The Guardrail

Kris Moore

AI governance, security architecture, and compliance intelligence for CISOs, security architects, and GRC professionals. Frameworks, incidents, deadlines, and best practices — analyzed with evidence, delivered with practitioner focus. AI-Assisted Production: Research and editorial direction by Kristopher Moore. Scripts developed with Claude (Anthropic). Narration by AI voice synthesis (Microsoft Edge TTS). All content is human-directed and editorially reviewed.

  1. 1d ago

    Three Customers, One Landlord

    The CTO episode that shipped this morning surfaces the strategic and financial frame of the compute-trade picture — three frontier customers paying into a single landlord's compute book, with a $80B aggregate commitment through 2029, an application layer folded under the same corporate parent, and the substrate-layer shift reshaping the rent-vs-build calculus underneath all of it. This is the governance read on the same window. The vendor-risk register the GRC team built three months ago does not have a row for the question this episode forces: is my vendor's compute provider's parent also my competitor. The four governance themes that follow rebuild the register around that question. The compute-landlord vendor tier, the four-path procurement matrix, the open-weight risk-hedge calculus with its own residual-risk matrix, and the M&A-and-sovereignty calendar that anchors the next 90 days. The Fable 5 outbound directive carry-forward from Fix or Pull runs through every theme.

    46 min

  2. 1d ago

    Fix or Pull.............

    What happens when the regulator pulls your frontier vendor? The 2026-06-12 Commerce Department directive that disabled Claude Fable 5 + Mythos 5 globally for any foreign national set a precedent every CISO needs to underwrite. This episode walks the three governance gaps the recall exposes, the xAI safety-incident stack, the open-weight-as-risk-hedge calculus with its Chinese-vendor counter-exposure, the five-axis identity-management framework the field needs but no vendor has shipped, and the federal-posture shift from "framework guidance" to "directive plus clearinghouse plus binding operational directive plus export-control" inside a single quarter.

    46 min

  3. Jun 16

    The stack came into focus

    Four layers. Model, Harness, Control Plane, Connective Tissue. Most enterprise AI governance programs in 2026 govern the Model layer (vendor due diligence, model approval, EU AI Act high-risk classification, third-party-eval intake) and leave the other three layers ungoverned. The cycle's incidents tell the story — the Claude Code GitHub Action CVE on June 1 landed at the Harness layer; the OpenRouter Series B and the Five Eyes joint guidance on May 1 landed at the Control Plane layer; the Writer 2026 survey, the Colorado AI Act delay, the EU AI Act August 2 GPAI activation, and the Bartz v Anthropic settlement distribution all land at the Connective Tissue layer. This episode walks each layer from the CISO seat — naming the default-bad pattern most programs run today, the actual control surface, the framework families that apply, and what good looks like. Closes with three sequencing patterns by program maturity for the practitioner walking in Monday.

    1h 7m

  4. May 15

    Architecture, Not Checklists

    On May 1, six allied cyber agencies (the Five Eyes plus the Canadian Centre for Cyber Security and the Australian Signals Directorate) published thirty pages of joint guidance on agentic-AI security — twenty-three named risks, over one hundred best practices, organized into five stacked-dependency risk categories. The board-deck misread is to map it onto a control matrix. The document is an architecture brief. This episode lays out the architectural read, walks the five-to-five mapping against the AAGATE production answer, then covers the CCDH/CNN safety study, the Thinking Machines determinism research, and the Q1/Q2 enterprise breach inventory. AI Disclosure: This episode was produced with AI assistance. Research synthesis and script writing used Claude (Anthropic) under human editorial direction. Audio narration by Microsoft Edge TTS (en-US-AndrewNeural voice).

    41 min

  5. May 4

    Trust at the Seam, Continued

    Two questions worth answering this week. What is your engineering team running right now — the canonical AI coding tool you authorized, or a fork routed through a backend you do not control, configured by files an attacker can write into your repository? And if the foundation lab anchoring your AI roadmap stumbles on revenue, sits in active corporate-form litigation, and warns its own CFO about a one-and-a-half-trillion-dollar compute funding gap, what does your off-ramp profile look like in writing today? Episode 10 continues the "trust at the seam" thread from Episode 9 across two new fronts. Part 1 walks the TeamPCP cascade — a forty-two-day, multi-package, cross-ecosystem supply-chain attack chain (Trivy on March 19, litellm on March 24, SAP packages on April 29) that culminated in the first documented weaponization of an AI coding-agent harness configuration as a persistence mechanism. Part 2 walks the OpenAI miss reported by the Wall Street Journal on April 28, the structural reading of the four overdetermined factors behind it (capacity outpacing demand, Anthropic capturing the enterprise wedge, GPT-5.5 pricing posture, DeepSeek V4 shipping at 10–13× lower API cost), and the Musk versus Altman trial in week one — including the bifurcation order that makes the federal jury advisory and the bench remedies trial calendared for May 18. Part 3 lands the compliance calendar. Posture throughout is measured and practitioner-professional. Frameworks named at scope and weight (the supplier-relationship family, the supply-chain entry of the OWASP LLM Top 10, the supplier provisions of the ISO 42001 family) — never by clause number. Closing sign-off: Move at your own pace. Secure your stack. Audit your harnesses. Own your diligence and own your outcomes. AI Disclosure: This episode was produced with AI assistance. Research synthesis and script writing used Claude (Anthropic) under human editorial direction. Audio narration by Microsoft Edge TTS (en-US-AndrewNeural voice).

