Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.
AI governance training fails when it gets delivered as a single all-hands course. Each role inside the enterprise needs different content. Article walks through the role-specific training tracks the regulators and auditors expect, and where the curriculum meets the runtime evidence requirement.
Read post →AI governance certifications split into institutional certifications like ISO 42001 that examine the AI management system and professional certifications like IAPP AIGP that credential individuals. Article walks through what each program covers and where certification meets per-decision evidence.
Read post →AI governance software splits into policy-building, inventory, and runtime enforcement. Most products in the category cover policy and inventory and leave runtime evidence to whatever the engineering team builds. Article walks through the architectural layers and what to ask vendors before signing.
Read post →AI data governance fails when the classification engine runs on documents and not on prompts. The data lake is sorted, the AI request path is not. Article walks through the prompt-level classification, lineage, and disclosure architecture that satisfies the regulators asking new questions about model inputs.
Read post →AI model governance fails when it sits at the model registry layer alone. Model cards and versioning catalog the asset. Per-request enforcement governs how the model is actually used. Article walks through the runtime layer most model governance programs leave out.
Read post →Most AI governance policies are written for the auditor but cannot be evaluated at the request layer. A policy that lacks classification rules, identity definitions, and enforcement decision points is prose, not control. Article walks through what the policy has to specify to be enforceable.
Read post →AI governance fails when no single role owns the per-decision audit trail. The CISO, CRO, General Counsel, CTO, and platform engineering each hold a slice. Article walks through the seven stakeholder roles, what each owns, and where the handoffs break in practice.
Read post →AI governance audits turn on per-decision evidence. The auditor asks who initiated each request, what data was involved, what policy applied, and what the outcome was. Application logs collapse under those questions. Article walks through what an audit actually examines and the architecture that survives it.
Read post →NIS2 took effect at the Member State level by October 18, 2024. The directive covers essential and important entities across 18 sectors. AI used in those operations falls under Article 21 cybersecurity risk management and Article 23 incident reporting. Audit trail expectations are operational.
Read post →DORA took effect January 17, 2025. The regulation treats AI vendors as ICT third-party service providers. Financial entities must maintain a register of contractual arrangements, monitor concentration risk, and demonstrate exit strategies. AI inference sits squarely inside the obligation.
Read post →HIPAA Security Rule audit controls require recording activity in systems that contain PHI. AI deployments produce that activity at the prompt layer. OCR audits request per-request records of PHI exposure to AI services. Application logs fail. The architecture that survives is independent of the application.
Read post →ISO 27001 is the information security management system standard. ISO 42001 is the AI management system standard published December 2023. The two standards integrate at the controls layer. Annex A controls in ISO 27001:2022 cover the same evidence ISO 42001 expects for AI-specific risk treatment.
Read post →