<![CDATA[Deploy Securely]]>Manage risk at the junction of artificial intelligence and software security.

]]>https://www.buzzsprout.com/2266002Riverside.fm (https://riverside.com)Sun, 10 May 2026 01:38:36 GMTTue, 03 Feb 2026 13:36:30 GMT60StackAware<p>Manage risk at the junction of artificial intelligence and software security.</p>episodicStackAwarewalter@stackaware.comno<![CDATA[Aware AI - April 2026]]>Cameron and I talked about:

- How large does a company have to be to recommend ISO 42001?
- How do you avoid constant turnover of your AI inventory (you don't)?
- What minimum documentation is needed per AI use case? (or before bringing on an AI system or vendor?)
- What’s a realistic training and awareness program about AI for non-technical staff?
- Are the following over- / under- / properly-hyped?
-- Running AI locally
-- AI Governance Tools/Platforms
-- Model eval benchmarks (SWE‑bench, red‑team scores, "safety" leaderboards)
-- “Innovation‑first,” light‑touch approach to AI Governance
-- Claude Mythos

]]>2b02dba4-fa35-406d-9c2c-e0819bc59b66Wed, 29 Apr 2026 15:29:14 GMT<p>Cameron and I talked about:<br /><br />- How large does a company have to be to recommend ISO 42001?<br />- How do you avoid constant turnover of your AI inventory (you don't)?<br />- What minimum documentation is needed per AI use case? (or before bringing on an AI system or vendor?) <br />- What’s a realistic training and awareness program about AI for non-technical staff?<br />- Are the following over- / under- / properly-hyped?<br />-- Running AI locally<br />-- AI Governance Tools/Platforms<br />-- Model eval benchmarks (SWE‑bench, red‑team scores, "safety" leaderboards) <br />-- “Innovation‑first,” light‑touch approach to AI Governance<br />-- Claude Mythos</p>no00:29:57Aware AI - April 2026full<![CDATA[ISO 42001 deep dive]]>I talked with David Forman, CEO of Mastermind. The company is the only pure-play ISO certification body in the U.S. and was the first worldwide to issue an ISO 42001 certificate. We discussed:

- Misconceptions (and reality) about the standard

- How to scope the AIMS (and audit)

- Traveling the world as a founder

- Surveillance pricing (side quest)

]]>bd0d2a18-66fa-4ad6-9260-6ec6c737ff73Sat, 21 Mar 2026 12:45:18 GMT<p>I talked with David Forman, CEO of Mastermind. The company is the only pure-play ISO certification body in the U.S. and was the first worldwide to issue an ISO 42001 certificate. We discussed:</p><p></p><p>- Misconceptions (and reality) about the standard</p><p>- How to scope the AIMS (and audit)</p><p>- Traveling the world as a founder</p><p>- Surveillance pricing (side quest)</p>no00:48:05ISO 42001 deep divefull<![CDATA[Audit-ready AI]]>I spoke with Danny Manimbo, Managing Principal at Schellman, who leads the firm’s AI governance and ISO assurance services. Danny and I talked about:

  • What firms miss when preparing for ISO 42001 audits.
  • How they continually improve and what metrics they track.
  • The role that ultra-marathon running played in Danny’s personal and professional life.
]]>b9e5e89b-2054-4356-84f9-9b1fbe9ee6f5Mon, 09 Mar 2026 20:26:17 GMT<p>I spoke with Danny Manimbo, Managing Principal at Schellman, who leads the firm’s AI governance and ISO assurance services. Danny and I talked about:</p><p></p><ul><li>What firms miss when preparing for ISO 42001 audits.</li><li>How they continually improve and what metrics they track.</li><li>The role that ultra-marathon running played in Danny’s personal and professional life.</li></ul>no00:51:23Audit-ready AIfull<![CDATA["High-risk" AI, vibe coding, and regulatory gymnastics]]>Cameron Gaudet and I chatted on the Aware AI Brief about:

  • How do you determine "high-risk"? (Additionally WHO determines a "high-risk" AI system?)
  • What does "AI Bias" actually mean? What is being evaluated and measured?
  • Is vibe coding "good"?

Here is the reference database we discussed: https://reference.stackaware.com/

]]>07935419-b114-4243-8e63-9e6ca366d9c2Fri, 06 Mar 2026 19:58:07 GMT<p>Cameron Gaudet and I chatted on the <b>Aware AI Brief</b> about<b>:</b></p><p></p><ul><li>How do you determine "high-risk"? (Additionally WHO determines a "high-risk" AI system?)</li></ul><ul><li>What does "AI Bias" actually mean? What is being evaluated and measured?</li><li>Is vibe coding "good"?</li></ul><p></p><p>Here is the reference database we discussed: <a rel="noopener noreferrer nofollow" href="https://reference.stackaware.com/" target="_blank">https://reference.stackaware.com/</a></p>no00:25:12"High-risk" AI, vibe coding, and regulatory gymnasticsfull<![CDATA[Anthropic, AI;DR, and (more) slop - Steve and Walter talk AI, March 2026]]>To kick off March 2026, Steve and I talked:

- Anthropic's big moves when it comes to:
-- ​Claude Code Security​: https://www.anthropic.com/news/claude-code-security
-- Facing ​off​ against the Department of War: https://www.anthropic.com/news/statement-comments-secretary-war

- The emergence of "​AI;DR​" as a phrase: https://futurism.com/artificial-intelligence/aidr-meaning

- Citrini Research's doomsday ​report​: https://www.citriniresearch.com/p/2028gic

- More AI-generated ​slop: https://futurism.com/artificial-intelligence/ai-film-pulled-from-amc-theaters

