Insights
Architecture-led perspectives for executives and practitioners in complex, regulated environments.
APRA CPS 234 Explained: Information Security Obligations
CPS 234 in practitioner terms: capability, classification, control-effectiveness testing, third-party assurance, notification clocks, and the CPS 230 interlock.
The Australian Security Compliance Landscape: An Executive Map
An executive map of Australia's security obligations — Essential Eight, ISM, PSPF, CPS 234/230, SOCI, Privacy Act, ISO 27001, PCI DSS — and how to navigate them once.
The CISO's Guide to AI Governance
A practical CISO sequence for AI governance: inventory, risk tiering, one-page guardrails, lifecycle controls and board-grade reporting — without stalling adoption.
ASD Essential Eight to Maturity Level 3: A Practical Path
What Maturity Level 3 actually demands across the eight strategies, why the ML2-to-ML3 step is hardest, and a sequencing approach that works.
Essential Eight ML3 Readiness: A Self-Assessment Checklist
How to run an honest ML3 readiness self-assessment: the questions to ask per mitigation strategy, the evidence that counts, and the traps that produce false confidence.
Governing AI in the Australian Enterprise
AI governance for Australian organisations: the obligations that already apply, the frameworks worth adopting, and the structures that make adoption defensible.