Field Notes

Stories from the audit beat.

One post per regulator. Each one is a 90-second narrated walkthrough plus a 600-word explainer of the engineering that makes it possible.

Privacy · GDPR

GDPR Article 15 in 60 seconds, not 30 days

Every DSAR costs the average SaaS company €35,000 and a month of senior-engineering time. It doesn't have to.

5 min read · read →
California · CCPA / CPRA

CCPA "do not sell," cryptographically proven

California's twelve-month sharing lookback is the hardest CCPA primitive to evidence. It shouldn't be.

5 min read · read →
Insurance · NAIC market conduct

Insurance audit week, compressed to one Cypher query

NAIC market-conduct examinations are six-week projects for most carriers. They're a ninety-second project for one.

5 min read · read →
Healthcare · HIPAA · OCR · state privacy

The CDS override defense, cryptographic by default

An HHS OCR complaint about a documented clinical override is a question your audit chain should already have answered.

6 min read · read →
AI Governance · EU AI Act

EU AI Act conformity in five minutes

An Annex IV documentation package is the most expensive thing your AI team will ever produce. With chained provenance, it's a query.

6 min read · read →
Financial Controls · SOX · PCAOB

The SOX walk-through, compressed to six minutes

AS-1105 evidence integrity is a sentence in the standard. With a chained audit log, it's a mathematical proof.

5 min read · read →
Security Standards · PCI DSS 4.0

PCI DSS Requirement 10 in seventy seconds

Cardholder access logs in eight systems is the reason PCI audits take a month. They don't have to.

5 min read · read →
Financial Controls · DORA · EU

Beating DORA's four-hour clock with a single query

Article 19 demands a four-hour notification. If your vendor dependencies aren't in a graph, you've already lost.

5 min read · read →
Security Standards · HITRUST CSF

HITRUST CSF, 310 controls in eight minutes

Eighty percent of a HITRUST assessment is evidence reconciliation. Almost all of it is preventable.

5 min read · read →
Financial Controls · 23 NYCRR 500

Beating NYDFS's 72-hour cyber-event clock

Section 500.17 says notify the Superintendent within 72 hours. If your incident timeline is in three different SIEM tools, you've already lost.

5 min read · read →
Industries · FDA 21 CFR Part 11

21 CFR Part 11 compliance, by construction

The FDA inspector wants the audit trail for batch B-44218 at lot release. In one stack, that's a single Cypher query. In yours, it's two months of reconciliation.

6 min read · read →
Critical Infrastructure · NERC CIP

NERC CIP, evidenced asset by asset

NERC penalties scale at $1.5M per violation per day. A triennial audit shouldn't be a six-month gamble.

5 min read · read →
Government · FedRAMP · FISMA

FedRAMP ConMon, control by control

Lose your ATO and you lose every federal contract overnight. The annual assessment shouldn't be the threat it is.

5 min read · read →
Finance · FINRA Reg BI

Reg BI duty of care, cryptographically defensible

The hardest FINRA question — has the model card been edited since the trade? — is the easiest one to answer if your records are chained.

5 min read · read →