Twelve weeks. Three phases. Twelve gates.
The recurring deep-change projects, each broken into the substrate-first sequence that actually lands. Week-by-week milestones, twelve named gates, anti-pattern cross-links, and the diagnostic to re-run at week 13. Read top-to-bottom, or skip to the gate you're stuck on.
EU AI Act high-risk, in 12 weeks.
From Piloting to EU AI Act Art. 9-15 ready by 2 Aug 2026. Catalogue → classify → substrate (gateway · prompt registry · evals · guardrails · audit) → documentation → human oversight → pre-conformity review.
CISA Secure Software Attestation in 90 days.
From “some SSDF practices” to a defensible CISA SSA signature. Workload identity → SLSA L2+ signed provenance → SBOM owner-loop → verified deploy → hardened builder → attestation evidence pack.
Cloud cost: Aware to Controlled in a quarter.
From 5-12% YoY savings to 20-35% from baseline. Tag & attribute → idle hunt → right-size → commitment coverage 70-90% on quarterly cadence → cost-of-design in architecture review.
Static creds → workload identity.
From “we have a vault holding credentials” to “workloads prove who they are via federated identity, no static creds in the path”. Closes the Vault Theatre anti-pattern structurally.
More playbooks publish quarterly. On the queue: BCBS 239 risk-data substrate in 90 days · SRE Operational → Disciplined in a quarter · Monolith → modular monolith extraction. If there's one you'd reach for first, tell me.