    53 min

  6. Apr 25

    Move at Your Pace, Own the Outcome

    Two incidents this month. Same structural lesson. The perimeter where trust actually breaks in 2026 is not inside the model — it is at the seam around the model. This episode walks the Mythos vendor-access incident and the Sullivan and Cromwell AI-verification incident as paired calibrations of where AI-era failure modes actually sit, then layers in four adjacent threads: a new research consensus that gives procurement teams a tractable divergence-profile instrument for the first time, a supply-chain attack pattern that Mythos is only one instance of (Vercel via Context.ai, Mercor via LiteLLM, the disputed Lovable incident), capacity-tier availability as a load-bearing variable in AI procurement risk, and the three compliance calendar items worth tracking through Q3 (EU high-risk enforcement window, Colorado AI consumer law implementation end of June, NIST AI RMF critical-infrastructure profile concept note). AI Disclosure: This episode was produced with AI assistance. Research synthesis and script writing used Claude (Anthropic) under human editorial direction. Audio narration by Microsoft Edge TTS (en-US-AndrewNeural voice).

    42 min

  7. Apr 21

    Force Multiplier — Cyber + Kinetic

    Explicit UPDATE to Ep 4 "When AI Hacks AI." Three arcs: (1) Claude Code antimalware filter backfiring (Tim Becker + 5-incident casebook, Adversa CC-643 deny-rule bypass, fake-Claude supply-chain campaigns, Cyber Verification Program 2-day SLA); (2) Cyber war 2026 update — Iran-US Feb 28 escalation, APT42 AI-persona tradecraft, CISA AA26-097A Iranian PLC targeting, Salt Typhoon LOTL attribution gap; (3) Battlefield AI — Anduril $20B Army IDIQ, Palantir $10B EA, Silicon Valley 6-firm consortium, Shield AI $12.7B, Germany-Auterion Ukraine drone contract, Lavender/Gospel (DISPUTED), autonomous-weapons governance gap. Includes 14-row Compliance Calendar + 9 framework mappings. AI Disclosure: This episode was produced with AI assistance. Research synthesis and script writing used Claude (Anthropic) under human editorial direction. Audio narration by Microsoft Edge TTS (en-US-AndrewNeural voice).

    52 min

  8. Apr 8

    Do Your Own Work

    Yesterday, April7, 2026, Anthropic released Claude Mythos Preview through Project Glasswing.During pre-release testing, Mythos found a 27-year-old bug in OpenBSD that theworld's most security-focused operating system project had missed for nearlythree decades. It also found a 17-year-old remote code execution in FreeBSD,plus additional issues across FFmpeg, the Linux kernel, and major browserengines.**Mythos is the light. The defects it found are the cockroaches your softwarenever wanted you to see.** They were always there. The interesting question isnot who to blame for Mythos. It is what was already in your environment.Mythos arrived in a month with a lot of other governance-relevant news. Severalhyperscalers had significant incidents — and several of them were rookieoperational hygiene problems happening at the largest, best-funded technologycompanies on the planet. A maintainer with no two-factor authentication on apackage with one hundred million weekly downloads. A production agent acting ona stale wiki page. A default permission that should have been narrower. A DLPlabel the system meant to enforce ignored. These are not exotic adversarytechniques. They are the basics. The craft observation that runs through thisepisode: the hyperscalers are not infallible. Do not outsource your securitythinking to a brand. Do your own work.Eight themes build from Mythos through the broader month and land on apragmatic playbook. The takeaway is not that the sky is falling. The takeawayis that the work in front of you has not changed — you can just see more of itnow. AI Disclosure:This episode was produced with AI assistance. Research synthesis and scriptwriting used Claude (Anthropic) under human editorial direction. Audionarration by Microsoft Edge TTS (en-US-AndrewNeural voice).

    53 min
See All (14)

About

AI governance, security architecture, and compliance intelligence for CISOs, security architects, and GRC professionals. Frameworks, incidents, deadlines, and best practices — analyzed with evidence, delivered with practitioner focus. AI-Assisted Production: Research and editorial direction by Kristopher Moore. Scripts developed with Claude (Anthropic). Narration by AI voice synthesis (Microsoft Edge TTS). All content is human-directed and editorially reviewed.

Information

  • Creator
    Kris Moore
  • Years Active
    2K
  • Episodes
    14
  • Rating
    Clean
  • Copyright
    © Kris Moore
  • Show Website
    The Guardrail