobs. Most mid-market organisations have configured fifteen of them, badly. The realistic baseline is closer to thirty controls — high-leverage, configurable in days, not months.

30 July 2025 · 6 min