]]>e0af53d6-2282-472e-9c02-d7dad2f00f3dTue, 03 Mar 2026 22:10:06 GMT<p>To kick off March 2026, Steve and I talked:<br /><br />- Anthropic's big moves when it comes to:<br />-- ​Claude Code Security​: <a rel="noopener noreferrer nofollow" href="https://www.anthropic.com/news/claude-code-security" target="_blank">https://www.anthropic.com/news/claude-code-security</a><br />-- Facing ​off​ against the Department of War: <a rel="noopener noreferrer nofollow" href="https://www.anthropic.com/news/statement-comments-secretary-war" target="_blank">https://www.anthropic.com/news/statement-comments-secretary-war</a><br /><br />- The emergence of "​AI;DR​" as a phrase: <a rel="noopener noreferrer nofollow" href="https://futurism.com/artificial-intelligence/aidr-meaning" target="_blank">https://futurism.com/artificial-intelligence/aidr-meaning</a><br /><br />- Citrini Research's doomsday ​report​: <a rel="noopener noreferrer nofollow" href="https://www.citriniresearch.com/p/2028gic" target="_blank">https://www.citriniresearch.com/p/2028gic</a><br /><br />- More AI-generated ​slop: <a rel="noopener noreferrer nofollow" href="https://futurism.com/artificial-intelligence/ai-film-pulled-from-amc-theaters" target="_blank">https://futurism.com/artificial-intelligence/ai-film-pulled-from-amc-theaters</a></p>no00:47:39Anthropic, AI;DR, and (more) slop - Steve and Walter talk AI, March 2026full<![CDATA[The State of AI Red Teaming in 2026]]>I spoke with Kujtim Kryeziu, Co-Founder and CEO of Sentry Security, about:

- How companies can tackle the biggest risks in their AI applications
- What he sees as the biggest blind spots in heavily-regulated spaces
- The future of AI red-teaming and the role for human experts

Here's the AI Risk Readiness Kit we discussed: https://kit.stackaware.com/

And here's the Sentry Security Research Blog: https://blog.sentry.security/

]]>706c2854-d046-420e-8fe2-8843522c7f0bWed, 11 Feb 2026 20:29:42 GMT<p>I spoke with Kujtim Kryeziu, Co-Founder and CEO of Sentry Security, about:<br /><br />- How companies can tackle the biggest risks in their AI applications<br />- What he sees as the biggest blind spots in heavily-regulated spaces<br />- The future of AI red-teaming and the role for human experts<br /><br />Here's the AI Risk Readiness Kit we discussed: <a rel="noopener noreferrer nofollow" href="https://kit.stackaware.com/" target="_blank">https://kit.stackaware.com/</a><br /><br />And here's the Sentry Security Research Blog: <a rel="noopener noreferrer nofollow" href="https://blog.sentry.security/" target="_blank">https://blog.sentry.security/</a></p>no00:22:17The State of AI Red Teaming in 2026full<![CDATA[AI governance at enterprise scale]]>I spoke with Oliver Patel, Head of Enterprise AI Governance at AstraZeneca, about how to run AI governance at global scale.

We will cover:

- How he builds AI governance that works across teams, tools, and regions
- The EU AI Act, in plain language, and what enterprises must do next
- Practical controls for AI risk, from model intake to ongoing monitoring
- How compliance, legal, and business leaders can share one playbook
- What he's learning while writing the book "Fundamentals of AI Governance"

]]>0b7d38eb-44cd-455a-8d79-19232f308656Thu, 05 Feb 2026 20:01:23 GMT<p>I spoke with Oliver Patel, Head of Enterprise AI Governance at AstraZeneca, about how to run AI governance at global scale.<br /><br />We will cover:<br /><br />- How he builds AI governance that works across teams, tools, and regions <br />- The EU AI Act, in plain language, and what enterprises must do next <br />- Practical controls for AI risk, from model intake to ongoing monitoring <br />- How compliance, legal, and business leaders can share one playbook <br />- What he's learning while writing the book "Fundamentals of AI Governance"</p>no00:38:36AI governance at enterprise scalefull<![CDATA[Steve and Walter talk AI - February 2026]]>This month Steve and I talked about:

- Clawdbot/Moltbot/OpenClaw security considerations: https://openclaw.ai/

- Rent-a-Human: https://rentahuman.ai

- Nvidia's imperiled $100B investment in OpenAI: https://www.wsj.com/tech/ai/the-100-billion-megadeal-between-openai-and-nvidia-is-on-ice-aa3025e3

- Svedka's AI Super Bowl Ad: https://www.mashed.com/2091485/svedka-super-bowl-ad-2026-ai-hellscape/

]]>876507ce-f356-4b4f-950a-8dcf44ad3657Tue, 03 Feb 2026 21:28:11 GMT<p>This month Steve and I talked about:<br /><br />- Clawdbot/Moltbot/OpenClaw security considerations: <a rel="noopener noreferrer nofollow" href="https://openclaw.ai/" target="_blank">https://openclaw.ai/</a><br /><br />- Rent-a-Human: <a rel="noopener noreferrer nofollow" href="https://rentahuman.ai" target="_blank">https://rentahuman.ai</a><br /><br />- Nvidia's imperiled $100B investment in OpenAI: <a rel="noopener noreferrer nofollow" href="https://www.wsj.com/tech/ai/the-100-billion-megadeal-between-openai-and-nvidia-is-on-ice-aa3025e3" target="_blank">https://www.wsj.com/tech/ai/the-100-billion-megadeal-between-openai-and-nvidia-is-on-ice-aa3025e3</a><br /><br />- Svedka's AI Super Bowl Ad: <a rel="noopener noreferrer nofollow" href="https://www.mashed.com/2091485/svedka-super-bowl-ad-2026-ai-hellscape/" target="_blank">https://www.mashed.com/2091485/svedka-super-bowl-ad-2026-ai-hellscape/</a></p>no00:48:30Steve and Walter talk AI - February 2026full<![CDATA[Accelerating AI governance at Embold Health]]>No sector is more in need of effective, well-governed AI than healthcare.

The United States spends vastly more per person than any other nation, yet is in the middle of the pack when it comes to life expectancy.

That’s why I was so excited to work with Embold Health to measure and manage their AI-related cybersecurity, compliance, and privacy risk.

Recently I had the pleasure of speaking with their Chief Security and Privacy Officer, Steve Dufour, and Vice President of Engineering, Mark Blackham on the Deploy Securely podcast.

We went in depth on how they:

  • Deliver value with AI
  • Protect patient data and their intellectual property
  • Are thinking about the future of AI (governance) in healthcare

Need your own AI risk assessment and governance program build-out?

Book a call at https://contact.stackaware.com.

*** Show notes ***

At 20:58, Steve refers to the Society for Information Management (https://www.simnet.org/home).

At 34:10, Walter refers to an article about intellectual property risk management and AI (https://blog.stackaware.com/p/intellectual-property-artificial-intelligence).

