a security veteran’s field notes for the AI era
CompoundTrust is the research and analysis of one veteran security practitioner — close to three decades on the defending side of large, regulated, high-consequence environments. The focus is the hard part of the AI era: not which tool to buy, but the judgment and governance these systems demand.
How AI systems genuinely fail — prompt injection, agentic risk, model and data attacks — and how to architect and govern them so they don’t.
Getting ahead of AI regulation — ISO/IEC 42001 readiness, the EU AI Act, and the governance evidence auditors and boards now expect.
The wider craft — risk, posture, and the board-level judgment that turns security from a cost centre into earned trust.
An AI system is a brilliant, tireless mind that can’t reliably tell a real instruction from a forged one. You don’t patch it. You vet it, constrain it, supervise it, and govern it — the way you would any powerful new hire.
That single idea is the through-line of everything published here.
I’m a security practitioner with close to thirty years on the defending side — environments where the wrong call carries board-level and regulatory consequences, and “it’s probably fine” was never an acceptable answer.
CompoundTrust is where I turn that toward the AI era: how these systems fail, how to govern them, and how to get ahead of the regulation that’s coming.
I publish without my name for now, by deliberate choice and good faith — not evasion. I’ll step forward in due course. Until then, I’d rather the analysis earn your trust on its own.
Private, and by intent. If something here is useful and you’d like to talk, write — conversations happen off-platform.
info@CompoundTrust.inNo pitch, no list — just a reply.