{ "version": "https://jsonfeed.org/version/1.1", "title": "Michael York — Field Notes", "home_page_url": "https://ypro.dev/", "feed_url": "https://ypro.dev/feed.json", "description": "Security, DevOps, and AI governance — what's actually working.", "authors": [ { "name": "Michael York", "url": "https://ypro.dev/" } ], "items": [ { "id": "https://ypro.dev/writing/security-program-is-a-sales-asset", "url": "https://ypro.dev/writing/security-program-is-a-sales-asset", "title": "Your Security Program Is a Sales Asset. Start Treating It Like One.", "content_text": "Why provable security closes deals in regulated industries — and why the next budget conversation should lead with revenue, not fear.", "date_published": "2026-06-10T12:00:00.000Z", "tags": [ "Security Strategy", "Fintech", "GRC", "Leadership" ] }, { "id": "https://ypro.dev/writing/the-boundary-layer-is-the-actual-ai-control", "url": "https://ypro.dev/writing/the-boundary-layer-is-the-actual-ai-control", "title": "The Boundary Layer Is the Actual AI Control", "content_text": "Every AI governance framework describes the same controls. The one that actually matters is a single design decision: does this output get acted on, or interpreted first?", "date_published": "2026-05-22T12:00:00.000Z", "tags": [ "AI Governance", "NIST AI RMF", "ISO 42001", "CCPA" ] }, { "id": "https://ypro.dev/writing/aws-cost-levers-that-moved-the-needle", "url": "https://ypro.dev/writing/aws-cost-levers-that-moved-the-needle", "title": "AWS Cost Levers That Actually Moved the Needle", "content_text": "Cutting ~35% off a multi-region AWS footprint with no capability loss — the levers in the order they paid back, best first.", "date_published": "2026-05-06T12:00:00.000Z", "tags": [ "AWS", "Cloud", "FinOps", "DevOps" ] }, { "id": "https://ypro.dev/writing/what-ai-changes-for-attackers", "url": "https://ypro.dev/writing/what-ai-changes-for-attackers", "title": "What AI Actually Changes for Attackers (and What It Doesn't)", "content_text": "Cutting through the threat inflation: what genuinely shifts for attackers, what doesn't, and where to harden.", "date_published": "2026-04-18T12:00:00.000Z", "tags": [ "AI", "Threat Intelligence", "Phishing", "Defense" ] }, { "id": "https://ypro.dev/writing/the-audit-passed-in-march", "url": "https://ypro.dev/writing/the-audit-passed-in-march", "title": "The Audit Passed in March. Is It Still True?", "content_text": "Point-in-time certification is the floor, not the goal. The case for continuous assurance over annual audits.", "date_published": "2026-03-30T12:00:00.000Z", "tags": [ "Compliance", "GRC", "Audit", "Fintech" ] }, { "id": "https://ypro.dev/writing/automate-the-boring-not-the-judgment", "url": "https://ypro.dev/writing/automate-the-boring-not-the-judgment", "title": "Automate the Boring, Not the Judgment", "content_text": "A framework for what security work to hand to machines, and the line you should never let automation cross.", "date_published": "2026-03-12T12:00:00.000Z", "tags": [ "Security Operations", "Automation", "AI", "Team Building" ] }, { "id": "https://ypro.dev/writing/report-risk-to-people-who-dont-speak-security", "url": "https://ypro.dev/writing/report-risk-to-people-who-dont-speak-security", "title": "How to Report Risk to People Who Don't Speak Security", "content_text": "Translating security for boards and investors — the three questions leadership actually asks, and how to answer them.", "date_published": "2026-02-20T12:00:00.000Z", "tags": [ "Leadership", "Risk Management", "Communication", "Board Reporting" ] }, { "id": "https://ypro.dev/writing/security-and-devops-under-one-roof", "url": "https://ypro.dev/writing/security-and-devops-under-one-roof", "title": "Security and DevOps Under One Roof: Why I Stopped Apologizing for It", "content_text": "The case for the dual mandate, and why org-chart distance doesn't create security.", "date_published": "2026-01-28T12:00:00.000Z", "tags": [ "DevOps", "Security", "Leadership", "Org Design" ] }, { "id": "https://ypro.dev/writing/model-selection-is-capacity-planning", "url": "https://ypro.dev/writing/model-selection-is-capacity-planning", "title": "Pick the Model Like You Size a Cluster, Not Like You Pick a Sports Team", "content_text": "Most teams pick a frontier model like a sports team and never revisit it — but model selection is a routing, capacity, and risk decision you already know how to make.", "date_published": "2026-06-16T12:00:00.000Z", "tags": [ "AI", "Model Selection", "FinOps", "Infrastructure" ] }, { "id": "https://ypro.dev/writing/the-control-plane-is-the-job", "url": "https://ypro.dev/writing/the-control-plane-is-the-job", "title": "The Agent Is the Easy Part. The Control Plane Is the Job.", "content_text": "Standing up an agent takes an afternoon; the control plane that lets it touch production safely is the actual engineering work, and almost nobody shows it.", "date_published": "2026-06-17T12:00:00.000Z", "tags": [ "AI", "AI Agents", "Security", "Platform Engineering" ] }, { "id": "https://ypro.dev/writing/stop-trying-to-patch-prompt-injection", "url": "https://ypro.dev/writing/stop-trying-to-patch-prompt-injection", "title": "Stop Trying to Patch Prompt Injection", "content_text": "Prompt injection isn't a bug a vendor will patch — it's a property of how models read