]]>Buzzsprout-15381066Mon, 08 Jul 2024 18:00:00 GMT<p>No sector is more in need of effective, well-governed AI than healthcare.</p><p>The United States <a href="https://ourworldindata.org/grapher/life-expectancy-vs-health-expenditure" rel="noopener noreferrer nofollow">spends</a> vastly more per person than any other nation, yet is in the middle of the pack when it comes to life expectancy.</p><p>That’s why I was so excited to work with <a href="https://emboldhealth.com/" rel="noopener noreferrer nofollow">Embold Health</a> to measure and manage their AI-related cybersecurity, compliance, and privacy risk.</p><p>Recently I had the pleasure of speaking with their Chief Security and Privacy Officer, Steve Dufour, and Vice President of Engineering, Mark Blackham on the Deploy Securely podcast.</p><p>We went in depth on how they:</p><ul><li>Deliver value with AI</li><li>Protect patient data and their intellectual property</li><li>Are thinking about the future of AI (governance) in healthcare</li></ul><p>Need your own AI risk assessment and governance program build-out?<br /><br />Book a call at https://contact.stackaware.com.<br /><br />*** Show notes ***<br /><br />At 20:58, Steve refers to the Society for Information Management (https://www.simnet.org/home).<br /><br />At 34:10, Walter refers to an article about intellectual property risk management and AI (https://blog.stackaware.com/p/intellectual-property-artificial-intelligence).</p>no00:39:30Accelerating AI governance at Embold Healthfull<![CDATA[Code Llama: 5-minute risk analysis]]>Someone asked me what the unintended training and data retention risk with Meta's code Llama is.

My answer:

the same as every other model you host and operate on your own.

And, all other things being equal, it's lower than that of anything operating -as-a-Service (-aaS) like ChatGPT or Claude.

Check out this video for deeper dive?

Or read the full post on Deploy Securely: https://blog.stackaware.com/p/code-llama-self-hosted-model-unintended-training

Want more AI security resources? Check out: https://products.stackaware.com/

]]>Buzzsprout-14142560Wed, 13 Dec 2023 18:00:00 GMT<p>Someone asked me what the unintended training and data retention risk with Meta's code Llama is.<br /><br />My answer:<br /><br />the same as every other model you host and operate on your own.<br /><br />And, all other things being equal, it's lower than that of anything operating -as-a-Service (-aaS) like ChatGPT or Claude.<br /><br />Check out this video for deeper dive?<br /><br />Or read the full post on Deploy Securely: https://blog.stackaware.com/p/code-llama-self-hosted-model-unintended-training<br /><br />Want more AI security resources? Check out: https://products.stackaware.com/</p>no00:04:43Code Llama: 5-minute risk analysisfull<![CDATA[AI Action Plan, "tool-squatting" attacks, jobless college grads, and insurance for AI]]>Federal AI action plan: 
https://www.ai.gov/action-plan

Tool-squatting attack paper: https://arxiv.org/pdf/2504.19951

Burning Glass Institute report: 
https://static1.squarespace.com/static/6197797102be715f55c0e0a1/t/6889055d25352c5b3f28c202/1753810269213/No+Country+for+Young+Grads+V_Final7.29.25+%281%29.pdf

AIUC: https://aiuc.com

]]>Buzzsprout-17624864Wed, 06 Aug 2025 15:00:00 GMT<p>Federal AI action plan: <br />https://www.ai.gov/action-plan<br /><br />Tool-squatting attack paper: https://arxiv.org/pdf/2504.19951<br /><br />Burning Glass Institute report: <br />https://static1.squarespace.com/static/6197797102be715f55c0e0a1/t/6889055d25352c5b3f28c202/1753810269213/No+Country+for+Young+Grads+V_Final7.29.25+%281%29.pdf<br /><br />AIUC: https://aiuc.com</p>no00:37:14AI Action Plan, "tool-squatting" attacks, jobless college grads, and insurance for AIfull<![CDATA[Governing AI in a Fortune 500 (or 25!) healthcare firm]]>I was excited to host Rick Doten, a powerhouse in cybersecurity, to discuss:

  • Key insights from his time as CISO at healthcare giant Centene
  • The ethical nuances of AI governance in the space
  • His experiences advising venture capital firms and cybersecurity startupsI was excited to host Rick Doten, a powerhouse in cybersecurity, to discuss: - Key insights from his time as CISO at healthcare giant Centene - The ethical nuances of AI governance in the space - His experiences advising venture capital firms and cybersecurity startups
]]>Buzzsprout-17893788Tue, 23 Sep 2025 19:00:00 GMT<p>I was excited to host Rick Doten, a powerhouse in cybersecurity, to discuss:</p><ul><li>Key insights from his time as CISO at healthcare giant Centene</li><li>The ethical nuances of AI governance in the space</li><li>His experiences advising venture capital firms and cybersecurity startupsI was excited to host Rick Doten, a powerhouse in cybersecurity, to discuss: - Key insights from his time as CISO at healthcare giant Centene - The ethical nuances of AI governance in the space - His experiences advising venture capital firms and cybersecurity startups</li></ul>no00:33:00Governing AI in a Fortune 500 (or 25!) healthcare firmfull<![CDATA[AI regulation ban, NVIDIA chip exports, and brain rot in LLMs]]>Steve Dufour and I had our monthly AI-related discussion, touching on:

]]>Buzzsprout-18329951Wed, 10 Dec 2025 09:00:00 GMT<p>Steve Dufour and I had our monthly AI-related discussion, touching on:</p><ul><li>The Trump Administration EO <a href="https://www.reuters.com/world/trump-says-he-will-sign-executive-order-this-week-ai-approval-process-2025-12-08/" rel="noopener noreferrer nofollow">​preempting​</a> state AI regulation</li><li>NVIDIA's H200 chip <a href="https://www.semafor.com/article/12/09/2025/trump-says-nvidia-can-sell-h200-ai-chips-to-china" rel="noopener noreferrer nofollow">​export​</a></li><li>"<a href="https://arxiv.org/pdf/2510.13928" rel="noopener noreferrer nofollow">​Brain Rot​</a>" in Large Language Models</li><li>Crowdsourced data poisoning [this <a href="https://www.reddit.com/r/TrueFactzOnly/" rel="noopener noreferrer nofollow">​site​</a> is fake news]</li><li>Apple's "<a href="https://www.bloomberg.com/news/articles/2025-12-09/apple-stock-surges-as-ai-weary-mood-grips-wall-street" rel="noopener noreferrer nofollow">​Slow​</a>" AI Strategy as a positive</li></ul>no00:42:28AI regulation ban, NVIDIA chip exports, and brain rot in LLMsfull<![CDATA[Getting patients to better doctors, faster with generative AI]]>The basics of healthcare can often be a nightmare:

- Finding the right doctor
- Setting up and appointment
- Getting simple questions answered

While these things might seem like an inconvenience, on the grand scale they cost a lot - of money, and unfortunately, lives.

