Insights

AI Security & Governance, written to be useful after the meeting.

Practical, durable guidance for leaders and teams responsible for making AI adoption safer, clearer, and easier to explain.

Knowledge Center

Explore the library.

A polished office supply room with one tiny approval desk blocking a wall of identical SaaS control panels.
SaaS Security

SaaS Configuration Drift Needs Change Control, Not Hope

SaaS configuration drift rarely looks dramatic. It looks like an admin making a small setting change so a team can move faster. Then that setting changes who can share data, what can be exported, which apps can connect, or how long logs remain available.

Fred Descloux / 6 min read / Jul 15, 2026
A polished office desk where one tiny mailbox holds an absurd pile of oversized access badges and keys.
Security Architecture

Service Account Governance Fails When Ownership Is a Mailbox

A service account is not just a credential. It is authority moving through your environment without a human sitting at the keyboard. If nobody owns that authority, nobody is really governing it.

Fred Descloux / 7 min read / Jul 14, 2026
A clean routing board separates security requests by decision type and ownership.
GRC

Security Intake Fails When Every Request Becomes a Review

A security intake queue is not automatically governance. If every request becomes the same review, low-risk work waits too long and high-risk work reaches the wrong decision makers too late.

Fred Descloux / 6 min read / Jul 13, 2026
Everyone checked out. The keys did not.
SaaS Security

OAuth App Governance: The SaaS Risk Hiding Behind Employee Consent

OAuth app governance breaks when employees can connect third-party apps to enterprise SaaS data and those grants survive long after the task is done. That is the operational problem. Not the login screen. Not the password policy.…

Fred Descloux / 9 min read / Jul 9, 2026
The system is working. Dinner is not.
SaaS Security

Continuous Controls Monitoring: Why GRC Automation Creates Noise Before Assurance

Continuous controls monitoring fails when it treats every system signal as proof that a control is working. The tool may be modern. The dashboard may be attractive.…

Fred Descloux / 7 min read / Jul 7, 2026
The schedule was immaculate. The garage was still full.
Incident Response

A Records Retention Schedule Is Not a Control Until Data Gets Deleted

A records retention schedule is worthless if expired data keeps living in production systems, backups, exports, analytics tables, and AI workspaces. The policy may satisfy a questionnaire. It may calm an auditor for a quarter.…

Fred Descloux / 7 min read / Jul 2, 2026
Inventory complete. Except for the ones already on.
SaaS Security

AI Asset Inventory: Why Your CMDB Won’t Find the Risk

An AI asset inventory fails when it only tracks approved models and ignores the tools, copilots, plugins, workflows, and vendor features already handling company data.…

Fred Descloux / 9 min read / Jun 30, 2026
The box passed inspection.
SaaS Security

Data Loss Prevention: Why Blocking Files Misses the Real Leak

Data loss prevention fails when it treats every leak as a file moving through the wrong door. The primary problem with DLP in most enterprises is not detection accuracy. It is control design.…

Fred Descloux / 7 min read / Jun 25, 2026
The response plan is watching the wrong water.
Incident Response

AI Incident Response Plan: Why Your Cyber Playbook Misses the First Hour

An AI incident response plan fails quickly when the first signal is a bad model output, a poisoned knowledge base, or an agent taking an action nobody approved. That is the operational gap most enterprises have not closed.…

Fred Descloux / 10 min read / Jun 23, 2026
The recipe looked approved.
Incident Response

AI System Prompt Security: Why Your Most Important Control Is Usually Exposed to the Wrong People

The weak point in many enterprise AI deployments is AI system prompt security, not the model itself.…

Fred Descloux / 7 min read / Jun 18, 2026
The alarm works. Shame about the fire.
Incident Response

AI Red Teaming: Why Most Enterprise Exercises Prove Effort, Not Safety

AI red teaming is getting adopted fast, but most enterprise programs are testing the wrong thing. They produce transcripts, screenshots, and a tidy report full of jailbreak examples, then quietly assume the hard part is done.…

Fred Descloux / 7 min read / Jun 16, 2026
The tool was approved. The momentum was not.
AI Security

AI Acceptable Use Policy: Why Most Companies Ban the Wrong Things

Most AI acceptable use policy documents are built to look cautious, not to survive contact with actual work. They ban a few tools, repeat the usual “don’t paste confidential data” warning, and call it governance.…

Fred Descloux / 7 min read / Jun 11, 2026
When the records become more valuable than the thing being sold.
Incident Response

AI Logging Policy: Why Most Enterprises Collect Prompts They Should Never Keep

Most companies need an AI logging policy before they scale copilots, internal chat tools, and model-powered workflows.…

Fred Descloux / 7 min read / Jun 9, 2026
The label is neat. The mess is where the work happens.
Incident Response

AI Data Classification: Why Your Existing Labels Break the Moment Employees Use Copilots

