Insights
AI Security & Governance, written to be useful after the meeting.
Practical, durable guidance for leaders and teams responsible for making AI adoption safer, clearer, and easier to explain.

SaaS Security
SaaS Configuration Drift Needs Change Control, Not Hope
SaaS configuration drift rarely looks dramatic. It looks like an admin making a small setting change so a team can move faster. Then that setting changes who can share data, what can be exported, which apps can connect, or how long logs remain available.
Fred Descloux / 6 min read / July 15, 2026Knowledge Center
Explore the library.

SaaS Configuration Drift Needs Change Control, Not Hope
SaaS configuration drift rarely looks dramatic. It looks like an admin making a small setting change so a team can move faster. Then that setting changes who can share data, what can be exported, which apps can connect, or how long logs remain available.
Fred Descloux / 6 min read / Jul 15, 2026
Service Account Governance Fails When Ownership Is a Mailbox
A service account is not just a credential. It is authority moving through your environment without a human sitting at the keyboard. If nobody owns that authority, nobody is really governing it.
Fred Descloux / 7 min read / Jul 14, 2026
Security Intake Fails When Every Request Becomes a Review
A security intake queue is not automatically governance. If every request becomes the same review, low-risk work waits too long and high-risk work reaches the wrong decision makers too late.
Fred Descloux / 6 min read / Jul 13, 2026
OAuth App Governance: The SaaS Risk Hiding Behind Employee Consent
OAuth app governance breaks when employees can connect third-party apps to enterprise SaaS data and those grants survive long after the task is done. That is the operational problem. Not the login screen. Not the password policy.…
Fred Descloux / 9 min read / Jul 9, 2026
Continuous Controls Monitoring: Why GRC Automation Creates Noise Before Assurance
Continuous controls monitoring fails when it treats every system signal as proof that a control is working. The tool may be modern. The dashboard may be attractive.…
Fred Descloux / 7 min read / Jul 7, 2026
A Records Retention Schedule Is Not a Control Until Data Gets Deleted
A records retention schedule is worthless if expired data keeps living in production systems, backups, exports, analytics tables, and AI workspaces. The policy may satisfy a questionnaire. It may calm an auditor for a quarter.…
Fred Descloux / 7 min read / Jul 2, 2026
AI Asset Inventory: Why Your CMDB Won’t Find the Risk
An AI asset inventory fails when it only tracks approved models and ignores the tools, copilots, plugins, workflows, and vendor features already handling company data.…
Fred Descloux / 9 min read / Jun 30, 2026
Data Loss Prevention: Why Blocking Files Misses the Real Leak
Data loss prevention fails when it treats every leak as a file moving through the wrong door. The primary problem with DLP in most enterprises is not detection accuracy. It is control design.…
Fred Descloux / 7 min read / Jun 25, 2026
AI Incident Response Plan: Why Your Cyber Playbook Misses the First Hour
An AI incident response plan fails quickly when the first signal is a bad model output, a poisoned knowledge base, or an agent taking an action nobody approved. That is the operational gap most enterprises have not closed.…
Fred Descloux / 10 min read / Jun 23, 2026
AI System Prompt Security: Why Your Most Important Control Is Usually Exposed to the Wrong People
The weak point in many enterprise AI deployments is AI system prompt security, not the model itself.…
Fred Descloux / 7 min read / Jun 18, 2026
AI Red Teaming: Why Most Enterprise Exercises Prove Effort, Not Safety
AI red teaming is getting adopted fast, but most enterprise programs are testing the wrong thing. They produce transcripts, screenshots, and a tidy report full of jailbreak examples, then quietly assume the hard part is done.…
Fred Descloux / 7 min read / Jun 16, 2026
AI Acceptable Use Policy: Why Most Companies Ban the Wrong Things
Most AI acceptable use policy documents are built to look cautious, not to survive contact with actual work. They ban a few tools, repeat the usual “don’t paste confidential data” warning, and call it governance.…
Fred Descloux / 7 min read / Jun 11, 2026
AI Logging Policy: Why Most Enterprises Collect Prompts They Should Never Keep
Most companies need an AI logging policy before they scale copilots, internal chat tools, and model-powered workflows.…
