Writing on AI governance, evidence, and control
Plain-language explainers and positions for the people who have to answer for AI: what the terms mean, what the rules require, and where control actually belongs.
Agentic AI governance: control the action, not the prompt
Agents act on their own at machine speed. Why agentic AI governance must move to the action boundary, and why the signed record is the only witness.
Read the postJuly 4, 2026Position6 minAn AI acceptable use policy is not enforcement
Most institutions have an AI acceptable use policy. Few can show it held. AI policy enforcement means decisions at execution, plus a record that proves it.
Read the postJuly 4, 2026Compliance6 minCJIS compliance and AI: what Security Policy v6.0 requires before staff use AI tools
Officers already use AI. What CJIS Security Policy v6.0 requires before CJI touches an AI tool, what auditors will ask, and what a defensible record looks like.
Read the postJuly 4, 2026Compliance5 minIs ChatGPT HIPAA compliant? What healthcare teams need to know
No AI tool is HIPAA certified, because no such certification exists. What a business associate agreement covers, what it does not, and how PHI stays governed.
Read the postJuly 4, 2026Explainer6 minWhat is an AI audit trail, and what makes one trustworthy
An AI audit trail records who used which AI tool, what was sent and returned, when, and whether policy held. What separates evidence from a text file of logs.
Read the postJuly 4, 2026Explainer5 minWhat is shadow AI? A plain guide for regulated institutions
Shadow AI is the AI in use that no one approved and no one can see. Why it grows, why bans fail, and how shadow AI detection brings it under one policy.
Read the postQuestions a post did not answer?
Tell us your sector and what you need to prove. We will point you at the right document, or write the missing one.