Insights

Compliance thinking that actually holds up.

Analysis, methodology, and hard-won thinking on GRC, AI security, and what genuine compliance looks like in practice.

Featured

Why compliance reports without evidence trails are legally worthless

A compliance report that cannot trace its findings to specific, gathered evidence is not a compliance report. It is a document. Here is why that distinction matters when a regulator comes calling.

15 March 2026Read article→

A compliance report that cannot trace its findings to specific, gathered evidence is not a compliance report. It is a document. Here is why that distinction matters when a regulator comes calling.

Sam Sultan · Enact Cyber

AI Security7 min read

The EU AI Act is live. Most AI deployments have no audit trail.

The EU AI Act entered into force in August 2024. High-risk AI systems face significant obligations — including documentation, logging, and human oversight requirements that most organisations deploying AI have never thought about.

10 Mar 2026Read→

Compliance7 min read

SOC 2 Type I vs Type II — what your enterprise clients are actually asking for

When a prospect asks for your SOC 2 report, they almost always mean something specific. Understanding the difference between Type I and Type II — and what each actually demonstrates — determines whether your report closes the deal or reopens the conversation.

5 Mar 2026Read→

Stay current

Compliance and AI security are moving fast. We write about what actually matters.

If you have a compliance question, a framework challenge, or want to understand how a specific regulation applies to your environment — get in touch.

Start a conversation