Posts

AI Governance Deep Dive: Building the Committee That Actually Governs

The first AI governance committee meeting I ever sat in lasted two hours and accomplished almost nothing. We had twelve people in the room — IT, Legal, HR, a couple of business unit leaders, and a handful of security folks. Everyone had opinions. No one had authority. The agenda was a loose collection of topics someone had jotted down the night before. By the end, we had a list of things to think about and a follow-up meeting scheduled for three weeks out. That meeting was not a failure of technology or even a failure of intent. It was a failure of structure. The wrong people were making decisions, the right people were not in the room, and nobody had a clear mandate for what the governance body was actually supposed to do. I have seen variations of that same meeting play out at organizations of every size and in every industry. And I have seen what happens when it keeps repeating: AI deployments accumulate without oversight, risks go untracked, and eventually something goes wrong that...
Recent posts

Stop Scanning. Start Managing Exposure: The CISO's Guide to Continuous Threat Exposure Management

Picture this: It is a Tuesday afternoon. Your vulnerability management team pulls up the weekly report. Sixty-three thousand open vulnerabilities across your environment. Your patch team closes out five hundred this week — a solid sprint by any measure. Everyone nods. The meeting ends. You walk out feeling like you are making progress. Three weeks later, an attacker exfiltrates six months of customer data through a misconfigured cloud storage bucket. No CVE assigned. Not on any scan report. Not even on your radar. That gap — the one between what your vulnerability scanner sees and what an attacker actually exploits — is exactly the problem that Continuous Threat Exposure Management is designed to close. And if you are leading a security program today without a CTEM strategy in place, you are managing the wrong list. What CTEM Actually Is (And What It Isn’t) Gartner introduced the term Continuous Threat Exposure Management in 2022, and the security industry has been both energized and c...

White House National AI Policy Framework: What CISOs Need to Know and Do Now

The White House released its National Policy Framework for Artificial Intelligence on March 20, 2026, and every CISO needs to read past the headlines. The document is not a law. It is not a regulation. It is a set of legislative recommendations directed at Congress — non-binding by design — outlining how the Trump administration believes the federal government should approach AI governance. What it is, practically speaking, is the clearest signal yet of where federal AI policy is headed and how that trajectory should reshape your organization’s approach to AI risk management, compliance planning, and governance program design. The framework follows Executive Order 14365, signed in December 2025, which directed federal agencies to identify and challenge state AI laws that conflict with national AI strategy. Together, these actions set up the central tension that enterprise security leaders now have to navigate: a federal posture that is explicitly moving toward preempting state-level AI...

IAM Metrics in Practice: Real Numbers, Real Scenarios, Real Conversations

A companion post to: IAM Metrics That Actually Matter: Proving Risk Reduction and Value to Every Level of the Organization The previous post laid out the framework: which IAM metrics matter, why they matter, and how to use them to tell a risk reduction and value story that resonates at every level of the organization. But frameworks without numbers are just theory. Security leaders need to see what these metrics actually look like when you run them against a real environment — the before states, the after states, the calculations, and the language you use to present them. This post walks through each major metric category with concrete examples drawn from the kinds of environments I have seen across more than two decades in this field. The numbers are composites — realistic representations of what organizations at different maturity levels actually look like — not a single case study. But they are close enough to reality that you should be able to map them directly to your own en...