Blog
Field notes on AI governance, written by a practitioner.
Long-form writing for risk, security, and board readers. Framework-anchored, regulator-literate, and informed by what actually happens in mid-market deployments.
AI · Risk
Evals are a risk control. Most AI deployments are missing them.
If you cannot quantify the failure rate of a deployed AI system, you cannot say what its residual risk is — and the regulators are starting to ask. Evals are the discipline that closes the gap, and they are simpler to start than the literature implies.
APRA CPS 234
The APRA CPS 234 audit: what auditors actually look for
Most CPS 234 audit findings are not surprises to the audited entity — they are gaps the entity already knew about and chose to defer. The audit just makes them visible. Here's the structure of the audit and the findings that recur.