That’s why the Embold Virtual Assistant (EVA) is such a breakthrough.

A generative AI-powered chatbot with access to up-to-date doctor listings and performance ratings, it’s literally a lifesaver.

StackAware was honored to conduct a pre-deployment AI risk assessment and penetration test for EVA on behalf of our client Embold Health.

Following up on our previous discussion, I sat down again with Steve Dufour and Mark Blackham to discuss the product’s development and rollout.

We chatted about:

- EVA’s performance metrics
- Cybersecurity, compliance, and privacy issues
- The future of AI governance and product development in healthcare

Bonus: Steve and I also presented on this work at HITRUST’s Collaborate Conference. Here is our deck: https://docs.google.com/presentation/d/1EedOula8X81WxzVkQim1amiDZWMM8Lh0

Need your own AI risk assessment and governance program build-out?

Book a call at contact.stackaware.com.

]]>Buzzsprout-16111059Fri, 15 Nov 2024 08:00:00 GMT<p>The basics of healthcare can often be a nightmare:<br /><br />- Finding the right doctor<br />- Setting up and appointment<br />- Getting simple questions answered<br /><br />While these things might seem like an inconvenience, on the grand scale they cost a lot - of money, and unfortunately, lives.<br /><br />That’s why the Embold Virtual Assistant (EVA) is such a breakthrough.<br /><br />A generative AI-powered chatbot with access to up-to-date doctor listings and performance ratings, it’s literally a lifesaver.<br /><br />StackAware was honored to conduct a pre-deployment AI risk assessment and penetration test for EVA on behalf of our client Embold Health.<br /><br />Following up on our previous discussion, I sat down again with Steve Dufour and Mark Blackham to discuss the product’s development and rollout.<br /><br />We chatted about:<br /><br />- EVA’s performance metrics<br />- Cybersecurity, compliance, and privacy issues<br />- The future of AI governance and product development in healthcare<br /><br />Bonus: Steve and I also presented on this work at HITRUST’s Collaborate Conference. Here is our deck: https://docs.google.com/presentation/d/1EedOula8X81WxzVkQim1amiDZWMM8Lh0<br /><br />Need your own AI risk assessment and governance program build-out?<br /><br />Book a call at contact.stackaware.com.</p>no00:38:27Getting patients to better doctors, faster with generative AIfull<![CDATA[Artificial Intelligence Risk Scoring System (AIRSS) - Part 2]]>What does "security" even mean with AI?

You'll need to define things like:

BUSINESS REQUIREMENTS

- What type of output is expected?
- What format should it be?
- What is the use case?

SECURITY REQUIREMENTS

- Who is allowed to see which outputs?
- Under which conditions?

Having these things spelled out is a hard requirement before you can start talking about the risk of a given AI model.

Continuing the build-out of the Artificial Intelligence Risk Scoring System (AIRSS), I tackle these issues - and more - in the latest issue of Deploy Securely.

Check out the written post as well: https://blog.stackaware.com/p/artificial-intelligence-risk-scoring-system-p2

Here is the pURL for the model I mentioned: pkg:generic/gpt-3.5-turbo@0613?ft=80Z1hDhg

]]>Buzzsprout-13927539Mon, 13 Nov 2023 12:00:00 GMT<p>What does "security" even mean with AI?<br /><br />You'll need to define things like:<br /><br />BUSINESS REQUIREMENTS<br /><br />- What type of output is expected?<br />- What format should it be?<br />- What is the use case?<br /><br />SECURITY REQUIREMENTS<br /><br />- Who is allowed to see which outputs?<br />- Under which conditions?<br /><br />Having these things spelled out is a hard requirement before you can start talking about the risk of a given AI model.<br /><br />Continuing the build-out of the Artificial Intelligence Risk Scoring System (AIRSS), I tackle these issues - and more - in the latest issue of Deploy Securely.<br /><br />Check out the written post as well: https://blog.stackaware.com/p/artificial-intelligence-risk-scoring-system-p2<br /><br />Here is the pURL for the model I mentioned: pkg:generic/gpt-3.5-turbo@0613?ft=80Z1hDhg</p>no00:10:46Artificial Intelligence Risk Scoring System (AIRSS) - Part 2full<![CDATA[Aware AI Brief - January 2026]]>In this inaugural episode of the Aware AI Brief, Cameron talks with Walter Haydock, founder of StackAware, about the practical aspects of AI governance.

This series aims to bridge the gap between theoretical AI governance discussions and actionable, real-world practices.

They discuss the importance of understanding a client's business objectives before implementing AI governance, identifying key stakeholders, and managing risks around intellectual property and shadow AI.

00:00 Introduction and Greetings
00:59 Introducing the Aware AI Brief Series
02:02 Starting AI Governance: First Steps
02:33 Understanding Client Needs and Objectives
06:02 Identifying Key Stakeholders
08:38 Intellectual Property and AI
15:51 Managing Shadow AI
22:23 Conclusion and Call for Questions

Blog post about IP risk with AI: https://blog.stackaware.com/p/intellectual-property-risk-compliance-indemnification-copyright-artificial-intelligence-governance

]]>Buzzsprout-18596026Fri, 30 Jan 2026 14:00:00 GMT<p>In this inaugural episode of the Aware AI Brief, Cameron talks with Walter Haydock, founder of StackAware, about the practical aspects of AI governance.<br /><br />This series aims to bridge the gap between theoretical AI governance discussions and actionable, real-world practices.<br /><br />They discuss the importance of understanding a client's business objectives before implementing AI governance, identifying key stakeholders, and managing risks around intellectual property and shadow AI.<br /><br />00:00 Introduction and Greetings<br />00:59 Introducing the Aware AI Brief Series<br />02:02 Starting AI Governance: First Steps<br />02:33 Understanding Client Needs and Objectives<br />06:02 Identifying Key Stakeholders<br />08:38 Intellectual Property and AI<br />15:51 Managing Shadow AI<br />22:23 Conclusion and Call for Questions<br /><br />Blog post about IP risk with AI: https://blog.stackaware.com/p/intellectual-property-risk-compliance-indemnification-copyright-artificial-intelligence-governance</p>no00:23:36Aware AI Brief - January 2026full<![CDATA[The state of AI assurance in 2024]]>I was thrilled to have a leading voice on AI governance and assurance on the Deploy Securely podcast: Patrick Sullivan.

