Applied Experience
Governance in Action
Everything on this page is something I built, shipped, or created. The ACR Standard. Enterprise governance programs. Production tooling. Published doctrine. This is the operating background behind everything I write, speak about, and advise on.
Original Work
The ACR Standard
The ACR Standard is the runtime control standard for agentic AI. It defines the mandatory control plane through which protected AI actions must pass before execution — enforcing identity, purpose, policy, risk, and human authority in real time. I created ACR because no existing governance approach addressed the core problem: how do you enforce control over AI systems that act independently, at speed, with real-world permissions? It defines trust paths, containment boundaries, human authority checkpoints, and evidence mechanisms — built from direct operating experience governing 50+ models in production.
Evidence
Published and maintained at autonomouscontrol.io
Defines the runtime enforcement layer no existing standard covers
Built from governing 50+ AI models and agentic systems in production
Enterprise Program
AI Governance Committee — Chair
Built an enterprise AI governance function from zero to operating authority — committee charter, policy architecture, model risk classification, runtime enforcement pipeline, and evidence-based compliance reporting to the board. This is the program that proves ACR principles work at enterprise scale, not in a whitepaper.
Evidence
Committee Chair with enforcement and escalation authority
50+ AI models and agentic systems under active governance
Aligned to ISO/IEC 42001, NIST AI RMF, and internal risk policy
Regulatory Translation
ISO 42001 & NIST AI RMF — From Paper to Production
Compliance standards tell you what to document. They do not tell you how to enforce. I built the mapping between the ACR Standard and established regulatory frameworks so engineering teams can implement controls that satisfy both auditors and production SLAs.
Evidence
Runtime enforcement controls aligned to ISO/IEC 42001
Evidence pipelines mapped to NIST AI RMF categories
Operational controls that boards and auditors can verify
Shipped Tooling
ACR Governance Toolkit
Six production-ready governance templates built on the ACR Standard — Agent/System Cards, Action Class Catalogs, Risk Acceptance Memos, Assurance Packs, Incident Response Playbooks, and Vendor Questionnaires. I built these because governance teams need artifacts they can fill out and hand to auditors, not slide decks about governance philosophy.
Evidence
Six templates with interactive web versions and PDF export
Used for enterprise AI governance documentation and audit readiness
Directly derived from the ACR Standard enforcement model
Published Work
Published Books on Security & AI Governance
Translated a decade of operating experience into published books. The ABCs of Agentic AI provides the definitive guide to controlling autonomous AI action at runtime — how to classify, control, and govern agentic AI in real enterprise environments. Field manuals written from production experience, not academic theory.
Evidence
The ABCs of Agentic AI — controlling autonomous action at runtime
The ABC's of Cyber Security — enterprise security foundations
Weaponization of Social Media — threat intelligence and analysis
Security Leadership
Enterprise Security Program Design
A decade building and operating enterprise security programs across Fortune 500 and high-growth technology companies — vulnerability management, incident response, trust architecture, risk programs, and executive reporting. The same operational rigor I apply to AI governance comes from years of building security programs where every decision carries real consequence.
Evidence
10+ years leading enterprise security operations
Fortune 500 and high-growth technology environments
Full lifecycle ownership: architecture through board reporting
Industry Education
Keynotes, Board Briefings & Executive Sessions
Speaks on runtime AI governance, enforcement-era control architectures, and how leadership teams should evaluate AI risk. Every session is built from operating experience — what actually works in production, what breaks under pressure, and what boards need to hear before approving the next agentic deployment.
Evidence
Five keynote-ready topics on runtime governance and AI control
Board and C-suite briefings on AI risk accountability
Practitioner perspective — built from production, not theory
Engineering
Open-Source Security & Governance Tools
Ships open-source tooling in security and AI governance — practical utilities built to solve operational problems encountered while standing up governance programs. Code reflects the same enforcement-first approach applied to everything else on this page.
Evidence
Security tooling and governance automation
Enforcement-first design philosophy
Published on GitHub
Operating Principle
Built First, Then Codified
Every item on this page is something I created, operated, or shipped. The frameworks, the writing, the advisory perspective — it all starts here, in production.
Governance That Runs
Governance only counts if it executes in production. Standards, tooling, and architectures are designed for runtime enforcement, not documentation.
Evidence Over Claims
Each section includes verifiable artifacts — published standards, deployed programs, live tooling, and practitioner adoption.
This Is What Informs My Advisory
Programs built in production — not theory. This is the experience behind everything I write, speak about, and advise on.