Field Notes

Writing

Searchable essays on AI governance, security, leadership, and platform engineering.

6/26/2026 7 min

Bake the Audit Evidence Into Your AI Pipeline Before the Examiner Asks

Audit-defensibility isn't a document you write after the fact — it's a property you engineer into the AI pipeline so its normal operation emits evidence as exhaust.

AI, AI Compliance, Audit, NIST AI RMF
6/24/2026 7 min

The 2026 AI Regulatory Map That Fits on One Page

Everyone read 'EU AI Act deferred to 2027' and exhaled — but the part that fines you 3% of global revenue turns on in August. The four 2026 rules with teeth, on one page.

AI, AI Governance, Compliance, NIST AI RMF
6/22/2026 8 min

Design Your AI Inference Like the Model Could Vanish Tomorrow, Because One Just Did

A frontier model went dark three days after launch; here's how I make AI inference survivable on AWS when the provider is a dependency you don't control.

AI, AWS, Resilience, AI Infrastructure
6/20/2026 7 min

Your AI Bill Is the New Cloud Bill, and Nobody Is Watching the Meter

We spent a decade learning cloud FinOps and are repeating every mistake with LLM spend — here's the operating model that meters, routes, and caps it.

AI, FinOps, Cloud Cost, LLMOps
6/19/2026 7 min

Your Agents Already Outnumber Your People. Nobody Is Governing Their Credentials.

Your agents already outnumber your people, they can authenticate but not prove they're authorized, and that's the gap SOC 2 and HIPAA were never built to close.

AI, Non-Human Identity, IAM, Cloud Security
6/17/2026 7 min

Stop Trying to Patch Prompt Injection

Prompt injection isn't a bug a vendor will patch — it's a property of how models read context, so design systems that stay safe even when the model is fully hijacked.

AI, AI Security, Prompt Injection, AppSec
6/16/2026 8 min

The Agent Is the Easy Part. The Control Plane Is the Job.

Standing up an agent takes an afternoon; the control plane that lets it touch production safely is the actual engineering work, and almost nobody shows it.

AI, AI Agents, Security, Platform Engineering
6/15/2026 7 min

Pick the Model Like You Size a Cluster, Not Like You Pick a Sports Team

Most teams pick a frontier model like a sports team and never revisit it — but model selection is a routing, capacity, and risk decision you already know how to make.

AI, Model Selection, FinOps, Infrastructure
5/3/2026 6 min

The Eight-Domain Azure Security Review for Regulated Environments

An automated tool scores your Azure posture; an assessor walks your architecture. The eight domains I review, in the order an audit walks them, and the evidence each one has to produce.

Cloud Security, Azure, Audit, Compliance
4/17/2026 4 min

What AI Actually Changes for Attackers (and What It Doesn't)

Cutting through the threat inflation: what genuinely shifts for attackers, what doesn't, and where to harden.

AI, Threat Intelligence, Phishing, Defense
3/29/2026 3 min

The Audit Passed in March. Is It Still True?

Point-in-time certification is the floor, not the goal. The case for continuous assurance over annual audits.

Compliance, GRC, Audit, Fintech
3/11/2026 3 min

Automate the Boring, Not the Judgment

A framework for what security work to hand to machines, and the line you should never let automation cross.

Security Operations, Automation, AI, Team Building
2/19/2026 3 min

How to Report Risk to People Who Don't Speak Security

Translating security for boards and investors — the three questions leadership actually asks, and how to answer them.

Leadership, Risk Management, Communication, Board Reporting
1/27/2026 4 min

Security and DevOps Under One Roof: Why I Stopped Apologizing for It

The case for the dual mandate, and why org-chart distance doesn't create security.

DevOps, Security, Leadership, Org Design
1/14/2026 6 min

Capital Allocation Governance: The Framework Companies Build Too Late

Mid-market capital allocation is rarely a strategy — it's individual capex, M&A, and debt decisions made in isolation. The governance framework that makes it programmatic.

Leadership, Governance, Board Reporting, Risk Management
8/25/2025 5 min

Board Reporting That Drives Decisions, Not Status Updates

The fifty-page board pre-read is the artifact most responsible for meetings that produce no decisions. Three sections fix it.

Leadership, Board Reporting, Governance, Communication
8/4/2025 7 min

The First 100 Days: A Post-Close Cyber Integration Playbook

The post-close decade is decided in the first 100 days. The eight cyber controls to ship by day 30, and the identity-sprawl audit every exit diligence will run.

Security, M&A, Cloud Security, Leadership
7/14/2025 6 min

Cloud FinOps for the Mid-Market: Where 25–40% of Spend Actually Hides

The press-release version of cloud savings cancels workloads and books compliance debt. The version that lasts is commitment management and SaaS rationalization.

FinOps, AWS, Azure, Cloud Cost