Patrick is the Vice President of Strategy and Innovation at A-LIGN, a cybersecurity assurance firm. He’s an expert on the intersection of AI and compliance, regularly sharing expert insights about ISO 42001, the EU AI Act, and their interplay with existing regulations and best practices.

We chatted about what he's seen from his customer base when it comes to AI-related:

- Cybersecurity
- Compliance
- Privacy

Check out the full episode!

]]>Buzzsprout-15743399Thu, 12 Sep 2024 19:00:00 GMT<p>I was thrilled to have a leading voice on AI governance and assurance on the Deploy Securely podcast: Patrick Sullivan.<br /><br />Patrick is the Vice President of Strategy and Innovation at A-LIGN, a cybersecurity assurance firm. He’s an expert on the intersection of AI and compliance, regularly sharing expert insights about ISO 42001, the EU AI Act, and their interplay with existing regulations and best practices.<br /><br />We chatted about what he's seen from his customer base when it comes to AI-related:<br /><br />- Cybersecurity<br />- Compliance<br />- Privacy<br /><br />Check out the full episode!</p>no00:35:46The state of AI assurance in 2024full<![CDATA[AI governance for Health Information Exchanges]]>I recently spoke with Bezawit Sumner, CISO of CRISP Shared Services about:

  • How to address stakeholder concerns when rolling out AI in sensitive spaces like healthcare
  • Issues related to scoping and definitions being non-trivial for AI governance
  • The evolving AI regulatory landscape and what companies can do to adapt
]]>Buzzsprout-18133769Tue, 04 Nov 2025 20:00:00 GMT<p>I recently spoke with Bezawit Sumner, CISO of CRISP Shared Services about:</p><ul><li>How to address stakeholder concerns when rolling out AI in sensitive spaces like healthcare</li><li>Issues related to scoping and definitions being non-trivial for AI governance</li><li>The evolving AI regulatory landscape and what companies can do to adapt</li></ul>no00:30:51AI governance for Health Information Exchangesfull<![CDATA[Sensitive Data Generation]]>I’m worried about data leakage from LLMs, but probably not why you think.

While unintended training is a real risk that can’t be ignored, something else is going to be a much more serious problem: sensitive data generation (SDG).

A recent paper (https://arxiv.org/pdf/2310.07298v1.pdf) shows how LLMs can infer huge amounts of personal information from seemingly innocuous comments on Reddit.

And this phenomenon will have huge impacts for:

- Material nonpublic information
- Executive moves
- Trade secrets

and the ability to keep them confidential.

Check out the full post in Deploy Securely for a breakdown: https://blog.stackaware.com/p/sensitive-data-generation

]]>Buzzsprout-13928890Mon, 27 Nov 2023 12:00:00 GMT<p>I’m worried about data leakage from LLMs, but probably not why you think.<br /><br />While unintended training is a real risk that can’t be ignored, something else is going to be a much more serious problem: sensitive data generation (SDG).<br /><br />A recent paper (https://arxiv.org/pdf/2310.07298v1.pdf) shows how LLMs can infer huge amounts of personal information from seemingly innocuous comments on Reddit.<br /><br />And this phenomenon will have huge impacts for:<br /><br />- Material nonpublic information<br />- Executive moves<br />- Trade secrets<br /><br />and the ability to keep them confidential.<br /><br />Check out the full post in Deploy Securely for a breakdown: https://blog.stackaware.com/p/sensitive-data-generation</p>no00:06:40Sensitive Data Generationfull<![CDATA[Insuring AI in an agentic future]]>I spoke with Emil Bender Lassen, Standard Lead at the Artificial Intelligence Underwriting Company.

We talked about:

- What AIUC-1 requires from AI agents

- How the standard drives insurance rate

- Technical tips on preventing technical detail release and avoiding IP risk

- The future of AIUC-1 and how it complements ISO 42001, NIST AI RMF, and other frameworks

]]>Buzzsprout-18542654Tue, 20 Jan 2026 20:00:00 GMT<p>I spoke with Emil Bender Lassen, Standard Lead at the Artificial Intelligence Underwriting Company.<br /><br />We talked about:<br /><br />- What AIUC-1 requires from AI agents</p><p>- How the standard drives insurance rate</p><p>- Technical tips on preventing technical detail release and avoiding IP risk</p><p>- The future of AIUC-1 and how it complements ISO 42001, NIST AI RMF, and other frameworks</p>no00:40:50Insuring AI in an agentic futurefull<![CDATA[Real-world AI governance, from an auditor perspective]]>I had the chance to speak with Patrick Sullivan. Patrick is the Vice President of Strategy and Innovation at A-LIGN. He brings over 25 years of expertise in cybersecurity, compliance, and risk management to the healthcare and life sciences sectors.

We talked about:

- How companies are complying with a web of AI regulation
- Best practices for AI agent security and accountability
- Genomic data security and AI

]]>Buzzsprout-18509130Thu, 15 Jan 2026 11:00:00 GMT<p>I had the chance to speak with Patrick Sullivan. Patrick is the Vice President of Strategy and Innovation at A-LIGN. He brings over 25 years of expertise in cybersecurity, compliance, and risk management to the healthcare and life sciences sectors.<br /><br />We talked about:<br /><br />- How companies are complying with a web of AI regulation<br />- Best practices for AI agent security and accountability<br />- Genomic data security and AI</p>no00:30:40Real-world AI governance, from an auditor perspectivefull<![CDATA[Tackling AI governance with federal data]]>On this episode of the Deploy Securely podcast, I spoke with Kenny Scott, Founder and CEO of Paramify.

