Most companies are organized into vertical silos, and Conway's law stamps that shape straight into the product they ship. The value stream, the path work actually takes to reach a customer, runs sideways across every silo and belongs to no one. The fix is not to break Conway's law or to reorganize, but to aim it and give the value stream an owner.
The head of security role, usually a company's first security hire, expects one person to be a unicorn with real depth across every security domain. Genuine unicorns are rare, and no two have the same powers. Whether you're hiring one or becoming one, matching those powers to a company's real risk matters more than the myth.
Most AI governance discourse is overheated. The destructive-action panic ignores the boring truth that we already have most of the controls we need. The actual gap is narrower and more specific: the identities we grant agents, and the production access handed out alongside them.
I keep AI tooling out of my .env files entirely. Secrets live in a dedicated 1Password vault that a service account can read — and nothing else. Here's the setup and why I think this is the right pattern for AI agents.
Agents don't survive flights, hotel WiFi, or closed laptop lids. They survive a Mac Studio at home, a Cloudflare Tunnel, and tmux. This is the workspace I built once running sessions became the work.
I spent months building a production collector against the BlackDuck API. The documentation didn't prepare me for what I found. Here's everything I wish someone had told me about navigating its hierarchical data model, undocumented quirks, and the organizational challenges hiding behind the technical ones.
Security teams are great at finding problems. The real challenge is navigating the messy space between finding and fixing — where competing priorities, misaligned incentives, and invisible debt quietly compound.
Most security programs are designed for complicated problems. But the threat landscape — especially with AI — is complex. It's time for a different playbook.
GRC engineering isn't about making spreadsheets fancier. It's about recognizing that compliance at scale is an engineering problem, and it deserves an engineering solution.
A day exploring Tierra del Fuego National Park from the southernmost city in the world. Patagonia cruise stop in Ushuaia, Argentina.
