Notes from the work.
A small number of articles, written when there's something specific to say. No newsletter, no SEO-padding. If a post is here, it's because a real conversation surfaced a question worth a long answer.
- Why we hash-chain the audit log instead of using a blockchain
Both designs produce a tamper-evident log. Only one of them survives a procurement conversation with a Canadian bank. Why we picked the older, less interesting design.
- AIDA, OSFI E-23, and the agent-action problem
Canada's regulatory environment for AI agents is more specific than most realize. AIDA, OSFI E-23, and the federal directive on automated decision-making converge on one question agent vendors will have to answer in 2026 procurement.
- What an authorization chain actually is
Filesystem permissions, capability tokens, OAuth, AWS IAM. Each was a step toward authorization that worked for a generation of systems and broke for the next. Why agent authorization needs one more layer, and what shape it has to be.
- The audit question your CRO is going to ask in Q3
Most agent projects stall before production not because the model isn't good enough, but because nobody can answer one question from the risk function. Here's the question, and what to have ready when it comes.