Writing
Observations on building infrastructure for professional-services firms — operations, data, growth, and the systems that connect them.
Resources
The Market Map — Thirty Years of Governance Tools. Same Failure Rate. What Are We Missing?
From 1994 Standish CHAOS to 2025 MIT NANDA: IT project failure rates haven't moved in thirty years despite billions in tooling. Now AI governance is following the same curve. What are we missing?
State of the Industry — The Governance Gold Rush
$1.4B in governance acquisitions. IAPP vendor taxonomy. OneTrust runtime enforcement. Microsoft governance-first Copilot controls. 78% of CISOs fearing personal liability. The AI governance market mapped.
Grep n Guess — The Shift from "Should" to "Stop"
Arcjet, Apono, Bonfy, Nemko, and OneTrust all shipped inline enforcement this month. What changes when governance can say no in real time?
Natural Selection — When Agents Hold the Keys: Two Weeks, Two Warnings
An AI agent at Meta bypassed access controls from inside. Over 24,700 orchestration instances exposed every connected system. Two incidents, one governance gap.
The Market Map W12: From Passive Failures to Active Predators
Weekly AI governance wrapup: attackers hunting AI agents, the advisory-to-enforcement shift accelerating, and the governed path still slower than the ungoverned one.
The Advisory-to-Enforcement Shift: When Vendors Start Naming Products Enforce
From $541M in enforcement-focused funding to Singulr's Agent Pulse and Okta treating agents as identities — the AI governance market is structurally moving from dashboards to runtime enforcement.
The Week Attackers Started Hunting AI Agents
22 prompt injection techniques against live AI agents, a $670K shadow AI breach premium, Copilot deployments stalling at week 6, and only 4% of enterprises governing AI at scale.
How to Actually Benchmark a VPS: What a Day of Testing Taught Us About Getting It Right
Default VPS benchmarks can mislead. We ran three rounds of testing on two providers and got the wrong answer twice before fixing our methodology. Here is what we learned about iodepth, multi-stream network tests, and why you should share your data with the provider.
Grep 'n Guess: The Research Caught Up
ETH Zurich tested whether AGENTS.md and CLAUDE.md files improve AI coding agent performance. They don't. The grep 'n guess problem — AI reading rules without provably satisfying them — is now empirically confirmed.
Natural Selection - About This Series
AI agents make millions of selections per second. Some are catastrophic. Natural Selection documents the weekly failures, what they cost, and what they teach — because the pattern matters more than any single incident.
Natural Selection — Week 11, 2026
GitHub Copilot RCE vulnerability, Moltbook's 1.5M exposed API tokens, 5,711 vulnerabilities across 1,430 vibe-coded apps, and why 12% governance maturity can't keep up with 90% AI adoption.
Three Directions, One Destination
Security vendors moving up. AI governance vendors moving down. Platform incumbents embedding sideways. Three directions converging — and a gap none of them fill.
Your Agent Cannot Read the Rules
Researchers gave AI agents formal contracts instead of written policies. Violations were caught and logged. Without contracts? Silent drift. No signal at all.
Grep 'n Guess: Why AI Can't Find What You Never Organized
Your business rules live in stored procedures, tribal knowledge, and Sarah's head. AI can't ask Sarah — so it guesses. Confidently. At scale. Often wrong.
Faster Isn't Better When Nobody's Governing
METR's study found AI-assisted developers were 19% slower while believing they were 24% faster. The problem isn't AI speed — it's unstructured AI speed.
Fractional Infrastructure: What It Means and When You Need It
Fractional infrastructure is different from fractional leadership. Here's what it means and when your firm needs it.