I think about GRC, security, and data — and write down the parts that work.
I work in GRC, security, and data — currently focused on how strategy, risk, and AI change the way security programs are designed and run. This is where I think out loud: essays, small tools, and the things I'd want a younger version of me to read.
A practitioner — strategy, risk, and the parts of compliance worth keeping.
I work in GRC, security, and data security. Day to day, I think about how strategy, risk management, and smart compliance meet the technology decisions teams actually have to make — and how to keep the program defensible without burying it in paperwork.
I'm increasingly interested in how AI changes both sides of that equation: the threat surface, and the way GRC programs themselves are built and run. This site is where I write about what works, ship small tools to test ideas, and keep notes worth re-reading.
Read the full bio →Notes on doing GRC deliberately — and using AI where it actually earns its keep.
Essays are being drafted. The companion piece to the V2 Security 2026 talk lands first.
Small tools and frameworks I've built in client work — generalised so others can use them.
Project writeups land here as tools and frameworks are generalised from client work.
Where I've been talking about strategy, risk, and AI in security.
All talks & press →Small repos — the ones I actually maintain.
A curated list of small repos worth maintaining. For now, see the GitHub profile ↗ directly.
Got a question, or something to share?
I read everything. Especially happy to hear from people working on GRC, data security, or AI policy in the real world — push-back, references, and good papers welcome.