Sources¶
Things I actually read and use, sorted by topic. For each link I note what it is and why I keep it.
Everything here is public. No employer material, no proprietary docs. Links go to the original author or publisher, not to rehosted copies.
How this is built
This page is a hand-picked view of my personal reading library. When something new earns its place, I add it here.
Right now: 24 sources in 6 topics.
EU compliance & GRC¶
DORA, NIS2 and the day-to-day work of gap assessments.
ISO 27001 & ISO 22301 free templates
Free policy and procedure templates. I use these as the baseline when starting a DORA or NIS2 gap assessment, since most DORA requirements trace back to these two standards anyway.
law-tracker.europa.euEU Law Tracker
The Commission's official legislation tracker. First stop when I need to know where DORA RTS/ITS, NIS2 implementing acts or AI Act secondary legislation currently stand.
github.comNIS2 posture management (open source)
An open-source platform for tracking NIS2 posture and remediation. Worth a look for how it breaks the directive down into controls you can actually check.
enisa.europa.euENISA cloud computing risk assessment
A classic. Still a solid template for structuring ICT third-party risk analysis under DORA.
medium.comRunning a GDPR project, step by step
A practitioner's playbook for scoping and running a GDPR programme. The project structure carries over to DORA and NIS2 work almost unchanged.
github.comEuConform, an AI Act evidence format
An open evidence format plus bias-evaluation tooling for EU AI Act conformity. Useful if you want to see what "documentation" concretely looks like for high-risk systems.
AI governance & security¶
Securing and governing AI systems. This topic moves fast, so check dates.
OWASP: Securing Agentic Applications 1.0
The reference document for securing AI agents. I use it as the basis for any security review of an agentic system.
genai.owasp.orgAIUC-1 crosswalk to the Agentic Top 10
Maps the AIUC-1 standard to OWASP's Agentic Top 10. Handy when you need to show auditors that your agent controls cover recognized threat categories.
atlas.mitre.orgMITRE ATLAS knowledge graph
The adversarial threat landscape for AI, as a browsable graph. Use it for AI threat modeling the way you'd use ATT&CK for classic infrastructure.
saif.googleGoogle SAIF risk self-assessment
A free questionnaire that gives you an AI security risk profile. Good first step before paying for a full AI security audit.
iapp.orgIAPP: AI governance in the agentic era
Why governance frameworks built for predictive ML don't fit autonomous agents. Good framing for board-level discussions.
github.comMicrosoft agent governance toolkit
Specs, evals and guardrails for shipping agents to production. Basically a governance checklist you can reuse.
github.comNVIDIA NeMo Guardrails
Open-source framework for adding programmable guardrails to LLM applications. The usual starting point for technical output controls.
github.comDeepTeam, LLM red teaming
Open-source red-teaming framework for LLM apps. Use it to test prompt-injection and jailbreak resistance before go-live.
github.comOWASP DevSecOps guideline
How to embed security into the delivery pipeline. As relevant for DORA Art. 25 development evidence as it is for AI systems.
Quantum & cryptography¶
Small topic, growing. The post-quantum migration will become a compliance question sooner than most teams expect.
Knowledge graphs & RAG¶
I think control frameworks are graphs, not spreadsheets. These are the sources behind that opinion.
Essential GraphRAG (free ebook)
A complete introduction to graph-based retrieval. Read this before deciding between vector-only and graph-augmented RAG.
neo4j.comGraph vs. knowledge graph vs. context graph
Clears up the terminology in one post. Share it with anyone who uses the three terms interchangeably.
nebula-graph.ioOntology and graph databases (parts I and II)
Why enterprise AI fails without ontologies, and how to get to production. Applies directly to modeling control frameworks as graphs.
ubuntu.comThe complete guide to RAG (free PDF)
End-to-end RAG reference from Canonical. A good handout for teams starting their first retrieval project.
Building AI agents¶
Engineering sources I keep coming back to when building agentic systems.
Harness design for long-running applications
How to architect agent harnesses that keep working for hours, not minutes. Foundational if you build agentic systems.
generativeprogrammer.com12 agentic harness patterns from Claude Code
Concrete, named patterns pulled from a production harness. A fast way to build up your agent-architecture vocabulary.
github.comHeadroom, context compression
Compresses tool outputs, logs and RAG chunks before they reach the model. Saves money and doubles as data minimization.
github.comContext7, current docs for LLMs
Serves up-to-date library documentation to LLMs instead of stale training data. Fixes a whole class of hallucinated-API bugs.
Learning & reference¶
Free, legitimate, worth the time.
OpenLearn from the Open University
Free courses from a real university, including solid cyber-security introductions. Good links to pass on to non-specialist readers.
classcentral.comFree certificates & badges list
A maintained list of thousands of free certifications. I point career-switchers here before they pay for anything.