Whitepapers

Governance architecture for AI where sensitive data is in play.

Two architecture pieces for exec committees and risk leaders.

For exec teams, risk leaders, and architects in regulated environments

Membrane vs. DLP: Governance Architecture for Sensitive Data in AI Systems

Why traditional data-loss-prevention patterns fail at the boundary between sensitive data and generative AI, and what a membrane-based governance architecture looks like instead. Developed during healthcare work (PHI boundary cases), equally applicable to PCI, financial records, student records, and other controlled data. Includes a reference design your risk lead can review and your implementation team can build.

Early access — drafting complete, in final review

We email you the PDF the day it publishes. One email. No list, no nurture sequence.

For exec teams, AI steering committees, and enterprise architects

Portable Cognitive Architecture for Regulated Environments

A pattern for building AI capability that is portable across vendors, auditable end-to-end, and defensible under the regulatory frameworks that apply to your business (HIPAA and HHS AI rules in healthcare; PCI-DSS in payments; FFIEC in banking; emerging state AI law in CA and CO). How to invest in AI now without locking yourself into a model or a platform that may not survive the next regulatory cycle.

Early access — drafting complete, in final review


The architecture question shows up before the policy question.

Every AI program in a regulated environment eventually hits the same wall: the policy is written, the committee has met, and the architecture still cannot explain where sensitive data goes when a model is invoked. DLP patterns designed for email and file shares do not describe the right boundary. Vendor "enterprise" tiers do not define the oversight. The gap is architectural, not procedural.

These two whitepapers are the architecture pieces we wish had existed when we were shipping governed generative AI inside a highly regulated environment. Written for the leader who has to sign the SOW and the risk lead who has to approve the design.
