The regulations already exist. The engineering controls that make them work on GenAI don’t.
I work on the gap the April 2026 SR 11-7 rewrite just made explicit — the one between Model Risk Management doctrine and the actual mechanics of generative and agentic AI: prompts, vector indexes, tool-use loops, and a vendor’s silent weekly model update. Most firms are still trying to bridge it with policy documents alone.
Head of Infosec & AI Governance at Tetrate, and a contributor to the FINOS AI Governance Framework (Newcomer Award, OSFF NYC 2025). I write about AI governance as the work regulated firms have to evidence — not as framework adoption — and take a small number of fractional advisory engagements each year with banks, insurers, and FS infrastructure firms.
Currently taking a small number of fractional engagements through 2026.
- SR 11-7 Just Wrote Itself Out of the GenAI Conversation
  The April 17, 2026 interagency MRM rewrite formally excludes generative and agentic AI from scope. That's not a retreat — it's an RFI window.
- Agent Security: What NIST Wants You to Think About Before Your Agent Calls a Tool
  Your agent has AWS credentials. It can execute cloud CLI commands. NIST has opinions about this. Here's what tool-calling security looks like in practice.
- Making Agents Reliable: Auto-Save, Stable IDs, and the Context Window Problem
  When your agent crashes at tool call 142 out of 150, you'd better hope the first 141 findings aren't lost. Here are the patterns that made our cost agents production-ready.
- Not Everything Needs an LLM: When to Remove the AI from Your AI Agent
  We built an agent to sync compliance data. Then we built a version without the LLM that runs faster, costs less, and produces identical results. Knowing when to remove the AI is an underrated skill.
- Two Ways to Build a Cost Agent (And Why We Use Both)
  We built two fundamentally different architectures for our cost optimization agents. One lets the LLM drive. The other relegates it to a single call. Both have their place.
- Your Agent Found 2.4 Percent of the Savings. Now What?
  We built a cost optimization agent. It worked. Then we did the math: it was catching 2.4 percent of the savings. Here's what was missing and what we changed.
- We Built an AI Agent to Cut Our Cloud Bill in Half
  Our cloud bill was attracting board-level attention. Instead of hiring a FinOps team, we built AI agents that scan AWS, GCP, and Azure weekly. Here's what we learned.
- FINRA Just Told You What They'll Examine Your AI Agents On
  FINRA's 2026 report has a new section on AI agents with seven named risks and four considerations for firms. Here's what that actually means for your engineering team.