Loading…
Thoughts on AI governance, cybersecurity leadership, emerging technologies, and what I'm learning along the way.
AI agent debt is the accumulation of abandoned, forgotten, or ungoverned AI agents that continue running with access nobody remembers granting and ownership nobody can identify. Organisations are deploying agents faster than they can govern them, and the lifecycle conversation has barely started.
Read article →
In March 2026, Meta experienced a SEV1 security incident caused by an AI agent. The agent gave flawed technical advice on an internal forum. An engineer acted on that advice, and sensitive company and user data became accessible to unauthorized employees for nearly two hours. The failure was not just a hallucination — it was a chain of trust without verification.
Read article →
Between March 31 and April 8, 2026, Palo Alto Networks Unit 42 published three separate research reports on AI agent security. Together they paint a clear picture: the near-term AI risk is not that models will produce bad content. It is that organizations will deploy AI-enabled systems with unsafe permissions, weak defaults, and incomplete controls.
Read article →
GlassWorm's 73 sleeper extensions, elementary-data's CI/CD pipeline hijack, and Cloudflare's non-human identity reframe all point to the same conclusion: your AI vendor questionnaire is asking about 2023 risks. Here are the questions you should be asking in 2026.
Read article →
The most dangerous cyber threat isn't a new zero-day. It's a target shift. For thirty years, cybersecurity was built around keeping bad actors out. The next wave of crime is about taking control of the systems we already trust — cars, homes, hospitals, satellites, and AI agents.
Read article →
Google's field data shows a 32% increase in prompt injection attacks in a single quarter. Two research papers, published the same day, converge on the same architecture: runtime controls, not better prompts, are the correct defense. Here's why your AI governance committee can't stop prompt injection — and what can.
Read article →
Most organizations do not have an AI governance problem because they lack ambition. They have a governance problem because they lack visibility. The first move is practical: find the AI usage, classify it, assign an owner, assess the risk, and keep the register alive. This article draws from Chapter 1 of my AI Governance Guide and outlines the six-step AI Inventory Audit every organization should complete.
Read article →
On April 14, 2026, Cloudflare published a framing of agents as non-human identity problems — exactly the right way to think about them. The industry is converging on a runtime-first defense model. Your vendor questionnaire should be updated to reflect this.
Read article →
MCP is becoming a critical dependency layer for AI systems. The real question is no longer what the model can do — it is what it can reach.
Read article →
AI Security in 2026: The shift from model intelligence to connected autonomy, tool use, and containment.
Read article →
Many future AI incidents may not start with attackers breaking in. They may start with trusted features doing exactly what they were allowed to do, inside workflows that were never governed tightly enough.
Read article →
AI has clearly entered the boardroom. Directors are asking harder questions. Regulators are raising obligations. Audit and risk committees increasingly want to know where AI is used, who is accountable, and what could go wrong. That is progress. But in many organizations, the visible maturity is still misleading. The board deck looks polished. The principles sound sensible. The policy exists. The steering committee has been announced. And underneath that, the operating model is still missing.
Read article →
Enterprise leaders say they expect a major AI agent security incident within the next year, but most still lack the governance, visibility, and accountability needed to manage that risk.
Read article →
The NCSC's clear signal to security leaders: AI-generated "vibe coding" is inevitable. The question isn't whether to adopt it, but how to control it before it scales insecurity across your organization.
Read article →
Stop treating AI governance like a spreadsheet exercise. Framework implementation is not a checklist—it is a transformation journey. And increasingly, it is a competitive differentiator.
Read article →
In December 2023, ISO/IEC 42001 became the world’s first certifiable AI management system standard. Here’s what it requires, how it relates to the EU AI Act and NIST AI RMF, and what boards should ask before pursuing certification.
Read article →
OWASP’s Top 10 for Agentic Applications is one of the clearest early frameworks for understanding how autonomous AI systems change the cybersecurity risk landscape. Here is why it matters for security leaders now.
Read article →
The good news is that effective AI governance does not require inventing entirely new frameworks. Organizations that have built robust cybersecurity governance already have the foundation. The challenge is extending those structures to address AI's unique risks.
Read article →
Something fundamental shifted in how boards must approach cybersecurity. Directors are now expected to understand cyber as a business resilience issue, a fiduciary responsibility, and increasingly, a personal liability concern. Here are the five questions that should now be standard in every boardroom.
Read article →
In 2023, Samsung employees inadvertently uploaded sensitive information to ChatGPT—becoming the most cited example of shadow AI. With 28% of employees now using unapproved AI tools at work, organizations need a Shadow AI Discovery and Response Programme. The EU AI Act now imposes fines up to €15 million for deploying high-risk AI without proper governance.
Read article →
Autonomous agents change the security model fundamentally. Why 2026 feels like an inflection point for AI governance, accountability, and agent security.
Read article →
The shift to agentic computing has begun, but security is still DIY. This week, five new vulnerabilities dropped for OpenClaw — five ways your AI agent can be turned against you. Just like early web commerce needed SSL and fraud protection to become mainstream, AI agents need security to achieve widespread adoption. Here's why early adopters must roll their own security — and what that means for leaders deploying OpenClaw today.
Read article →
Practical security best practices for OpenClaw deployments. Learn how to harden your AI agent setup with actionable tips for credentials, network security, and configuration management.
Read article →
OpenClaw is the fastest-growing AI agent framework. Here's why developers are flocking to it and what it means for the future of work, automation, and human-AI collaboration.
Read article →