Paramify gets companies ready for the U.S. government's Federal Risk and Authorization Management Program (FedRAMP). And in this conversation, we talked about:

- Paramify "walking the walk" by getting FedRAMP High authorized
- How AI is impacting FedRAMP authorizations
- The future of AI regulation

]]>Buzzsprout-15823562Thu, 26 Sep 2024 20:00:00 GMT<p>On this episode of the Deploy Securely podcast, I spoke with Kenny Scott, Founder and CEO of Paramify.<br /><br />Paramify gets companies ready for the U.S. government's Federal Risk and Authorization Management Program (FedRAMP). And in this conversation, we talked about:<br /><br />- Paramify "walking the walk" by getting FedRAMP High authorized<br />- How AI is impacting FedRAMP authorizations<br />- The future of AI regulation</p>no00:36:15Tackling AI governance with federal datafull<![CDATA[3 AI governance frameworks]]>Drive sales, improve customer trust, and avoid regulatory penalties with the NIST AI RMF, EU AI Act, and ISO 42001.

Check out the full post on the Deploy Securely blog: https://blog.stackaware.com/p/eu-ai-act-nist-rmf-iso-42001-picking-frameworks

]]>Buzzsprout-15405849Fri, 12 Jul 2024 21:00:00 GMT<p>Drive sales, improve customer trust, and avoid regulatory penalties with the NIST AI RMF, EU AI Act, and ISO 42001.<br /><br />Check out the full post on the Deploy Securely blog: https://blog.stackaware.com/p/eu-ai-act-nist-rmf-iso-42001-picking-frameworks</p>no00:04:433 AI governance frameworksfull<![CDATA[The top 3 AI security concerns in healthcare]]>Buzzsprout-15349506Tue, 02 Jul 2024 17:00:00 GMT-no00:03:42The top 3 AI security concerns in healthcarefull<![CDATA[Big Beautiful AI Moratorium fails, ISO 42005, and automating yourself out of a job]]>Walter kicks off a recurring series with Steve Dufour, talking about:

- Trump's "Big Beautiful Bill" moving through the Senate and how a key AI-related provision was just removed.
- Some key court decisions related to generative AI training on copyrighted material
- ISO/IEC 42005:2025, which gives guidance on AI impact assessments
- Ways to (avoid) automating yourself out of a job

]]>Buzzsprout-17435918Wed, 02 Jul 2025 10:00:00 GMT<p>Walter kicks off a recurring series with Steve Dufour, talking about:<br /><br />- Trump's "Big Beautiful Bill" moving through the Senate and how a key AI-related provision was just removed.<br />- Some key court decisions related to generative AI training on copyrighted material<br />- ISO/IEC 42005:2025, which gives guidance on AI impact assessments<br />- Ways to (avoid) automating yourself out of a job</p>no00:50:55Big Beautiful AI Moratorium fails, ISO 42005, and automating yourself out of a jobfull<![CDATA[AI hardware killswitches, SB-205 troubles, ChatGPT connectors, and more]]>NVIDIA blog on killswitches: 
https://blogs.nvidia.com/blog/no-backdoors-no-kill-switches-no-spyware/

Colorado Legislative AI Task Force Report: https://leg.colorado.gov/sites/default/files/images/report_and_recommendations-accessible_1_0.pdf

SB-205 opposition: https://gazette.com/government/colorado-mayors-oppose-ai-regulation-law/article_0abe652f-a60a-583e-a138-e73fa45e9a03.html

AI Stethoscope: https://www.imperial.ac.uk/news/249316/ai-stethoscope-rolled-100-gp-clinics/

ChatGPT Connectors: https://help.openai.com/en/articles/11487775-connectors-in-chatgpt

]]>Buzzsprout-17775939Tue, 02 Sep 2025 21:00:00 GMT<p>NVIDIA blog on killswitches: <br />https://blogs.nvidia.com/blog/no-backdoors-no-kill-switches-no-spyware/<br /><br />Colorado Legislative AI Task Force Report: https://leg.colorado.gov/sites/default/files/images/report_and_recommendations-accessible_1_0.pdf<br /><br />SB-205 opposition: https://gazette.com/government/colorado-mayors-oppose-ai-regulation-law/article_0abe652f-a60a-583e-a138-e73fa45e9a03.html<br /><br />AI Stethoscope: https://www.imperial.ac.uk/news/249316/ai-stethoscope-rolled-100-gp-clinics/<br /><br />ChatGPT Connectors: https://help.openai.com/en/articles/11487775-connectors-in-chatgpt</p>no00:43:19AI hardware killswitches, SB-205 troubles, ChatGPT connectors, and morefull<![CDATA[Securely harnessing AI in financial services]]>I spoke with Matt Adams, Head of Security Enablement at Citi, about:

- The EU AI Act and other laws and regulations impacting AI governance and security
- What financial services organizations can do to secure their AI deployments
- Some of the biggest myths and misconceptions when it comes to AI governance

]]>Buzzsprout-15702520Thu, 05 Sep 2024 18:00:00 GMT<p>I spoke with Matt Adams, Head of Security Enablement at Citi, about:<br /><br />- The EU AI Act and other laws and regulations impacting AI governance and security<br />- What financial services organizations can do to secure their AI deployments<br />- Some of the biggest myths and misconceptions when it comes to AI governance</p>no00:40:12Securely harnessing AI in financial servicesfull<![CDATA[How Conveyor deploys AI securely (for security)]]>While using AI securely is a key concern (especially for companies like StackAware), on the flipside, AI has been supercharging security and compliance teams.

Especially when tackling mundane tasks like security questionnaires, AI can accelerate sales and build trust.