AI data classification breaks in a very specific way once employees start using copilots: the label stays on the document, but the sensitive context moves into prompts, chats, summaries, and outputs that your control model was nev…

Fred Descloux / 7 min read / Jun 4, 2026
When the exception path becomes the normal path, the control is already gone.
Incident Response

AI Policy Exception Process: Why Fast AI Adoption Breaks Slow Governance

The AI policy exception process is where a lot of enterprise AI governance quietly falls apart.…

Fred Descloux / 7 min read / Jun 3, 2026
The cart passed inspection. The leak didn’t.
Incident Response

AI Vendor Due Diligence: Why Security Reviews Keep Missing the Real Risk

AI vendor due diligence is failing in a very specific way: companies are reviewing the vendor as if they were buying ordinary SaaS, while the product behaves more like a moving supply chain. That mismatch matters.…

Fred Descloux / 7 min read / May 29, 2026
The label was approved. The contents kept moving.
Incident Response

AI DPIA: Why Most Privacy Reviews Fail Once the Model Starts Changing

AI DPIA programs fail when they treat a moving system like a one-time project. That is the core problem. If your privacy impact assessment for AI is completed at launch and then filed away, it is probably already wrong.…

Fred Descloux / 7 min read / May 26, 2026
Everyone swears the access was reviewed. The keys say otherwise.
Incident Response

SaaS Access Review: Why Quarterly Certification Misses the Real Risk

SaaS access review has turned into a ritual: export a list, send it to managers, collect approvals, file the screenshots, move on. It looks disciplined. It rarely changes much.…

Fred Descloux / 6 min read / May 21, 2026
Carefully inspected. Operationally irrelevant.
Incident Response

Model Risk Management for Generative AI: Stop Pretending the Old Playbook Still Fits

Model risk management for generative AI is now a practical problem, not a future one. Banks, insurers, healthcare companies, and large enterprises are already trying to fit copilots, summarization tools, internal chat assistants,…

Fred Descloux / 7 min read / May 19, 2026
The policy is technically there.
Incident Response

Shadow AI Policy: Why Banning ChatGPT Doesn’t Reduce Enterprise Risk

A shadow AI policy that simply says “don’t use public AI tools” is not a control. It is a dare.…

Fred Descloux / 7 min read / May 14, 2026
Looks official. Still not getting anyone where they need to go.
Incident Response

AI Risk Register: Why Most Enterprise AI Programs Track Optics Instead of Risk

Most companies building an AI risk register are documenting concerns, not controlling risk. The result is predictable: a neat spreadsheet for audit season, a few traffic-light ratings for leadership, and almost no operational valu…

Fred Descloux / 7 min read / May 12, 2026
Hard to govern what you never bothered to catalog.
Incident Response

AI Asset Inventory: The Missing Control Behind Credible AI Governance

An AI asset inventory is the first control that separates serious AI governance from internal theater.…

Fred Descloux / 6 min read / May 7, 2026
Approved once. Accessible forever.
Incident Response

Third-Party Risk Management Is Broken If You Don’t Know Which Vendors Still Have Access

Third-party risk management fails at the point where most companies stop paying attention: after the vendor is approved. That is the real problem with third-party risk management in many enterprises. The intake workflow exists.…

Fred Descloux / 7 min read / May 5, 2026
Locked down, except for the part that matters.
Incident Response

Model Access Governance: The Control Gap Behind Most Enterprise AI Incidents

Model access governance is becoming a real enterprise control problem, not a policy footnote.…

Fred Descloux / 8 min read / Apr 30, 2026
Official path on the left. Actual path on the right.
AI Security

Why Your AI Approval Process Is Failing in Practice

The AI governance operating model is where most enterprise AI programs quietly fail. Not in the policy. Not in the principles.…

Fred Descloux / 7 min read / Apr 28, 2026
Static process. Shape-shifting problem.
Incident Response

AI Vendor Questionnaire: Why Your Security Review Process Is Slowing You Down

The AI vendor questionnaire is becoming a drag on security review for a simple reason: most of them were built for normal software, not products that change behavior every few weeks. That mismatch matters.…

Fred Descloux / 7 min read / Apr 23, 2026
Retention is where AI governance gets real.
Incident Response

AI Data Retention Policy: The Control Most Companies Forgot to Build

An AI data retention policy is one of the simplest controls to ask for and one of the easiest to find missing. A company enables a chatbot, a meeting assistant, a coding copilot or an internal retrieval tool.…

Fred Descloux / 7 min read / Apr 21, 2026
AI agents do not create a magical new risk category. They turn old access control problems into faster, harder-to-see operational risk.
Incident Response

AI Agents Are Now an Identity and Access Problem

If you strip away the hype, most enterprise AI risk in 2026 comes down to a familiar failure mode. We are giving software broad access before we have figured out how to govern it. The new wrapper is “agentic AI”.…

Fred Descloux / 6 min read / Apr 14, 2026
A control is not a guardrail just because it sounds reassuring. The real test is whether it still holds when someone pushes on it.
AI Security

Most AI Guardrails Don’t Fail. They Were Never Real.

