Named governance doctrine. Commercially decisive.
The institutional operating model boards retain when contracts, regulators, and market confidence converge on the same fault line. Decision architecture for environments where information is incomplete and consequences are irreversible.
Organisations do not lose systems first. They lose decision authority. Then everything else follows.
This doctrine exists because the distance between a near-miss and a career-ending breach is one unsigned control.
Not advisory. Not consultancy. The governance infrastructure that holds when the regulator is already in the building.
Technical Execution Stack
Sentinel · Splunk · Azure Defender · KQL · Wireshark · Burp Suite · Nessus · MITRE ATT&CK · Defender for Endpoint · Logic Apps SOAR
I accept 2–3 mandates per calendar year. Engagement requires executive authority or board resolution.
Who this is for
Boards & Audit Committees
Regulatory exposure, accountability frameworks, and evidence chains for board-level scrutiny under DORA and NIS2.
Explore governance doctrine →CISOs & Risk Officers
Operational resilience models, control collapse diagnostics, and crisis decision hierarchies built for regulated environments.
Explore resilience frameworks →PE & Deal Teams
Pre-acquisition cyber due diligence, failure cascade mapping, and post-deal control uplift programmes.
Explore due diligence doctrine →Regulated Enterprises
End-to-end delivery for DORA, NIS2, EU AI Act, ISO 42001, and GDPR obligations with full audit-trail evidence.
Explore compliance delivery →Outcomes counterparties sign against
Representative outcomes (client identifiers withheld). Written in procurement language under regulatory scrutiny.
Tier-1 FS: DORA Transformation
Win condition: audit-ready operational resilience evidence chain.
Result 147 findings → 12 in 84 days · owner model · testing cadence · board KPIs
Regulated Enterprise: Outsourcing Controls
Win condition: contract clauses aligned to operational resilience, TPRM, and audit rights.
Result Negotiation cycle 22wk → 9wk · renegotiated control schedule · exit plan
AI Programme: Governance Reset
Win condition: ISO 42001-aligned governance, model inventory, assurance pathways.
Result 0 → 214 models governed · control matrix · accountability map · audit artefacts
Global Bank: Incident Response Overhaul
Win condition: regulatory-grade incident classification, escalation, and evidence chain under NIS2.
Result MTTR 14d → 2.1d · 24/7 playbooks · board escalation SLA · regulator pack
Insurer: Cloud Security Architecture
Win condition: zero-trust posture validated against NIST 800-207 and FCA expectations.
Result 3 critical gaps → 0 · microsegmentation · PAM rollout · attestation dashboard
PE Portfolio: Cyber Due Diligence
Win condition: pre-acquisition security posture assessment with quantified remediation roadmap.
Result 5 targets assessed · €2.3M risk quantified · 2 deal-breakers identified · remediation priced
Organisations do not lose systems first. They lose decision authority. Then everything else follows.
A predictable path from briefing to mandate.
Three stages. Procurement-grade artefacts at every step. Designed for boards under regulatory scrutiny.
Discovery Briefing
A 60-minute confidential conversation. We map the decision authority gap, regulatory exposure window, and the artefacts your board, regulator, or counterparty will require.
Mandate Definition
A signed scope tied to specific outcomes — control closures, evidence chains, governance architecture, or interim CISO coverage. Procurement-grade contract on day one.
Delivery & Artefacts
Doctrine-grade execution against the mandate. Every output is regulator-ready and board-survivable: control matrices, evidence chains, accountability maps, decision papers.
Senior authority. Direct delivery. No partner-tier markup.
When the regulator is already in the building, the work cannot be delegated to junior consultants. It has to land with the named principal.
The principal who signs the doctrine is the principal who delivers it. No partner-to-junior handoff.
Every output is regulator-ready and board-survivable. Evidence chains, accountability maps, decision papers — not slideware.
900 published doctrine frameworks, peer-reviewed at UCL & Imperial. The IP that the work runs on is named, citable, and counterparty-validated.
Institutional Governance Architecture
Navigate the complete governance doctrine — from proprietary frameworks and research to regulatory intelligence and strategic threat analysis.
AI + Cyber Security
As AI reshapes the attack surface — LLM exploitation, adversarial prompts, deepfake phishing — your security architecture must operate at the intersection of governance and engineering. 27 years of cyber delivery meets the 2026 AI threat landscape.
Prompt Injection & LLM Defence
Adversarial prompt testing, jailbreak detection, and output sanitisation frameworks. OWASP LLM Top 10 assessment methodology. AI model sandboxing, guardrail architecture, and data leakage prevention for enterprise LLM deployments.
- → Prompt injection penetration testing
- → System prompt extraction prevention
- → RAG poisoning defences
- → Output filtering architectures
AI-Driven Threat Detection
ML anomaly detection integrated with Microsoft Sentinel. Behavioural baselines using Azure ML. Automated triage reduction: 60% fewer false positives through ML-assisted rule tuning. UEBA (User & Entity Behaviour Analytics) deployment for insider threat detection.
- → Sentinel ML-powered detection
- → Behavioural anomaly baselines
- → UEBA insider threat modelling
- → AI-assisted SOC automation
AI Governance & Model Risk
EU AI Act Article 9 risk management. Model inventory, bias testing, and transparency documentation for high-risk AI systems. AI incident classification under DORA and NIS2. ISO 42001 AI management system implementation and certification readiness.
- → High-risk AI system registration
- → Model risk register & testing
- → AI incident reporting (DORA/NIS2)
- → ISO 42001 gap analysis
AI Threat Coverage
Deepfake phishing · Model inversion · Training data poisoning · Supply chain AI attacks · Shadow AI governance