Technical writing on AI governance, SOC 2 compliance, and building enterprise-grade agent infrastructure.
A practical guide for enterprise teams deploying AutoPIL self-hosted — ECS, RDS, PrivateLink to Databricks Serverless, the architectural decisions that keep enforcement inside your perimeter, and the gotchas that aren't in the documentation.
Agent policy tells you what a role is permitted to do. It doesn't tell you who is actually behind the call. Here's why we added the principal to every audit event and what it changes about how enforcement works in practice.
A deep look at the five credential types — api_key, jwt_oidc, mtls, spiffe, conjur — how key binding works in both directions, and why the identity_method on every audit event is the difference between a defensible audit trail and a marketing page.
The industry has a vocabulary problem — and it's hiding a real risk. Here are the four questions every enterprise AI deployment has to answer in writing before agents go to production.
135 pre-built policies across 12 industries, a tamper-evident audit chain, and integrations for every major framework. What we built, what building it taught us, and what we're opening up ahead of a public launch in May.
Every AI governance framework focuses on what agents can do. The real risk is what they can see. Context is where the sensitive data lives — and governing it is the only path to genuine trust.
At five agents, baking governance into each one looks manageable. At fifty, you have fifty different failure modes and no single lever to pull when policy changes.
When agents hand work to other agents, your governance surface doesn't add — it multiplies. Governing each agent individually is not governance. It's sampling.
Most teams treat SOC 2 as a paperwork exercise. Here's what CC6.1 and CC6.3 actually demand — and why your API key strategy needs to change before your next audit.