I chatted with Chas Ballew, CEO of Conveyor, about:

- How AI can help with customer security reviews
- What sort of controls Conveyor has in place
- What Chas thinks the future will look like
- The regulatory landscape for AI

Here are some resources Chas mentions in the show:

Deepmind Solving International Mathematical Olympiad problems
https://deepmind.google/discover/blog/ai-solves-imo-problems-at-silver-medal-level/

Prof. Geoffrey Hinton - "Will digital intelligence replace biological intelligence?" 
https://www.youtube.com/watch?v=N1TEjTeQeg0

Jim Keller on Lex Fridman
https://www.youtube.com/watch?v=G4hL5Om4IJ4

]]>Buzzsprout-15477665Thu, 25 Jul 2024 23:00:00 GMT<p>While using AI securely is a key concern (especially for companies like StackAware), on the flipside, AI has been supercharging security and compliance teams.<br /><br />Especially when tackling mundane tasks like security questionnaires, AI can accelerate sales and build trust.<br /><br />I chatted with Chas Ballew, CEO of Conveyor, about:<br /><br />- How AI can help with customer security reviews<br />- What sort of controls Conveyor has in place<br />- What Chas thinks the future will look like<br />- The regulatory landscape for AI<br /><br />Here are some resources Chas mentions in the show:<br /><br />Deepmind Solving International Mathematical Olympiad problems<br />https://deepmind.google/discover/blog/ai-solves-imo-problems-at-silver-medal-level/<br /><br />Prof. Geoffrey Hinton - "Will digital intelligence replace biological intelligence?" <br />https://www.youtube.com/watch?v=N1TEjTeQeg0<br /><br />Jim Keller on Lex Fridman<br />https://www.youtube.com/watch?v=G4hL5Om4IJ4</p>no00:37:43How Conveyor deploys AI securely (for security)full<![CDATA[4th party AI processing and retention risk]]>So you have your AI policy in place and are carefully controlling access to new apps as they launch, but then...

...you realize your already-approved tools are themselves starting to leverage 4th party AI vendors.

Welcome to the modern digital economy.

Things are complex and getting even more so.

That's why you need to incorporate 4th party risk into your security policies, procedures, and overall AI governance program.

Check out the full post with the Asana and Databricks examples I mentioned: https://blog.stackaware.com/p/ai-supply-chain-processing-retention-risk

]]>Buzzsprout-13929030Mon, 04 Dec 2023 12:00:00 GMT<p>So you have your AI policy in place and are carefully controlling access to new apps as they launch, but then...<br /><br />...you realize your already-approved tools are themselves starting to leverage 4th party AI vendors.<br /><br />Welcome to the modern digital economy.<br /><br />Things are complex and getting even more so.<br /><br />That's why you need to incorporate 4th party risk into your security policies, procedures, and overall AI governance program.<br /><br />Check out the full post with the Asana and Databricks examples I mentioned: https://blog.stackaware.com/p/ai-supply-chain-processing-retention-risk</p>no00:06:234th party AI processing and retention riskfull<![CDATA[Artificial Intelligence Risk Scoring System (AIRSS) - Part 1]]>AI cyber risk management needs a new paradigm.

Logging CVEs and using CVSS just does not make sense for AI models, and won't cut it going forward.

That's why I launched the Artificial Intelligence Risk Scoring System (AIRSS).

A quantitative approach to measuring cybersecurity risk from artificial intelligence systems, I am building it in public to help refine and improve the approach.

Check out the first post in a series where I lay out my methodology: https://blog.stackaware.com/p/artificial-intelligence-risk-scoring-system-p1

]]>Buzzsprout-13927233Tue, 07 Nov 2023 18:00:00 GMT<p>AI cyber risk management needs a new paradigm.<br /><br />Logging CVEs and using CVSS just does not make sense for AI models, and won't cut it going forward.<br /><br />That's why I launched the Artificial Intelligence Risk Scoring System (AIRSS).<br /><br />A quantitative approach to measuring cybersecurity risk from artificial intelligence systems, I am building it in public to help refine and improve the approach.<br /><br />Check out the first post in a series where I lay out my methodology: https://blog.stackaware.com/p/artificial-intelligence-risk-scoring-system-p1</p>no00:14:19Artificial Intelligence Risk Scoring System (AIRSS) - Part 1full<![CDATA[How should we track AI vulnerabilities?]]>The Cybersecurity and Infrastructure Security Agency (CISA) released a post earlier this year saying the AI engineering community should use something like the existing CVE system for tracking vulnerabilities in AI models.

Unfortunately, this is a pretty bad recommendation.

That's because:

- CVEs already create a lot of noise
- AI systems are non-deterministic
- So things would just get worse

In this episode, I dive into these issues and discuss the way ahead.

Check out the full blog post: https://blog.stackaware.com/p/how-should-we-identify-ai-vulnerabilities

]]>Buzzsprout-13875525Mon, 30 Oct 2023 20:00:00 GMT<p>The Cybersecurity and Infrastructure Security Agency (CISA) released a post earlier this year saying the AI engineering community should use something like the existing CVE system for tracking vulnerabilities in AI models.<br /><br />Unfortunately, this is a pretty bad recommendation.<br /><br />That's because:<br /><br />- CVEs already create a lot of noise<br />- AI systems are non-deterministic<br />- So things would just get worse<br /><br />In this episode, I dive into these issues and discuss the way ahead.<br /><br />Check out the full blog post: https://blog.stackaware.com/p/how-should-we-identify-ai-vulnerabilities</p>no00:07:19How should we track AI vulnerabilities?full<![CDATA[Generative AI and Unintended Training]]>🔐 Think self-hosting your AI models is more secure?

It might be...or not!

In this video, we dig into the topic of AI model security and introduce the concept of "unintended training."

▶️ Key Highlights:

- The myth that self-hosting AI models is necessarily better for security
- Decision factors when choosing between SaaS vs. IaaS
- Defining "Unintentional Training" and its implications

Read more about unintended training and AI Security: 
https://blog.stackaware.com/p/unintended-training

And for a deep dive on the security benefits of SaaS, check out this post:
https://blog.stackaware.com/p/declaring-a-truce-on-saas-security

Hit that subscribe button for more cutting-edge AI security insights! ✅

]]>Buzzsprout-13828165Mon, 23 Oct 2023 12:00:00 GMT<p>🔐 Think self-hosting your AI models is more secure?<br /><br />It might be...or not!<br /><br />In this video, we dig into the topic of AI model security and introduce the concept of "unintended training."<br /><br />▶️ Key Highlights:<br /><br />- The myth that self-hosting AI models is necessarily better for security<br />- Decision factors when choosing between SaaS vs. IaaS<br />- Defining "Unintentional Training" and its implications<br /><br />Read more about unintended training and AI Security: <br />https://blog.stackaware.com/p/unintended-training<br /><br />And for a deep dive on the security benefits of SaaS, check out this post:<br />https://blog.stackaware.com/p/declaring-a-truce-on-saas-security<br /><br />Hit that subscribe button for more cutting-edge AI security insights! ✅</p>no00:07:39Generative AI and Unintended Trainingfull<![CDATA[Who should make cyber risk management decisions?]]>It's a tougher challenge than many security folks talk about.

