Threat intel, regulatory radar and original analysis for CISOs, CTOs and AI security leaders.
Editorial analysis from the Kapālins team.
Models and the vendors behind them now sit inside operational resilience.
For APRA-regulated entities, AI is no longer a side experiment — models, copilots and the third parties behind them fall under operational-risk and prudential expectations (CPS 234, CPS 230). Boards want a single, evidenced view of where AI runs and how it's controlled. Kapālins maps live telemetry to those standards so the evidence is continuous, not a once-a-year scramble.
The Act reaches anyone placing AI on the EU market, not just European firms.
General-purpose AI obligations and transparency duties under the EU AI Act reach any firm placing AI on the EU market, wherever it is based. Risk classification, documentation and model provenance become table stakes. Kapālins keeps an AI-SBOM and a posture record so an EU classification request is an export, not a project.
Consent and purpose-limitation now reach prompt level.
As the DPDP Act's rules firm up, any AI that ingests personal data — copilots, support bots, RAG pipelines — inherits consent, purpose-limitation and cross-border obligations. Kapālins' privacy detection and prompt-level controls keep personal data out of places it shouldn't go, with evidence for the regulator.
SaaS-embedded AI is the fastest-growing blind spot.
M365 Copilot, Gemini in Workspace, Slack and Notion AI switch on quietly across an enterprise — and a gateway never sees them. Kapālins' Probe mode scans SaaS-embedded AI on a schedule, so shadow AI shows up on the Trust Index instead of in an incident report.
Tool-using and MCP agents expand the blast radius.
Agents that call tools, browse and chain actions can do real damage when prompt-injected or mis-scoped. Static tests don't catch it — runtime behaviour monitoring does. Kapālins' Agentic AI Behaviour Monitor watches what agents actually do, not just what they were configured to do.
Model provenance is the next supply-chain frontier.
Open weights, fine-tunes and third-party models enter the estate with little provenance, and a tampered or drifting model is hard to spot without a bill of materials. Kapālins' AI-SBOM and model-integrity checks give you a verifiable record of every model you run and how it has changed.
A 30-minute walkthrough of the Trust Index, the three observation modes and your regulator’s evidence chain — on your estate.