Work
Outcomes That Move The Business
21+ years scaling security, DevOps, and platform teams. Real outcomes — HITRUST certifications, AI governance programs, vendor risk at scale — not slideware.
Request More Info
Case Studies & Practice
Deep dives on the programs and decisions behind the outcomes.
Experience
Case studies
Cloud, DevOps & infra
Fintech & finance
Now
Open Source
Code that's shipped to production.
GitHub repos
Writing
Field Notes On Security & Velocity
Essays, briefings, and short notes on what's actually working in security, AI governance, and high-velocity engineering teams.
Subscribe
Long Form
Essays and deep dives on security, AI, and growth.
All posts
Table of contents
By topic: AI & Governance
By topic: Security & GRC
By topic: Cloud & DevOps
By topic: Fintech & Finance
Short Form
AI news with my takes and the newsletter.
AI news + my takes
Newsletter archive
Subscribe
Get new pieces in your inbox or your reader of choice.
Email newsletter
RSS feed
JSON feed
AI
AI, Hands-On Not Hand-Wavy
Curated AI news with my takes, plus the free calculators and tools I use with CIOs and AI architects every week.
Explore the Tools
News & Commentary
What's shipping in AI, with an operator's take.
AI news + my takes
Interactive Tools
Calculators and pickers you can use right now.
All free tools
AI ROI calculator
LLM cost estimator
Model picker quiz
Ask & Search
Query my work directly or search the whole site.
Ask Michael (AI)
Search the site
About
Operator, Advisor, Builder
Security executive, UC Berkeley MICS, board advisor, and builder. Here's the background, credentials, and personal context behind the work.
Read Full Bio
Background
Bio, education, and how I got here.
Bio
Now
Credentials
Degrees, certifications, and advisory roles.
Education & certifications
Elsewhere
Open source and code outside of work.
GitHub
Connect
Let's Build Something Together
Intro calls, strategy sessions, advisory engagements, or a quick question — pick the channel that fits and we'll go from there.
Book a Call
Work Together
Start a conversation or book time directly.
Contact form
Book time
Direct Channels
Email and LinkedIn are the fastest ways to reach me.
Email
LinkedIn
Recruiters & Boards
The 60-second one-pager and advisory & board interest.
Executive one-pager
Advisory & board interest
Resume (PDF)

Open to board advisory and board seats — 2H 2026, then CY 2027–2028.· AI governance, security, and platform · Forward-looking interest — not a current board seat

See details →

SavvyMoney ·

Continuous, Provable Compliance

Moved from point-in-time certification to a continuous-assurance model — SOC 2 Type II, a CSA STAR Level II continuous-audit posture, and a NIST CSF maturity program scored above the industry average.

Back to all work

Attestation: SOC 2 Type II
Continuous audit: CSA STAR Level II
NIST CSF maturity: Above industry avg

The problem

Point-in-time certifications create a false sense of safety — the audit passes in March and the environment drifts by June. Partners and regulators increasingly want evidence that's current, not annual.

The approach

I built toward a continuous-assurance model: SOC 2 Type II for operating-effectiveness evidence over time, a CSA STAR Level II continuous-audit posture, and a NIST CSF-based maturity program to give a common language for where we are and where we're going.

The outcome

A compliance story that holds up under ongoing scrutiny rather than one that's only true on audit day — and a maturity score above the industry average to back it.

ComplianceSOC 2NIST CSF