AI Governance & IT Risk Advisory

15+ years spanning the full IT lifecycle — from building servers and databases in the datacenter, to designing controls, auditing enterprise systems, and managing risk for financial services. I bring hands-on technical depth to threat-informed risk assessment, AI governance, and control design that integrates directly into business processes.

What I Do

I help financial institutions understand and manage the risks that emerge when AI meets regulatory compliance. My approach is threat-informed, evidence-based, and grounded in frameworks that regulators recognize.

Threat-Informed Risk Assessment

Methodology for mapping MITRE ATT&CK techniques to control environments in financial services, with evidence-based coverage validation.

MITRE ATT&CK, Risk Assessment, Financial Services

CRI Coverage Framework

Operationalizing the Cyber Risk Institute Profile for community banks — gap analysis methodology with quantified coverage ratings.

CRI Profile, Gap Analysis, Banking

AI Governance Case Studies

Evidence portfolio spanning three governance layers — operational, strategic, and regulatory — with real-world AI audit scenarios.

AI Governance, Case Studies, Audit

Integrated Risk Deliverables

Analysis outputs delivered into SharePoint and MS Lists via Power Automate — not Excel attachments. Findings, controls, and risk tracking live where the organization works.

SharePoint, Power Automate, MS Lists

MITRE Validation Methodology

Two-layer validation framework — reasoning validation grounded in source material, and controls validation mapped to MITRE mitigations.

MITRE, Validation, Controls

Approach

Every assessment starts with understanding the threat landscape, not the compliance checklist. Controls exist to mitigate specific risks — if you can't trace a control back to a threat, you can't validate its effectiveness.

01. Threat Mapping

Identify relevant MITRE ATT&CK techniques for your industry and environment. Focus on what adversaries actually do, not theoretical risks.

02. Controls Validation

Map existing controls to threat mitigations. Quantify coverage using evidence-based ratings — not opinions, not checkboxes.

03. Gap Remediation

Prioritize gaps by exploitability and business impact. Deliver actionable recommendations with implementation guidance.

Frameworks & Standards

Grounded in the frameworks that matter to regulators, auditors, and boards.

Mentors

I owe my level of expertise to these three professionals. Each shaped a different dimension of how I approach risk, audit, and governance work.

Let's Work Together

Available for consulting engagements in AI governance, IT risk assessment, and threat-informed audit for financial services.