context, so design systems that stay safe even when the model is fully hijacked.", "date_published": "2026-06-18T12:00:00.000Z", "tags": [ "AI", "AI Security", "Prompt Injection", "AppSec" ] }, { "id": "https://ypro.dev/writing/governing-non-human-identity", "url": "https://ypro.dev/writing/governing-non-human-identity", "title": "Your Agents Already Outnumber Your People. Nobody Is Governing Their Credentials.", "content_text": "Your agents already outnumber your people, they can authenticate but not prove they're authorized, and that's the gap SOC 2 and HIPAA were never built to close.", "date_published": "2026-06-20T12:00:00.000Z", "tags": [ "AI", "Non-Human Identity", "IAM", "Cloud Security" ] }, { "id": "https://ypro.dev/writing/your-ai-bill-is-the-new-cloud-bill", "url": "https://ypro.dev/writing/your-ai-bill-is-the-new-cloud-bill", "title": "Your AI Bill Is the New Cloud Bill, and Nobody Is Watching the Meter", "content_text": "We spent a decade learning cloud FinOps and are repeating every mistake with LLM spend — here's the operating model that meters, routes, and caps it.", "date_published": "2026-06-21T12:00:00.000Z", "tags": [ "AI", "FinOps", "Cloud Cost", "LLMOps" ] }, { "id": "https://ypro.dev/writing/design-ai-inference-for-disappearance", "url": "https://ypro.dev/writing/design-ai-inference-for-disappearance", "title": "Design Your AI Inference Like the Model Could Vanish Tomorrow, Because One Just Did", "content_text": "A frontier model went dark three days after launch; here's how I make AI inference survivable on AWS when the provider is a dependency you don't control.", "date_published": "2026-06-23T12:00:00.000Z", "tags": [ "AI", "AWS", "Resilience", "AI Infrastructure" ] }, { "id": "https://ypro.dev/writing/the-2026-ai-regulatory-map", "url": "https://ypro.dev/writing/the-2026-ai-regulatory-map", "title": "The 2026 AI Regulatory Map That Fits on One Page", "content_text": "Everyone read 'EU AI Act deferred to 2027' and exhaled — but the part that fines you 3% of global revenue turns on in August. The four 2026 rules with teeth, on one page.", "date_published": "2026-06-25T12:00:00.000Z", "tags": [ "AI", "AI Governance", "Compliance", "NIST AI RMF" ] }, { "id": "https://ypro.dev/writing/audit-defensible-ai-pipeline", "url": "https://ypro.dev/writing/audit-defensible-ai-pipeline", "title": "Bake the Audit Evidence Into Your AI Pipeline Before the Examiner Asks", "content_text": "Audit-defensibility isn't a document you write after the fact — it's a property you engineer into the AI pipeline so its normal operation emits evidence as exhaust.", "date_published": "2026-06-27T12:00:00.000Z", "tags": [ "AI", "AI Compliance", "Audit", "NIST AI RMF" ] }, { "id": "https://ypro.dev/writing/azure-security-review-eight-domains", "url": "https://ypro.dev/writing/azure-security-review-eight-domains", "title": "The Eight-Domain Azure Security Review for Regulated Environments", "content_text": "An automated tool scores your Azure posture; an assessor walks your architecture. The eight domains I review, in the order an audit walks them, and the evidence each one has to produce.", "date_published": "2026-05-04T12:00:00.000Z", "tags": [ "Cloud Security", "Azure", "Audit", "Compliance" ] }, { "id": "https://ypro.dev/writing/cloud-finops-recovering-cloud-spend", "url": "https://ypro.dev/writing/cloud-finops-recovering-cloud-spend", "title": "Cloud FinOps for the Mid-Market: Where 25–40% of Spend Actually Hides", "content_text": "The press-release version of cloud savings cancels workloads and books compliance debt. The version that lasts is commitment management and SaaS rationalization.", "date_published": "2025-07-15T12:00:00.000Z", "tags": [ "FinOps", "AWS", "Azure", "Cloud Cost" ] }, { "id": "https://ypro.dev/writing/board-reporting-decisions-not-status", "url": "https://ypro.dev/writing/board-reporting-decisions-not-status", "title": "Board Reporting That Drives Decisions, Not Status Updates", "content_text": "The fifty-page board pre-read is the artifact most responsible for meetings that produce no decisions. Three sections fix it.", "date_published": "2025-08-26T12:00:00.000Z", "tags": [ "Leadership", "Board Reporting", "Governance", "Communication" ] }, { "id": "https://ypro.dev/writing/100-day-post-close-cyber-integration-playbook", "url": "https://ypro.dev/writing/100-day-post-close-cyber-integration-playbook", "title": "The First 100 Days: A Post-Close Cyber Integration Playbook", "content_text": "The post-close decade is decided in the first 100 days. The eight cyber controls to ship by day 30, and the identity-sprawl audit every exit diligence will run.", "date_published": "2025-08-05T12:00:00.000Z", "tags": [ "Security", "M&A", "Cloud Security", "Leadership" ] }, { "id": "https://ypro.dev/writing/capital-allocation-governance-board-framework", "url": "https://ypro.dev/writing/capital-allocation-governance-board-framework", "title": "Capital Allocation Governance: The Framework Companies Build Too Late", "content_text": "Mid-market capital allocation is rarely a strategy — it's individual capex, M&A, and debt decisions made in isolation. The governance framework that makes it programmatic.", "date_published": "2026-01-15T12:00:00.000Z", "tags": [ "Leadership", "Governance", "Board Reporting", "Risk Management" ] } ] }