Fred Descloux / 7 min read / Jun 9, 2026
AI Data Classification: Why Your Existing Labels Break the Moment Employees Use Copilots
AI data classification breaks in a very specific way once employees start using copilots: the label stays on the document, but the sensitive context moves into prompts, chats, summaries, and outputs that your control model was nev…
Fred Descloux / 7 min read / Jun 4, 2026
AI Policy Exception Process: Why Fast AI Adoption Breaks Slow Governance
The AI policy exception process is where a lot of enterprise AI governance quietly falls apart.…
Fred Descloux / 7 min read / Jun 3, 2026
AI Vendor Due Diligence: Why Security Reviews Keep Missing the Real Risk
AI vendor due diligence is failing in a very specific way: companies are reviewing the vendor as if they were buying ordinary SaaS, while the product behaves more like a moving supply chain. That mismatch matters.…
Fred Descloux / 7 min read / May 29, 2026
AI DPIA: Why Most Privacy Reviews Fail Once the Model Starts Changing
AI DPIA programs fail when they treat a moving system like a one-time project. That is the core problem. If your privacy impact assessment for AI is completed at launch and then filed away, it is probably already wrong.…
Fred Descloux / 7 min read / May 26, 2026
SaaS Access Review: Why Quarterly Certification Misses the Real Risk
SaaS access review has turned into a ritual: export a list, send it to managers, collect approvals, file the screenshots, move on. It looks disciplined. It rarely changes much.…
Fred Descloux / 6 min read / May 21, 2026
Model Risk Management for Generative AI: Stop Pretending the Old Playbook Still Fits
Model risk management for generative AI is now a practical problem, not a future one. Banks, insurers, healthcare companies, and large enterprises are already trying to fit copilots, summarization tools, internal chat assistants,…
Fred Descloux / 7 min read / May 19, 2026
Shadow AI Policy: Why Banning ChatGPT Doesn’t Reduce Enterprise Risk
A shadow AI policy that simply says “don’t use public AI tools” is not a control. It is a dare.…
Fred Descloux / 7 min read / May 14, 2026
AI Risk Register: Why Most Enterprise AI Programs Track Optics Instead of Risk
Most companies building an AI risk register are documenting concerns, not controlling risk. The result is predictable: a neat spreadsheet for audit season, a few traffic-light ratings for leadership, and almost no operational valu…
Fred Descloux / 7 min read / May 12, 2026
AI Asset Inventory: The Missing Control Behind Credible AI Governance
An AI asset inventory is the first control that separates serious AI governance from internal theater.…
Fred Descloux / 6 min read / May 7, 2026
Third-Party Risk Management Is Broken If You Don’t Know Which Vendors Still Have Access
Third-party risk management fails at the point where most companies stop paying attention: after the vendor is approved. That is the real problem with third-party risk management in many enterprises. The intake workflow exists.…
Fred Descloux / 7 min read / May 5, 2026
Model Access Governance: The Control Gap Behind Most Enterprise AI Incidents
Model access governance is becoming a real enterprise control problem, not a policy footnote.…
Fred Descloux / 8 min read / Apr 30, 2026
Why Your AI Approval Process Is Failing in Practice
The AI governance operating model is where most enterprise AI programs quietly fail. Not in the policy. Not in the principles.…
Fred Descloux / 7 min read / Apr 28, 2026
AI Vendor Questionnaire: Why Your Security Review Process Is Slowing You Down
The AI vendor questionnaire is becoming a drag on security review for a simple reason: most of them were built for normal software, not products that change behavior every few weeks. That mismatch matters.…
Fred Descloux / 7 min read / Apr 23, 2026
AI Data Retention Policy: The Control Most Companies Forgot to Build
An AI data retention policy is one of the simplest controls to ask for and one of the easiest to find missing. A company enables a chatbot, a meeting assistant, a coding copilot or an internal retrieval tool.…
Fred Descloux / 7 min read / Apr 21, 2026
AI Agents Are Now an Identity and Access Problem
If you strip away the hype, most enterprise AI risk in 2026 comes down to a familiar failure mode. We are giving software broad access before we have figured out how to govern it. The new wrapper is “agentic AI”.…
Fred Descloux / 6 min read / Apr 14, 2026
Most AI Guardrails Don’t Fail. They Were Never Real.
