We Make Sure

The episode provides a practical guide to conducting a risk assessment, emphasizing simplicity and practicality. It outlines five key steps: defining scope, identifying risks, assessing likelihood and impact, planning response, and documenting the assessment.TakeawaysSimplicity in risk assessmentRegular review of risk assessmentChapters00:00 The Truth About Risk Assessment

Agentic AI is a compliance problem that most businesses aren't ready for. It requires governance, human checkpoints, audit logging, and updated AI policies to address the liability and accountability issues. Businesses need to define the scope and permissions, build human checkpoints, require audit logging, and update AI policies to address the challenges of agentic AI.TakeawaysAgentic AI requires governanceHuman checkpoints are essential for agentic AIAudit logging is necessary for every action of an AI agentUpdated AI policies are crucial for addressing the challenges of agentic AIChapters00:00 Introduction to Agentic AI

Compliance as Code vs Real Compliance | HIPAA, ISO 27001, and NIST 800-53 ExplainedEveryone is talking about Compliance as Code—automating controls, enforcing policies in CI/CD, and letting tools monitor security posture in real time. But can automation really handle the full scope of compliance frameworks like HIPAA, ISO 27001, and NIST 800-53?In this episode of the We Make Sure Podcast, David Pahlman breaks down where Compliance as Code works incredibly well—and where it falls short.You’ll learn why automation can enforce technical controls, but frameworks like HIPAA and ISO demand something deeper: governance, leadership involvement, risk-based decisions, and documented intent.If you're a CISO, security leader, compliance professional, or executive, this episode will help you understand how to balance automation with real-world compliance strategy.In this episode we discuss:• What Compliance as Code actually is• Where automation strengthens security programs• Why HIPAA compliance is mostly administrative• Why ISO 27001 requires intentional governance• The limits of automation in NIST 800-53• The difference between proving a control exists and proving why it existsCompliance as Code is powerful—but real compliance still requires people, judgment, and leadership.Subscribe for more conversations on:Cybersecurity • Governance • Risk Management • Compliance • LeadershipAbout the We Make Sure PodcastThe We Make Sure Podcast explores the intersection of cybersecurity, governance, risk management, and leadership. Each episode breaks down complex security and compliance topics into practical insights that executives and security professionals can actually use.If you work in security, compliance, healthcare technology, or executive leadership, this channel is built for you.#CyberSecurity #Compliance #ISO27001 #HIPAA #NIST #GRC #DevSecOps #InformationSecurity #WeMakeSure