home experience thoughts

thoughts

ai Jun 8, 2026

Agentic AI governance starts with identity

The latest AI risk conversation is not only about prompts. Security teams need named agent identities, scoped tools, logs, and revocation paths.

security Mar 5, 2026

The EU AI Act delay does not remove the controls problem

The 2026 simplification package changes the timeline for some high-risk systems, but it does not change the work security teams need to do.

ai Mar 1, 2026

OWASP's agentic AI list is really an identity warning

Agents that read email, call APIs, and write to systems inherit access decisions. That makes agent security an IAM problem, not only a prompt problem.

security Feb 28, 2026

Service accounts need an offboarding process too

Machine identities now outnumber humans by a wide margin, but many programs still govern them like temporary exceptions.

security Feb 16, 2026

AI vendor reviews need technical evidence, not better questionnaires

Third-party AI risk is not solved by asking more questions. The useful signal is in logs, access boundaries, data use, model change control, and incident evidence.