Independent cyber security & AI assurance
Independent judgment on cyber and AI — that you can act on and defend.
I help organisations and their boards trust their security and AI — with evidence, not assertions.
What I do
Testing whether security and AI governance actually work.
For more than twenty years I have tested whether security and governance actually work — independently, against the evidence.
I bring both sides of the problem: the builder’s understanding of how cyber and AI systems are created, and the assessor’s discipline of testing whether they can be trusted.
I help the people accountable for cyber security and AI, whether that is a security team preparing for certification, an executive group governing risk, or a board that has to demonstrate oversight.
I also contribute to public understanding of cyber security, AI governance and assurance through radio and media commentary, including ABC, and conference work with groups such as AISA and ISACA.
How I help
At the level the problem requires.
I work where independent judgment is useful: evidence, governance and complex assurance decisions.
Independent assurance
ISO/IEC 27001 and ISO/IEC 42001 internal audits and assessments that are evidence-led, practical and defensible.
Governance and leadership
Helping executives, leadership teams and boards govern cyber and AI risk, understand their responsibilities and turn oversight into evidence-based decisions.
Technical authority
Accreditation-tier expertise for complex cyber and AI assurance questions, including support for the assurance profession.
Who I work with
Where assurance needs to be credible.
Defence and industry, Australian government, critical infrastructure and technology.
Point of view
Independent judgment is becoming more important, not less.
A curated index of published articles, posts and conference pieces.
LinkedIn article · June 2026The Definitive Guide to ISO/IEC 42001What ISO/IEC 42001 actually covers, where it is strong, and where management-system certification stops — and the model and agent assurance you have to build on top.Read article →Independence
Independence is a role, not a personality.
I build, create and advise in the right context. When the work is independent assurance, I keep the assurance role clear.
Conflicts, prior involvement and delivery roles are checked before the engagement. Work is not described as independent unless the role supports that claim.
Contact
Start with the question.
If you need an independent, expert read on your security or AI — or your board does — start here.