Skip to content

Sources

Things I actually read and use, sorted by topic. For each link I note what it is and why I keep it.

Everything here is public. No employer material, no proprietary docs. Links go to the original author or publisher, not to rehosted copies.

How this is built

This page is a hand-picked view of my personal reading library. When something new earns its place, I add it here.

Right now: 24 sources in 6 topics.


EU compliance & GRC

DORA, NIS2 and the day-to-day work of gap assessments.

AI governance & security

Securing and governing AI systems. This topic moves fast, so check dates.

genai.owasp.org

OWASP: Securing Agentic Applications 1.0

The reference document for securing AI agents. I use it as the basis for any security review of an agentic system.

genai.owasp.org

AIUC-1 crosswalk to the Agentic Top 10

Maps the AIUC-1 standard to OWASP's Agentic Top 10. Handy when you need to show auditors that your agent controls cover recognized threat categories.

atlas.mitre.org

MITRE ATLAS knowledge graph

The adversarial threat landscape for AI, as a browsable graph. Use it for AI threat modeling the way you'd use ATT&CK for classic infrastructure.

saif.google

Google SAIF risk self-assessment

A free questionnaire that gives you an AI security risk profile. Good first step before paying for a full AI security audit.

iapp.org

IAPP: AI governance in the agentic era

Why governance frameworks built for predictive ML don't fit autonomous agents. Good framing for board-level discussions.

github.com

Microsoft agent governance toolkit

Specs, evals and guardrails for shipping agents to production. Basically a governance checklist you can reuse.

github.com

NVIDIA NeMo Guardrails

Open-source framework for adding programmable guardrails to LLM applications. The usual starting point for technical output controls.

github.com

DeepTeam, LLM red teaming

Open-source red-teaming framework for LLM apps. Use it to test prompt-injection and jailbreak resistance before go-live.

github.com

OWASP DevSecOps guideline

How to embed security into the delivery pipeline. As relevant for DORA Art. 25 development evidence as it is for AI systems.

Quantum & cryptography

Small topic, growing. The post-quantum migration will become a compliance question sooner than most teams expect.

Knowledge graphs & RAG

I think control frameworks are graphs, not spreadsheets. These are the sources behind that opinion.

Building AI agents

Engineering sources I keep coming back to when building agentic systems.

Learning & reference

Free, legitimate, worth the time.