One of the fastest ways to get false confidence in AI is to say: “We have guardrails”. That sentence sounds reassuring. It suggests control.…
Fred Descloux / 8 min read / Apr 7, 2026
AI Risk Doesn’t Live in Models. It Lives in Decisions.
A lot of AI risk conversations still start in the wrong place. They start with the model. Which model is being used?Was it trained on the right data?Does the vendor say they do not retain prompts?Is there a content filter?…
Fred Descloux / 7 min read / Apr 2, 2026
Security, Minus the Drama
By the time security becomes visible inside a company, it is often already losing. Not because the risks are imaginary. Not because the controls are optional. And not because the people involved are careless.…
Fred Descloux / 10 min read / Mar 25, 2026
Calm Security Beats Perfect Security
Security teams talk a lot about preparedness. Playbooks. Escalation paths. Severity matrices. Logging pipelines. War rooms. Tabletop exercises. Pager rotations. Communication trees. Backup plans for the backup plans.…
Fred Descloux / 10 min read / Mar 17, 2026
Why Security Decisions Don’t Belong in Meetings
There’s a certain kind of security meeting that feels productive while achieving very little. The right people are there. Slides are shared. Someone says “Let’s align”. Someone else says “We should socialize this”.…
Fred Descloux / 9 min read / Mar 11, 2026
The Difference Between Security Advice and Security Work
Security work fails in a predictable way. A leader asks: “Can you help us with security?”. Security replies: “Sure!”. Six weeks later, everyone is frustrated, because they were talking about two different things.…
Fred Descloux / 7 min read / Mar 4, 2026
When It’s Too Early (or Too Late) to Hire a CISO
There’s a moment in a company’s life when someone says: “We should probably hire a CISO”. Sometimes it’s the right call. Often it’s a reflex. A big customer asks for a security leader on the org chart.…
Fred Descloux / 8 min read / Feb 24, 2026
What a SOC 2 Report Does Not Protect You From
SOC 2 has become a shortcut word. A prospect asks “Are you SOC 2?”A bank asks “Do you have a SOC 2 report?”A board member asks “Are we covered from a controls standpoint?…
Fred Descloux / 9 min read / Feb 17, 2026
Why Vendor Risk Reviews Are So Painful (and How to Fix Them)
Vendor risk reviews have a reputation problem. Business teams experience them as slow, unpredictable and vaguely punitive. Security teams experience them as high-stakes, under-scoped and thankless.…
Fred Descloux / 8 min read / Feb 11, 2026
You Don’t Need a Project. You Need an Answer.
Most security dysfunction doesn’t start with a breach. It starts with… a meeting. Someone flags an issue (“We should probably…”) and the room does what it always does when it feels risk: it creates motion. A new initiative.…
Fred Descloux / 7 min read / Feb 3, 2026Compliance Is a Snapshot. Security Is a Habit.
Compliance has a weird reputation. To some leaders, it’s the thing that “keeps us out of trouble”.To some engineers, it’s the thing that “slows everything down”.…
Fred Descloux / 8 min read / Jan 29, 2026Your Incident Response Plan Won’t Save You
Most organizations have an Incident Response Plan. It’s usually well-formatted.It references the right framework.It has sections for preparation, detection, containment, eradication and recovery. Great.…
Fred Descloux / 6 min read / Jan 21, 2026Most Security Work Fails Because Decisions Are Delayed
Security rarely fails because teams don’t care. It fails because decisions don’t happen. Not bad intentions.Not lack of tools.Not even lack of budget (at least not at first).…
Fred Descloux / 6 min read / Jan 14, 2026Why Security Turns Into Drama (and How to Stop It)
Security doesn’t usually start chaotic. Most organizations begin with good intentions: protect customers, meet requirements, avoid incidents. Somewhere along the way, security becomes noisy, reactive and stressful.…
Fred Descloux / 6 min read / Jan 6, 2026