One of the fastest ways to get false confidence in AI is to say: “We have guardrails”. That sentence sounds reassuring. It suggests control.…

Fred Descloux / 8 min read / Apr 7, 2026
The model is the visible layer. The real risk usually sits in the decisions around data, access, actions, and accountability.
AI Security

AI Risk Doesn’t Live in Models. It Lives in Decisions.

A lot of AI risk conversations still start in the wrong place. They start with the model. Which model is being used?Was it trained on the right data?Does the vendor say they do not retain prompts?Is there a content filter?…

Fred Descloux / 7 min read / Apr 2, 2026
Security, Minus the Drama
Incident Response

Security, Minus the Drama

By the time security becomes visible inside a company, it is often already losing. Not because the risks are imaginary. Not because the controls are optional. And not because the people involved are careless.…

Fred Descloux / 10 min read / Mar 25, 2026
Zen CISO was born ready.
Incident Response

Calm Security Beats Perfect Security

Security teams talk a lot about preparedness. Playbooks. Escalation paths. Severity matrices. Logging pipelines. War rooms. Tabletop exercises. Pager rotations. Communication trees. Backup plans for the backup plans.…

Fred Descloux / 10 min read / Mar 17, 2026
As Zen CISO always says, “If it can’t survive in writing, it’s not ready for a meeting”.
Incident Response

Why Security Decisions Don’t Belong in Meetings

There’s a certain kind of security meeting that feels productive while achieving very little. The right people are there. Slides are shared. Someone says “Let’s align”. Someone else says “We should socialize this”.…

Fred Descloux / 9 min read / Mar 11, 2026
For Zen CISO, advice ends with a decision. Work starts after.
Incident Response

The Difference Between Security Advice and Security Work

Security work fails in a predictable way. A leader asks: “Can you help us with security?”. Security replies: “Sure!”. Six weeks later, everyone is frustrated, because they were talking about two different things.…

Fred Descloux / 7 min read / Mar 4, 2026
Zen CISO with a simple checklist to make the right choice
Incident Response

When It’s Too Early (or Too Late) to Hire a CISO

There’s a moment in a company’s life when someone says: “We should probably hire a CISO”. Sometimes it’s the right call. Often it’s a reflex. A big customer asks for a security leader on the org chart.…

Fred Descloux / 8 min read / Feb 24, 2026
Zen CISO, aware of the gaps in this small shield
Incident Response

What a SOC 2 Report Does Not Protect You From

SOC 2 has become a shortcut word. A prospect asks “Are you SOC 2?”A bank asks “Do you have a SOC 2 report?”A board member asks “Are we covered from a controls standpoint?…

Fred Descloux / 9 min read / Feb 17, 2026
Zen CISO managing vendor risks
Incident Response

Why Vendor Risk Reviews Are So Painful (and How to Fix Them)

Vendor risk reviews have a reputation problem. Business teams experience them as slow, unpredictable and vaguely punitive. Security teams experience them as high-stakes, under-scoped and thankless.…

Fred Descloux / 8 min read / Feb 11, 2026
Yep, Zen CISO knows well about the Answer Brief.
Incident Response

You Don’t Need a Project. You Need an Answer.

Most security dysfunction doesn’t start with a breach. It starts with… a meeting. Someone flags an issue (“We should probably…”) and the room does what it always does when it feels risk: it creates motion. A new initiative.…

Fred Descloux / 7 min read / Feb 3, 2026
Incident Response

Compliance Is a Snapshot. Security Is a Habit.

Compliance has a weird reputation. To some leaders, it’s the thing that “keeps us out of trouble”.To some engineers, it’s the thing that “slows everything down”.…

Fred Descloux / 8 min read / Jan 29, 2026
Incident Response

Your Incident Response Plan Won’t Save You

Most organizations have an Incident Response Plan. It’s usually well-formatted.It references the right framework.It has sections for preparation, detection, containment, eradication and recovery. Great.…

Fred Descloux / 6 min read / Jan 21, 2026
Incident Response

Most Security Work Fails Because Decisions Are Delayed

Security rarely fails because teams don’t care. It fails because decisions don’t happen. Not bad intentions.Not lack of tools.Not even lack of budget (at least not at first).…

Fred Descloux / 6 min read / Jan 14, 2026
Incident Response

Why Security Turns Into Drama (and How to Stop It)

Security doesn’t usually start chaotic. Most organizations begin with good intentions: protect customers, meet requirements, avoid incidents. Somewhere along the way, security becomes noisy, reactive and stressful.…

Fred Descloux / 6 min read / Jan 6, 2026