The Control Layer with Amer Altaf

Trust the agency, not just the agent: a conversation with Vanta's Khush Kashyap

Automating the Work, or the Workers? Vanta [https://www.vanta.com/] shipped a suite of AI agents it calls "24/7 GRC engineers" — evidence collection, risk analysis, vendor assessments, remediation guidance, all handled by machines. So what's left for the humans? Amer Altaf talks to Khush Kashyap, Senior Director of GRC at Vanta, about what agentic compliance actually means for practitioners — what it costs, what it changes, and whether the profession is being augmented or quietly automated out of existence. Khush runs Vanta's own GRC programme on the platform daily, making her both the builder and the first customer. In this episode: • What "agent" actually means at Vanta — beyond the industry buzzword • Whether this works for a 200-person firm with one security lead • The honest answer on pricing • Day one walkthrough: from spreadsheets to agentic compliance in a week • Who's accountable when the agent gets it wrong on approval number 41 • "Don't trust the agents — trust the agency you build" • UK GDPR vs EU GDPR: does the system know the difference? • Data sovereignty, the CLOUD Act, and what UK CISOs are asking • Will compliance teams shrink? The nuanced answer • What skills GRC teams are hiring for now Chapters: 00:00 What Vanta actually built — and what "agent" really means 07:44 Does this work for a 200-person firm? 17:03 Day one — from spreadsheets to agentic compliance 22:31 When you're clicking approve on autopilot 32:51 UK GDPR, data sovereignty, and the CLOUD Act 42:08 Automating the work or automating the workers? 53:39 The time machine question Guest: Khush Kashyap — Senior Director of Governance, Risk and Compliance, Vanta Host: Amer Altaf — Managing Editor, The Control Layer and CEO, Arkava [https://arkava.ai] Subscribe to The Control Layer: https://thecontrollayer.arkava.ai [https://thecontrollayer.arkava.ai] Get full access to The Control Layer at thecontrollayer.arkava.ai/subscribe [https://thecontrollayer.arkava.ai/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

The Equipment Chokehold: ASML and the end of the allied exemption

On 22 April 2026, the House Foreign Affairs Committee advanced by a substantial bipartisan margin a bill that gives the Netherlands 150 days to match American export controls on semiconductor equipment — or lose access to the American intellectual property inside every lithography machine ASML has ever built. This is the third instalment of the Four Chokepoints series — a 50-minute solo episode on the Multilateral Alignment of Technology Controls on Hardware Act, the ASML monopoly that sits at its centre, and the structural shift in how Washington treats its allies that the bill formalises. The argument has two halves. The first is structural: the allied exemption — the diplomatic consensus that allowed European technology companies to trade with relative autonomy inside a multilateral framework — is formally dead. The second is political: the instrument Washington has chosen to kill it reveals something uncomfortable about the stated justification for the entire technology embargo. The episode walks through: — What the MATCH Act actually says, who introduced it, and why the bipartisan, bicameral co-sponsorship matters more than the headline. — The silence from the Semiconductor Industry Association, SEMI, Lam Research, and Applied Materials that is the most important data point in the entire debate. — The honest acknowledgement of the security argument: China is building a state-subsidised semiconductor industry with explicit military applications, and the dual-use risk concern is not paranoia. — Why the MATCH Act is nevertheless not primarily a security instrument but a commercial protection instrument dressed in security language. — ASML's 100 per cent monopoly on EUV lithography, the €32.7 billion 2025 revenue, and the Cymer light source acquisition that gave Washington the legal hook. — The Foreign Direct Product Rule and how it converts a Dutch company's American supplier dependencies into the most powerful instrument of American economic statecraft currently in use. — The death of the Wassenaar Arrangement consensus model — and the structural reason Brussels has said nothing. — A specific recommendation for the quarterly board paper: the named, quantified, irreducible single-vendor dependency with no current mitigation. — A falsifiable predictive judgement about the European Commission's response, due by April 2027, with the four signals that will tell you whether the prediction is on track. — The closing seven-word argument that holds the whole thesis. This is Part 3 of a five-part series. Part 4 — on the CLOUD Act and the data jurisdiction — follows next week. The companion written analysis, fully sourced with 23 endnotes, is published at thecontrollayer.arkava.ai/p/four-chokepoints-the-equipment-chokehold. The Control Layer is the publication where Amer Altaf — Founder & CEO of Arkava, the UK and European sovereign AI agentic automation business, and a techUK contributor on technology sovereignty policy — tracks the convergence of cybersecurity, AI, and the geopolitics of the technology stack. One piece a week, free, written for the board paper. Subscribe at thecontrollayer.arkava.ai [http://thecontrollayer.arkava.ai]. Get full access to The Control Layer at thecontrollayer.arkava.ai/subscribe [https://thecontrollayer.arkava.ai/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

