Writing

Operational knowledge, codified. Each piece translates direct enterprise experience into frameworks practitioners and executives can act on — from blog posts on emerging threats to published books and research articles.

Blog

Why AI Governance Fails at Runtime and What CISOs Must Do Now

Most organizations that claim to govern their AI systems are doing something closer to documentation theater. Policies, review boards, and risk registers are disconnected from what the AI system actually does at runtime. This post explains the enforcement gap, why detection and audits alone cannot close it, what the ACR Standard provides as a control framework, and the practical steps CISOs should take to deploy runtime control now.

Read article →

The OWASP Top 10 for Agentic Applications Gets a Lot Right. It Also Stops Where Real Control Has to Begin.

The OWASP Top 10 for Agentic Applications is a strong threat taxonomy. It is not a control model. It tells you what can go wrong with autonomous AI systems. It does not define the mandatory runtime conditions that make those systems governed. That is the gap the ACR Standard is built to close. This post walks through where OWASP gets it right, where it stops short, and provides a full crosswalk mapping each OWASP category to ACR control pillars.

Read article →

Why AI-Driven Vulnerability Discovery Breaks Cybersecurity’s Operating Model

Project Glasswing goes beyond faster vulnerability discovery. It eliminates the foundational constraints modern cybersecurity depends on. AI-driven vulnerability discovery collapses the time between exposure and exploitation to near-zero, rendering detection, prioritization, and patch-based models structurally insufficient. The only defensible model is control at runtime, enforced at machine speed.

Read article →

Runtime Governance Is the Only Governance That Counts

Why the Control Plane Is Non-Negotiable

If agentic AI can act without traversing a hardened enforcement boundary, you have policy theater — not risk management. Runtime governance requires a control plane that enforces policy at the moment an agent intends to act, provides auditable evidence, and constrains delegated authority. The gap between governance intent and governance effect is the largest unpriced risk in enterprise AI today.

Read article →

LiteLLM Compromised

What the PyPI Supply Chain Attack Means for Every Organization Running AI

LiteLLM versions 1.82.7 and 1.82.8 on PyPI were compromised with credential-stealing malware as part of a month-long campaign by TeamPCP that included Trivy, KICS, a self-propagating npm worm, and Kubernetes wipers with Iran-targeted destruction. The implications for AI governance are immediate.

Read article →

DNS as a Weapon

What the AWS AgentCore Sandbox Bypass Means for AI Governance

BeyondTrust Phantom Labs demonstrated a full sandbox escape from AWS Bedrock AgentCore using DNS-based C2. The implications for AI governance are significant, and most organizations are not accounting for this class of risk.

Read article →

From Standard to Enforcement

Inside the ACR Control Plane

The ACR Control Plane is now a working reference implementation—open source, deployable, and designed to prove that runtime AI governance is not theoretical. It is operational.

Read article →

Books

The ABCs of Agentic AI

The ABCs of Agentic AI

Featured

Controlling Autonomous Action at Runtime

The definitive guide to governing agentic AI in production. Covers the ACR Standard, runtime enforcement architecture, agentic threat defense, and evidence-first governance for enterprise environments.

Buy Digital Edition — $9.99
The ABC's of Cyber Security

The ABC's of Cyber Security

Total Cyber Security for Small and Medium Sized Businesses

Foundational enterprise security guidance — risk programs, incident response, and the operational controls that protect business infrastructure.

View on Amazon
Weaponization of Social Media

Weaponization of Social Media

Analysis of how social platforms are weaponized for influence operations, disinformation, and threat intelligence — applying the same analytical rigor used in security operations.

View on Amazon

Articles

AI's Crucial Role in Safeguarding Cryptography in the Era of Quantum Computing

Experts Exchange · 2023

Ensuring the Security of Large Language Models: Strategies and Best Practices

Experts Exchange · 2023

Leveraging GPT for Authentication: A Deep Dive into a New Realm of Cybersecurity

Experts Exchange · 2023

The Value of Threat Intelligence for Aiding in the Fortification of Industrial Control Systems

Experts Exchange · 2017

A Study of Chinese and Russian APTs

Experts Exchange · 2017

Code APT: An Examination of Advanced Persistent Threats

Experts Exchange · 2017

The Most Dominant 2016 Cyber Attack Vectors

Experts Exchange · 2017

The Three Greatest Threats Facing Data Loss in the Medical Industry

Experts Exchange · 2017

Subscribe via RSS

Get governance insights delivered

Runtime AI control strategies, enforcement architecture patterns, and ACR Standard updates — direct from the practitioner who built them.

No spam. Unsubscribe anytime.