Every organization has infrastructure that no one thinks about until it fails.
The water pipes in the building. The fire suppression system. The identity layer that decides who can touch what data, what system, what crown jewel — and when.
I’ve spent 25 years watching organizations discover their access controls the hard way: in the middle of an audit, after a breach, or when a regulator asks a question no one can answer cleanly.
This site is for the practitioners, the strategists, and the curious — the people who want to understand the invisible architecture before it becomes a headline.
We’ll dig into identity governance, IT audit, cybersecurity controls, and the frameworks that hold it all together. Expect opinions. Expect nuance. Expect the occasional uncomfortable truth.
Welcome to IT Risk & Controls.