https://ypro.dev/ Security, DevOps, and AI governance — what's actually working. en-us https://ypro.dev/writing/security-program-is-a-sales-asset https://ypro.dev/writing/security-program-is-a-sales-asset Wed, 10 Jun 2026 12:00:00 GMT Why provable security closes deals in regulated industries — and why the next budget conversation should lead with revenue, not fear. https://ypro.dev/writing/the-boundary-layer-is-the-actual-ai-control https://ypro.dev/writing/the-boundary-layer-is-the-actual-ai-control Fri, 22 May 2026 12:00:00 GMT Every AI governance framework describes the same controls. The one that actually matters is a single design decision: does this output get acted on, or interpreted first? https://ypro.dev/writing/aws-cost-levers-that-moved-the-needle https://ypro.dev/writing/aws-cost-levers-that-moved-the-needle Wed, 06 May 2026 12:00:00 GMT Cutting ~35% off a multi-region AWS footprint with no capability loss — the levers in the order they paid back, best first. https://ypro.dev/writing/what-ai-changes-for-attackers https://ypro.dev/writing/what-ai-changes-for-attackers Sat, 18 Apr 2026 12:00:00 GMT Cutting through the threat inflation: what genuinely shifts for attackers, what doesn't, and where to harden. https://ypro.dev/writing/the-audit-passed-in-march https://ypro.dev/writing/the-audit-passed-in-march Mon, 30 Mar 2026 12:00:00 GMT Point-in-time certification is the floor, not the goal. The case for continuous assurance over annual audits. https://ypro.dev/writing/automate-the-boring-not-the-judgment https://ypro.dev/writing/automate-the-boring-not-the-judgment Thu, 12 Mar 2026 12:00:00 GMT A framework for what security work to hand to machines, and the line you should never let automation cross. https://ypro.dev/writing/report-risk-to-people-who-dont-speak-security https://ypro.dev/writing/report-risk-to-people-who-dont-speak-security Fri, 20 Feb 2026 12:00:00 GMT Translating security for boards and investors — the three questions leadership actually asks, and how to answer them. https://ypro.dev/writing/security-and-devops-under-one-roof https://ypro.dev/writing/security-and-devops-under-one-roof Wed, 28 Jan 2026 12:00:00 GMT The case for the dual mandate, and why org-chart distance doesn't create security. https://ypro.dev/writing/model-selection-is-capacity-planning https://ypro.dev/writing/model-selection-is-capacity-planning Tue, 16 Jun 2026 12:00:00 GMT Most teams pick a frontier model like a sports team and never revisit it — but model selection is a routing, capacity, and risk decision you already know how to make. https://ypro.dev/writing/the-control-plane-is-the-job https://ypro.dev/writing/the-control-plane-is-the-job Wed, 17 Jun 2026 12:00:00 GMT Standing up an agent takes an afternoon; the control plane that lets it touch production safely is the actual engineering work, and almost nobody shows it. https://ypro.dev/writing/stop-trying-to-patch-prompt-injection https://ypro.dev/writing/stop-trying-to-patch-prompt-injection Thu, 18 Jun 2026 12:00:00 GMT Prompt injection isn't a bug a vendor will patch — it's a property of how models read context, so design systems that stay safe even when the model is fully hijacked. https://ypro.dev/writing/governing-non-human-identity https://ypro.dev/writing/governing-non-human-identity Sat, 20 Jun 2026 12:00:00 GMT Your agents already outnumber your people, they can authenticate but not prove they're authorized, and that's the gap SOC 2 and HIPAA were never built to close. https://ypro.dev/writing/your-ai-bill-is-the-new-cloud-bill https://ypro.dev/writing/your-ai-bill-is-the-new-cloud-bill Sun, 21 Jun 2026 12:00:00 GMT We spent a decade learning cloud FinOps and are repeating every mistake with LLM spend — here's the operating model that meters, routes, and caps it. https://ypro.dev/writing/design-ai-inference-for-disappearance https://ypro.dev/writing/design-ai-inference-for-disappearance Tue, 23 Jun 2026 12:00:00 GMT A frontier model went dark three days after launch; here's how I make AI inference survivable on AWS when the provider is a dependency you don't control. https://ypro.dev/writing/the-2026-ai-regulatory-map https://ypro.dev/writing/the-2026-ai-regulatory-map Thu, 25 Jun 2026 12:00:00 GMT Everyone read 'EU AI Act deferred to 2027' and exhaled — but the part that fines you 3% of global revenue turns on in August. The four 2026 rules with teeth, on one page. https://ypro.dev/writing/audit-defensible-ai-pipeline https://ypro.dev/writing/audit-defensible-ai-pipeline Sat, 27 Jun 2026 12:00:00 GMT Audit-defensibility isn't a document you write after the fact — it's a property you engineer into the AI pipeline so its normal operation emits evidence as exhaust. https://ypro.dev/writing/azure-security-review-eight-domains https://ypro.dev/writing/azure-security-review-eight-domains Mon, 04 May 2026 12:00:00 GMT An automated tool scores your Azure posture; an assessor walks your architecture. The eight domains I review, in the order an audit walks them, and the evidence each one has to produce. https://ypro.dev/writing/cloud-finops-recovering-cloud-spend https://ypro.dev/writing/cloud-finops-recovering-cloud-spend Tue, 15 Jul 2025 12:00:00 GMT The press-release version of cloud savings cancels workloads and books compliance debt. The version that lasts is commitment management and SaaS rationalization. https://ypro.dev/writing/board-reporting-decisions-not-status https://ypro.dev/writing/board-reporting-decisions-not-status Tue, 26 Aug 2025 12:00:00 GMT The fifty-page board pre-read is the artifact most responsible for meetings that produce no decisions. Three sections fix it. https://ypro.dev/writing/100-day-post-close-cyber-integration-playbook https://ypro.dev/writing/100-day-post-close-cyber-integration-playbook Tue, 05 Aug 2025 12:00:00 GMT The post-close decade is decided in the first 100 days. The eight cyber controls to ship by day 30, and the identity-sprawl audit every exit diligence will run. https://ypro.dev/writing/capital-allocation-governance-board-framework https://ypro.dev/writing/capital-allocation-governance-board-framework Thu, 15 Jan 2026 12:00:00 GMT Mid-market capital allocation is rarely a strategy — it's individual capex, M&A, and debt decisions made in isolation. The governance framework that makes it programmatic.