Practical perspectives from practitioners who have operated at the expert level, not advisors who read the framework.
The Digital Omnibus consolidates incident reporting into one ENISA-run portal. The five underlying regimes do not go away. The work moves upstream, into the controls crosswalk.
On 19 May 2026 the European Commission published draft guidelines clarifying when an AI system is high-risk under Article 6. The exceptions are narrower than the market assumed.
McKinsey's Project Acorn shifts partner pay from cash toward equity: the first authoritative signal of a consulting partnership reset buyers must price in.
A US court let negligence claims against Bain Capital proceed for a portfolio company's breach. The cost of weak cyber diligence is no longer just a write-down, it's the sponsor named in the suit. A five-layer defense.
Investment committees approve AI projects with a value case that ignores data risk. A short checklist prevents the post-mortem finding.
The Model Context Protocol connects AI agents to external tools. Real 2026 CVEs show the attack surface is already being exploited.
AI coding tools are adopted team by team, below committee line of sight. Three questions separate oversight from assurance.
Boards approved AI principles. The next 18 months are about proving those principles operate as controls. The gap is where regulatory risk sits.
Deal teams are seeing more AI-intensive targets. The diligence process was not designed for agent sprawl, training data provenance, or vendor lock-in.
Most organizations have AI principles. Few have controls that execute at runtime. The gap between policy and enforcement is where incidents happen.
RoguePilot, CamoLeak, and Comment-and-Control attacks prove AI coding tools are a live attack surface. A practical control set for development teams.
Most boards hear the AI productivity pitch but not the identity, permission, and accountability model underneath. Three questions surface the gap.
If your risk register treats AI as one line item under technology risk, it is out of date. Shadow AI touches four risk categories at once.
AI agents, data governance, and regulatory enforcement are converging into a single challenge. Treating them separately creates blind spots.
Only 35% of organizations have full visibility into unstructured data. Without data discovery and classification, AI security controls have no foundation.
Machine identities will outnumber human identities in most enterprises this year. 78% have no formal policies for AI identity lifecycle management.
78% of employees bring their own AI tools to work. Only 36% have governance policies. A 10-day sprint closes the gap.
AI-assisted attack tools find vulnerabilities faster than organizations can patch. Framework compliance alone no longer defines adequate security.
Project Glasswing resets the baseline for cybersecurity assessment. When AI finds 27-year-old flaws, traditional assessment methodologies need to catch up.
Anthropic built Claude Mythos Preview and chose not to release it. The first frontier model withheld for cyber risk reshapes AI governance playbooks.
AI coding tools create bidirectional supply chain risk. The axios trojan and Claude Code leak hit the same day. Most security teams are not watching.
AI models that exploit vulnerabilities autonomously are here. Mythos and real-world LLM operations with 27-second breakout times demand a new threat model.
Anthropic shipped Claude Code's complete source in a routine npm update. With 41,500 forks and exposed feature flags, AI vendor risk needs rethinking.
NIS2, DORA, CRA, the revised CSA, and the EU AI Act each evaluate different dimensions of the same vendor. Running them as separate programs hides cross-framework exposure.
Computer-use agents that operate your desktop autonomously are here. The governance gap between copilots and autonomous colleagues is the next risk.
Single-vendor AI stacks create concentration risk enterprises don't yet see. A portfolio approach across cloud, open-source, and edge models is overdue.
AI platform loyalty can fracture overnight. The ChatGPT-Claude shift shows why vendor evaluation must now include political and reputational risk.
Browser AI assistants create high-value attack surfaces. The Chrome Gemini hijack shows why enterprises must rethink endpoint security for embedded AI.
Only 29% of organizations are prepared to secure AI agent deployments. A six-domain framework for deploying agents with controls mapped to ISO 27001 and DORA.
Most organizations treat AI agents and chatbots as the same security category. They are fundamentally different - and chatbot controls are not enough.
AI agent adoption is outpacing security infrastructure. Only 14.4% of deployed agents went live with full security approval. A present risk boards are missing.
AI agents are not a future capability. They are an operational tool that professionals and deal teams are using now to compress hours of skilled labor.
You do not need a technical background to use an AI agent. A paid subscription, a desktop app, and twenty minutes. A step-by-step setup guide.
The shift from AI that talks to AI that does is underway. A plain-language guide to what AI agents are, where the market stands, and why it matters.
A 1998-era SQL injection reportedly exposed McKinsey's AI platform Lilli. The vulnerability class is old. The consequences for enterprise AI are not.
Enterprise AI data concerns mirror cloud migration fears of 2010-2016. The governance discipline is identical, only the processing engine changed.
Large consulting firms have misaligned people, services, and technology. AI is making this fragmentation worse before it makes it better.
Every consulting firm has an AI strategy and AI partnerships. None has transformed its own delivery model - which is exactly what they sell to clients.
A three-tier framework for M&A cybersecurity due diligence - from 24-hour screening to post-close monitoring - with Expected Annual Loss quantification.
AI-powered attacks and deepfake fraud are the defining threats of 2026. A plain-language briefing for boards and CFOs, with the 12 controls that change the risk profile.
88% of organizations use AI but only 28% see measurable transformation. The gap is not a technology problem - it's why AI-native agencies outperform SaaS.
Sweden's Cybersecurity Act (SFS 2025:1506) entered into force on 15 January 2026, shifting cybersecurity obligations to entity-wide scope with explicit management accountability requirements and fines up to €10M.
AI has automated junior analyst work faster than firms can redeploy. The consulting pyramid is under structural pressure - here's what replaces it.
Practical GenAI applications for tech and cyber due diligence in M&A, with the governance controls that keep deal-confidential data protected.
Document-only reviews miss up to 75% of material cyber risks. Technical validation gives underwriters 35-45% better loss ratios.
Material cybersecurity findings drive 8-25% valuation adjustments in M&A. Here's how diligence informs deal structure and protects buyer ROI.
Cybersecurity vulnerabilities, technical debt, privacy gaps, IP ambiguity, and integration complexity reduce IRR by 8-12 points in affected transactions.
72% of middle-market deals involve multiple bidders. External-only digital due diligence delivers comprehensive technology intelligence in 24-72 hours.
Most PE deal teams assess cybersecurity through questionnaires and limited-access reviews. Here's what that approach systematically misses, and why it matters at close.
Talk to a practitioner. We'll be direct about whether we can help and how.
Start Discussion