Research

Security Frontier

30 documents

Agentic AI Governance: The Policy Framework for When AI Stops Suggesting and Starts Acting

Every AI governance document written before mid-2025 assumes a human-initiated workflow. The human asks a question, the AI suggests an answer, the human acts. A

AI in Client-Facing Contracts: The Seller's Playbook for MSAs, SOWs, and Engagement Letters

Every mid-market professional services company faces the same structural gap. The firm uses AI tools — for drafting, analysis, research, code generation, design

Compliance and Regulatory Landscape for AI-Generated Code: What Enterprises Must Navigate in 2026

There is no comprehensive federal AI law. What exists is a collection of agency-specific guidance, executive orders, and enforcement priorities that create obli

Enterprise IP Concerns with AI-Generated Code: The Ownership Gap Nobody Planned For

The foundational problem: U.S. copyright law requires human authorship. The Copyright Office's Part 2 report (January 29, 2025) made this explicit — copyright p

AI and Customer-Facing Disclosure: When and How to Tell Customers That AI Is Involved

The FTC has no AI-specific disclosure statute, but Section 5's prohibition on unfair and deceptive practices applies with full force. The materiality test is st

The Two-Front War: Mid-Market Companies Are Expanding Their Attack Surface While AI-Enabled Threats Accelerate

Most CISOs track external threats. Most CIOs track AI adoption. Almost no one at a 200-2,000 person company is tracking both simultaneously — and the interactio

The AI Insurance Application Playbook: 20 Questions Your Underwriter Will Ask and What Answers Get the Best Rates

The questions below are compiled from carrier application updates, broker renewal guidance (Founder Shield, WTW, Amwins, Marsh), and insurer public commentary t

AI and Data Privacy: The Compliance Layer Every Mid-Market Company Deploying AI Must Address Now

The privacy compliance obligation for AI is not new law. It is existing law — designed for traditional data processing — now applied to AI systems that process

When Algorithms Become Defendants: The AI Employment Litigation Landscape Every Employer Needs to Understand

Derek Mobley, a Black applicant over age 40, applied to more than 100 jobs through employers using Workday's AI-powered screening tools. He received no offers.

The Other Side of the AI Coin: How Attackers Are Weaponizing AI Against Your Company in 2026

This is the highest-volume threat. It is also the one most mid-market security programs are least prepared for, because their defenses were built for a differen

AI and Your Existing Contracts: The Pre-Deployment Audit Every GC Must Run Before Day One

Most mid-market AI governance programs start in the right place: acceptable use policies, vendor evaluations, security controls. The GC checklist, the vendor co

Corporate AI Governance Frameworks: The $492M Race to Govern What You Already Deployed

The central problem in enterprise AI is not adoption — it is accountability. Adoption has outrun governance at every company size.

The AI Incident Response Playbook: What Happens in the First 72 Hours After AI Goes Wrong

Traditional incident response assumes a breach: someone got in who should not have. AI incidents break this model in three ways.

The AI Insurance Reckoning: What Your CFO Needs to Know Before the Next Renewal

Most mid-market CFOs treat insurance lines as separate purchasing decisions — cyber with the IT team, D&O with the board, E&O with operations, professional liab

AI and Professional Liability: The Malpractice Exposure Nobody Priced

Professional liability insurance was designed for a world where errors came from human judgment. A lawyer missed a filing deadline. An accountant transposed dig

The AI Regulatory Preparation Roadmap: A 2026-2027 Compliance Calendar for Multi-State Companies

The calendar below sequences every actionable compliance deadline for a mid-market company operating across five or more U.S. states. Deadlines are organized by

AI-Washing Liability: The Enforcement Landscape Every CEO and GC Must Understand

The SEC's AI-washing enforcement has escalated from administrative penalties to parallel criminal prosecutions in 18 months.

Assume Breach for AI Agents: Zero Trust Security in the Age of Autonomous Systems

The security model that worked for SaaS applications does not work for AI agents. SaaS applications receive instructions and return data. AI agents receive goal

Board Fiduciary Duty in the AI Era: When "Wait and See" Becomes Director Liability

The duty of oversight under Delaware law traces to *In re Caremark Int'l Inc. Derivative Litig.*, 698 A.2d 959 (Del. Ch. 1996). Directors face liability when th

What the CISO Needs to Know About AI Risk That Traditional Software Risk Models Miss

Traditional software behaves the same way every time given the same inputs. AI does not. Large language models produce different outputs for identical inputs, e

What Your Cyber Insurer Now Asks About AI: Five Renewal Questions and How to Answer Them

These five questions are distilled from carrier application updates, broker renewal guidance (Founder Shield, WTW, Amwins, Marsh), and insurer public commentary

EU AI Act Implications for Law Firms with European Offices

Article 2 of the EU AI Act applies to any entity that "places on the market or puts into service AI systems or places on the market general-purpose AI models in

The General Counsel's AI Checklist: 12 Legal Risk Categories for a 200-500 Person Company

General counsel at mid-market companies face a unique structural problem. They lack the dedicated AI counsel, regulatory affairs teams, and compliance infrastru

The Mid-Market AI Acceptable Use Policy: The General Counsel's Day 1 Document

The acceptable use policy sits at the intersection of legal risk, data security, and operational efficiency — and at a 200-2,000 person company, the GC is the o

The Multi-State AI Compliance Matrix: One Program, Not Five

The regulatory environment is fragmented but not chaotic. State AI laws fall into five categories, and most mid-market companies face obligations in three or fo

OWASP, NIST, and CSA on AI Coding Tool Security: What the Standards Bodies Actually Say

OWASP's LLM Top 10, developed by 500+ international experts, is the de facto application security standard for AI-powered systems. The 2025 version reflects the

The Regulated Industry AI Compliance Overlay: What Financial Services, Healthcare, and Insurance Companies Face on Top of State AI Laws

Mid-market companies in regulated industries face a compliance architecture that horizontal AI governance research does not address. The multi-state compliance

AI Security Frontier: Enterprise Risks, Compliance, and Governance (2025-2026)

1. **Prompt injection** to bypass LLM guardrails

The AI Security Floor: 10 Controls Every 200-500 Person Company Needs Before Deploying Any AI Tool

The typical mid-market company approaches AI security backwards. They buy the tool, deploy it broadly, and address security after an incident. IBM's data explai

Your Vendors Are Adopting AI on Your Behalf: The Third-Party Risk You Are Not Managing

Every mid-market company runs its business on 3-5 core platforms: Microsoft 365 or Google Workspace for productivity, Salesforce or HubSpot for CRM, NetSuite or