The Metal Floor: why you cannot procure sovereignty on imported metal

You cannot procure sovereignty on imported metal. That's the argument at the centre of this episode — Part 2 of the Four Chokepoints series. Aluminium smelters in the Gulf are offline. Helium tankers from Qatar are caught in the Hormuz disruption. And the entirety of European semiconductor policy — the €43 billion Chips Act — is sitting on a material foundation it hasn't costed. In this solo episode, Amer Altaf traces the supply chain underneath the supply chain. He explains why an aluminium pot line cannot be cold-started (the cells are destroyed, not paused), why every helium atom in commercial use was mined rather than manufactured, and why the loss of three million tonnes of Gulf aluminium capacity and 25 per cent of global helium supply is a sovereignty story rather than a commodity story. The episode walks through the EU Chips Act's three structural gaps, the UK Critical Minerals Strategy's order-of-magnitude funding shortfall, and an honest five-point metal floor strategy that would cost between €40 and €60 billion over a decade for the European bloc. It extends Ed Conway's Material World thesis to argue that digital sovereignty is a subset of material sovereignty — and it's the material layer Western policy has most systematically under-priced. The episode closes with a prediction: within 18 months, a major European fab will publicly disclose a helium allocation constraint delaying capacity expansion — and three amendments to the quarterly board paper introduced in Part 1. Read the full written analysis: thecontrollayer.arkava.ai [http://thecontrollayer.arkava.ai] Subscribe for Part 3: The Equipment Chokehold. Get full access to The Control Layer at thecontrollayer.arkava.ai/subscribe [https://thecontrollayer.arkava.ai/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

Four Chokepoints: The Fortnight That Made European Technology Sovereignty Unavoidable

Four Chokepoints: The Fortnight That Made European Technology Sovereignty Unavoidable Solo episode — Part 1 of the Four Chokepoints series --- On the morning of 8 April, four supply chains began to fail at once. Not in the same country. Not in the same industry. Not even on the same continent. The headlines called it an oil shock. It isn't. In this episode, I trace the line from the Strait of Hormuz to the server rack in your data centre — through the aluminium smelters, the helium tankers, the Dutch lithography plant, and the Franco-British communiqué that said something no European government has said out loud since 1945. My argument: the post-war bargain between Europe and America has not strained. It has inverted. And the board papers being written this month still treat it as an oil shock. If you prefer to read the full written analysis — with all twelve endnotes and the complete image brief — [that essay is here](https://thecontrollayer.arkava.ai/p/four-chokepoints-the-inversion). [https://thecontrollayer.arkava.ai/p/four-chokepoints-the-inversion).**] This episode covers the same ground but restructures it entirely for audio: different pacing, extended analogies, and three concrete lines I think should be rewritten in your next Audit and Risk Committee paper. --- What this episode covers The four failures — what actually happened in the fortnight to 12 April 2026: three million tonnes of Gulf aluminium capacity offline, helium tanker disruptions threatening semiconductor fabs, the MATCH Act's 150-day ultimatum to ASML, and the first Franco-British military operation outside the American framework since the post-war settlement. The inversion — why Helen Thompson's thesis about the contingent Atlantic settlement is no longer history but operational reality, and why Adam Tooze's structural polycrisis framework is the correct lens for the events of this fortnight. Three lines for the board paper — the vendor concentration matrix, the supply chain map, and the political risk register: what's wrong with each and what they should say instead. The eighteen-month prediction — procurement-driven re-sovereigntisation in UK and EU public-sector contracts, with explicit falsifiability conditions I'll track quarterly on The Control Layer. Get full access to The Control Layer at thecontrollayer.arkava.ai/subscribe [https://thecontrollayer.arkava.ai/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

Anthropic Built a Model Too Dangerous to Release. Then It Gave It to 12 American Companies.

Yesterday, Anthropic announced Project Glasswing — a cybersecurity coalition built around Claude Mythos Preview, a frontier AI model so proficient at finding and exploiting software vulnerabilities that it cannot safely be released to the public. In just weeks of testing, Mythos Preview has autonomously identified thousands of zero-day vulnerabilities in every major operating system and every major web browser — including a 27-year-old flaw in OpenBSD, a 16-year-old bug in FFmpeg that automated testing missed five million times, and a chained Linux kernel exploit that escalates to full machine control. The 12 launch partners — AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, Palo Alto Networks, Broadcom, NVIDIA, JPMorganChase, the Linux Foundation, and Anthropic — will use the model exclusively for defensive security work. Anthropic is committing $100 million in usage credits and $4 million to open-source security organisations. In this solo episode, I break down what Mythos Preview can actually do, why the defensive case is strong, and why the dual-use problem — the same model that finds vulnerabilities can exploit them — cannot be engineered away. Then I ask the question almost no one else covering this story is asking: why are all 12 launch partners US-headquartered? What does it mean when the most powerful defensive cybersecurity tool ever created is exclusively in the hands of American companies, subject to US government engagement, with no mention of the UK's NCSC, the EU's ENISA, or any non-US government body? What I cover: - Claude Mythos Preview's capabilities — and why this is a step change, not an incremental improvement - The defensive case: $100M in credits, open-source funding, and a coalition that touches most of the world's software infrastructure - The dual-use tension: Mythos develops working exploits autonomously, without human steering - The sovereignty question: all 12 partners are US-headquartered, and the implications for UK and European defenders are significant - Five things to watch over the coming months — from the 90-day report to the UK's Cyber Security and Resilience Bill This episode is for: - CISOs and security leaders assessing what AI-augmented threats mean for their organisations - CTOs and engineers building on infrastructure maintained by Glasswing partners - Policymakers writing cybersecurity legislation in a world that just changed - Anyone who believes the geography of AI capability is a strategic question, not a technical footnote Read the full analysis: thecontrollayer.arkava.ai [http://thecontrollayer.arkava.ai] The Control Layer is hosted by Amer Altaf, founder and CEO of Arkava, and publishes weekly. Sponsored by Arkava — Trusted Intelligence, Tangible Impact. https://arkava.ai [https://arkava.ai] Get full access to The Control Layer at thecontrollayer.arkava.ai/subscribe [https://thecontrollayer.arkava.ai/subscribe?utm_medium=podcast&utm_campaign=CTA_4]