Who should have the final say about whether to accept, mitigate, transfer, or avoid risk?

- Cybersecurity?
- Compliance?
- Legal?

The answer:

None of them.

Check out this episode of Deploy Securely to learn who should.

Or read the original blog post here: https://blog.stackaware.com/p/who-should-make-cyber-risk-management

]]>Buzzsprout-13831724Mon, 23 Oct 2023 10:00:00 GMT<p>It's a tougher challenge than many security folks talk about.<br /><br />Who should have the final say about whether to accept, mitigate, transfer, or avoid risk?<br /><br />- Cybersecurity?<br />- Compliance?<br />- Legal?<br /><br />The answer:<br /><br />None of them.<br /><br />Check out this episode of Deploy Securely to learn who should.<br /><br />Or read the original blog post here: https://blog.stackaware.com/p/who-should-make-cyber-risk-management</p>no00:14:26Who should make cyber risk management decisions?full<![CDATA[Who should get ISO 42001 certified?]]>1) Early-stage AI startups often grapple with customer security reviews, making certifications like SOC 2 or ISO 27001 essential. However, ISO 42001 might be more suitable for AI-focused companies due to its comprehensive coverage.

2) Larger corporations using AI to manage sensitive data face scrutiny and criticism. These companies can validate their AI practices through ISO 42001, offering a certified risk management system that reassures stakeholders

3) In heavily-regulated sectors like healthcare and finance, adopting and certifying AI technologies is complex. ISO 42001 helps these enterprises manage risks and maintain credibility by adhering to industry standards.

Check out the full post on the Deploy Securely blog: https://blog.stackaware.com/p/iso-42001-ai-management-system-company-types

Want more AI security resources? Check out https://products.stackaware.com/

]]>Buzzsprout-15345360Tue, 02 Jul 2024 00:00:00 GMT<p>1) Early-stage AI startups often grapple with customer security reviews, making certifications like SOC 2 or ISO 27001 essential. However, ISO 42001 might be more suitable for AI-focused companies due to its comprehensive coverage.<br /><br />2) Larger corporations using AI to manage sensitive data face scrutiny and criticism. These companies can validate their AI practices through ISO 42001, offering a certified risk management system that reassures stakeholders<br /><br />3) In heavily-regulated sectors like healthcare and finance, adopting and certifying AI technologies is complex. ISO 42001 helps these enterprises manage risks and maintain credibility by adhering to industry standards.<br /><br />Check out the full post on the Deploy Securely blog: https://blog.stackaware.com/p/iso-42001-ai-management-system-company-types<br /><br />Want more AI security resources? Check out https://products.stackaware.com/</p>no00:03:42Who should get ISO 42001 certified?full<![CDATA[Compliance and AI - 3 quick observations]]>Here are the top 3 things I'm seeing:

1️⃣ Auditors don’t (yet) have strong opinions on how to deploy AI securely

2️⃣ Enforcement is here, just not evenly distributed.

3️⃣ Integrating AI-specific requirements with existing security, privacy, and compliance ones isn’t going to be easy

Want to see a full post? Check out the Deploy Securely blog: https://blog.stackaware.com/p/ai-governance-compliance-auditors-enforcement

]]>Buzzsprout-14905276Wed, 17 Apr 2024 10:00:00 GMT<p>Here are the top 3 things I'm seeing:<br /><br />1️⃣ Auditors don’t (yet) have strong opinions on how to deploy AI securely<br /><br />2️⃣ Enforcement is here, just not evenly distributed.<br /><br />3️⃣ Integrating AI-specific requirements with existing security, privacy, and compliance ones isn’t going to be easy<br /><br />Want to see a full post? Check out the Deploy Securely blog: https://blog.stackaware.com/p/ai-governance-compliance-auditors-enforcement</p>no00:04:48Compliance and AI - 3 quick observationsfull<![CDATA[Waymo outage, Manus, AI-generated police reports]]>To kick off the new year, Steve Dufour and I chatted about:

  • Steve's expertise in copying and pasting hundreds of lines from the Health Insurance Portability and Accountability Act (HIPAA), because ChatGPT couldn't parse it.
  • The late December 2025 ​Waymo outage​.
  • Cops Forced to ​Explain​ Why AI Generated Police Report Claimed Officer Transformed Into Frog.
  • Manus AI's ​acquisition​.
  • AI hampering ​productivity​ of software developers, despite expectations it would boost efficiency.
  • ​Impacts​ of AI on language, media, and culture.
  • Our 2026 predictions for AI
]]>Buzzsprout-18474572Thu, 08 Jan 2026 13:00:00 GMT<p>To kick off the new year, Steve Dufour and I chatted about:</p><ul><li>Steve's expertise in copying and pasting hundreds of lines from the Health Insurance Portability and Accountability Act (HIPAA), because ChatGPT couldn't parse it.</li><li>The late December 2025 <a href="https://www.usatoday.com/story/tech/news/2025/12/24/waymo-power-outage-san-francisco-cars-update/87905535007/" rel="noopener noreferrer nofollow">​Waymo outage​</a>.</li><li>Cops Forced to <a href="https://futurism.com/artificial-intelligence/ai-police-report-frog" rel="noopener noreferrer nofollow">​Explain​</a> Why AI Generated Police Report Claimed Officer Transformed Into Frog.</li><li>Manus AI's <a href="https://www.wsj.com/tech/ai/meta-buys-ai-startup-manus-adding-millions-of-paying-users-f1dc7ef8" rel="noopener noreferrer nofollow">​acquisition​</a>.</li><li>AI hampering <a href="https://fortune.com/article/does-ai-increase-workplace-productivity-experiment-software-developers-task-took-longer/" rel="noopener noreferrer nofollow">​productivity​</a> of software developers, despite expectations it would boost efficiency.</li><li><a href="https://www.reddit.com/r/ArtificialInteligence/comments/1py55r7/ai_generated_content_is_changing_our_language_and" rel="noopener noreferrer nofollow">​Impacts​</a> of AI on language, media, and culture.</li><li>Our 2026 predictions for AI</li></ul>no00:45:54Waymo outage, Manus, AI-generated police reportsfull