We Make Sure

David Pahlman - Starting the First Risk Assessment

The episode provides a practical guide to conducting a risk assessment, emphasizing simplicity and practicality. It outlines five key steps: defining scope, identifying risks, assessing likelihood and impact, planning response, and documenting the assessment. Takeaways * Simplicity in risk assessment * Regular review of risk assessment Chapters * 00:00 The Truth About Risk Assessment

David Pahlman - Agentic A.I. Governance

Agentic AI is a compliance problem that most businesses aren't ready for. It requires governance, human checkpoints, audit logging, and updated AI policies to address the liability and accountability issues. Businesses need to define the scope and permissions, build human checkpoints, require audit logging, and update AI policies to address the challenges of agentic AI. Takeaways * Agentic AI requires governance * Human checkpoints are essential for agentic AI * Audit logging is necessary for every action of an AI agent * Updated AI policies are crucial for addressing the challenges of agentic AI Chapters * 00:00 Introduction to Agentic AI

David Pahlman - Compliance As Code

Compliance as Code vs Real Compliance | HIPAA, ISO 27001, and NIST 800-53 Explained Everyone is talking about Compliance as Code—automating controls, enforcing policies in CI/CD, and letting tools monitor security posture in real time. But can automation really handle the full scope of compliance frameworks like HIPAA, ISO 27001, and NIST 800-53? In this episode of the We Make Sure Podcast, David Pahlman breaks down where Compliance as Code works incredibly well—and where it falls short. You’ll learn why automation can enforce technical controls, but frameworks like HIPAA and ISO demand something deeper: governance, leadership involvement, risk-based decisions, and documented intent. If you're a CISO, security leader, compliance professional, or executive, this episode will help you understand how to balance automation with real-world compliance strategy. In this episode we discuss: • What Compliance as Code actually is • Where automation strengthens security programs • Why HIPAA compliance is mostly administrative • Why ISO 27001 requires intentional governance • The limits of automation in NIST 800-53 • The difference between proving a control exists and proving why it exists Compliance as Code is powerful—but real compliance still requires people, judgment, and leadership. Subscribe for more conversations on: Cybersecurity • Governance • Risk Management • Compliance • Leadership About the We Make Sure Podcast The We Make Sure Podcast explores the intersection of cybersecurity, governance, risk management, and leadership. Each episode breaks down complex security and compliance topics into practical insights that executives and security professionals can actually use. If you work in security, compliance, healthcare technology, or executive leadership, this channel is built for you. #CyberSecurity #Compliance #ISO27001 #HIPAA #NIST #GRC #DevSecOps #InformationSecurity #WeMakeSure