Everything here, grouped by what you came for.
Diagnose where you stand · make an architecture decision · ship the substrate · look up which tool closes which regulation · learn from public architectures. Pick a question below, or jump to a section.
Where do you actually stand?
Six practitioner diagnostics + three live calculators. All run in your browser; nothing stored; results shareable via URL hash.
DevSecOps Maturity
Pipeline, secrets, supply chain, scanning, ownership, identity, patching, observability.
Run →
Diagnostic · 12 capabilities
GenAI Readiness
Data, model selection, RAG, prompts, evals, guardrails, observability, cost, governance, audit.
Run →
Diagnostic · 8 capabilities
Cloud Cost
Rightsizing, commitments, storage, egress, idle, observability, ownership, governance.
Run →
Diagnostic · 10 capabilities
Platform Engineering
Paved paths, self-service, IDP UX, observability defaults, cognitive load, adoption signal.
Run →
Diagnostic · 8 capabilities
EA Operating Model
Stance, design authority, capability model, principle enforcement, decision capture.
Run →
Diagnostic · 10 capabilities
SRE Programme
SLOs, error budgets, blast radius, on-call, postmortems, runbooks, chaos, toil.
Run →
Live calculator
GenAI Cost-Per-Outcome
Tune model + tokens + cache rate. See cost-per-resolved-task live.
Open →
Live calculator
Error Budget
SLO, window, deploy cadence, change-fail. Burn rate + time-to-exhaustion.
Open →
Live calculator
Cloud Commitment Optimiser
Provider, steady-state %, 1y/3y mix. Savings + lock-in + breakeven.
Open →
Synthesizer · combines diagnostic results
Compound diagnostic
Paste shareable URLs from your runs. See the substrate gap (identity, observability, policy, ownership) recurring across disciplines.
Open →
Per-discipline tier deep-dives
Maturity tiers
What each tier looks like in real orgs, why teams get stuck, the 3 substrate moves to the next tier.
Browse →
Walk the architectural choice.
Seven interactive flowcharts for the decisions that recur. Each ends in a recommendation with trade-offs, watch-outs, and cross-links to diagnostic / RA / essay.
The seven trees
AI gateway · RAG vs fine-tune · OPA vs Kyverno · tenancy · K8s vs PaaS · sync vs async · monolith vs microservices.
Open →
GenAI · 4 questions · 6 leaves
Build or buy an AI gateway
Use-case count × regulatory posture × platform-team funding × sovereignty.
Walk →
GenAI · 4 questions · 7 leaves
RAG, fine-tune, prompt, or hybrid
Knowledge-vs-behaviour fork. Change cadence. Example count. Strict vs loose.
Walk →
SaaS · 4 questions · 6 leaves
Shared, cell-based, or single-tenant
Load uniformity × isolation requirements × head-tenant count.
Walk →
Get to the substrate.
Dated 90-day playbooks with named gates, plus reference architectures for the platform shape that holds the controls. Both lean opinionated.
The four playbooks
EU AI Act 12 weeks · CISA SSA 90 days · Cloud Cost Aware → Controlled · Vault Theatre → Workload Identity.
Open →
GenAI · high-risk
EU AI Act in 12 weeks
From Piloting to Art. 9-15 ready by 2 Aug 2026. Three phases, twelve named gates.
Open →
All reference architectures
The four RAs
Regulated GenAI Platform · DevSecOps SLSA L3+ Paved Path · Modern Data Platform · Platform Engineering IDP.
Open →
Framework
The 4-Discipline Stack
Named framework that anchors the rest. Substrate beats discipline-specific theatre.
Read →
Which tool, which regulation, what evidence?
The reference dataset, the glossary, the reading list. Free, public, CC BY 4.0 where applicable.
Regulation × control × tool map
Filter by regulation, category, or sector. Each row: tools, evidence shape, sector notes. JSON + CSV.
Browse →
Definitions
Practitioner glossary
The named concepts and trade-offs across the site, cross-linked.
Open →
When to reach for what
Reading list
Organised by use-case, not alphabetically. Eight clusters; books · standards · podcasts · conferences.
Open →
15 named failure modes
Anti-patterns
The recurring shapes that go wrong. Each linked from the diagnostic / playbook that closes it.
Browse →
Public architectures, decoded.
Teardowns of public products from public signals only (engineering blogs · talks · job ads · live behaviour). Plus my own case studies.
The four teardowns
Claude.ai · Linear · Notion · Vercel. Diagrammed; what to steal, what to avoid.
Open →
GenAI · streaming-first
Claude.ai — decoded
Plane separation, async safety, MCP runtime, per-decision audit.
Read →
My own work
Case studies
Multi-region payment platform, EA at Asia's largest bank, lending platform, retail modernisation, $50M+ data-archival.
Browse →
Annual report
State of Enterprise Tech 2026
Board-ready 12-page briefing on regulated-industries tech.
Read →
Sized for the regulatory floor.
Sector-keyed bundles: the diagnostics, RAs, playbooks, anti-patterns, and dataset rows most relevant to each.
For Banks & FS
Core modernisation, GenAI in customer journeys, supply-chain attestation, operational resilience.
Open →
ASD E8 · IRAP · AU AI Safety · NIST 800-53
For Government
E8 ML2/ML3, IRAP-ready architecture, AU AI Safety guardrails translated into engineering work.
Open →
HIPAA · AU Privacy · FDA SaMD · EU AI Act
For Healthcare
Clinical decision support, patient-data lineage, post-market surveillance.
Open →
SOCI · EU NIS2 · US CIRCIA · IEC 62443
For Critical Infrastructure
IT-OT convergence, supply-chain attestation, resilience testing.
Open →
Read more, subscribe.
Six cornerstone essays, the monthly Letters, the open-source repo, the press kit.
Writing
The encoded EA · nine GenAI controls · DevSecOps is supply-chain · platform-eng as AI moat · 4-Discipline Stack · AU AI Safety decoded.
Browse →
Monthly Substack
Letters
One synthesis-letter a month. Free, ad-free, no growth hacks.
Subscribe →
Open source
OSS — opa-nist-ai-rmf
Reference OPA policy bundle implementing NIST AI RMF + GenAI Profile controls.
Open →
Engagement model
How I work
How an engagement actually runs — scope, cadence, deliverables, pricing posture.
Read →
Speaker kit
Press & speaker kit
Bio, topics, headshots, past talks. For conference organisers and journalists.
Open →
This site's posture
Observability & security
How this site is built, hosted, and observed. The substrate I write about, applied to my own things.
Read →