Blog
Machine Identity Is the New Perimeter
6/17/2026
Human logins are well defended. The unguarded door now is the service account, the API key, and the AI agent. A baseline for treating non-human identities as first-class.
PCI DSS 4.0, Part 2: How the 12 Requirements Ladder Up to 6 Goals
6/13/2026
A practitioner's map of PCI DSS 4.0 — the 6 control objectives, the 12 requirements beneath them, and how to read the standard as a security model rather than a checklist.
Building Sakinah: An App for the Hardest Moment
6/8/2026
I built Sakinah to help Muslim families in Singapore through the hours after a death. The decisions I'm surest about weren't features — they were the things I chose not to build, hold, or collect.
Governing AI Agents: When the User Isn't a Person Anymore
6/8/2026
Agentic AI breaks the assumption that every action traces back to a human. Here's a baseline for giving agents identity, scope, and accountability.
The Lethal Trifecta: Setting Secure AI Baselines for Organisations
9/1/2025
Simon Willison’s ‘lethal trifecta’ and how to turn it into an enterprise baseline.