Sign in Subscribe

About Tom Hillman

Practical AI security controls and evidence patterns for regulated SaaS teams shipping agentic AI.

I’m Tom Hillman. I help security and GRC leaders in regulated SaaS deploy and operate agentic AI that stays auditable and trusted, with practical controls and reusable evidence.

If agentic AI is now part of how you deliver your product or service, you will be asked for proof. Not opinions, proof. What the system did, why it did it, and who approved it.

This site exists to make that easier.

What I publish

I publish one post a week. Each post is built around a concrete artefact you can copy, adapt, and use internally.

Expect things like:

  • Evidence pack structures you can hand to audit or a bank security reviewer.
  • Audit trail logging fields that make agent actions reconstructable.
  • Change control patterns for prompts, models, tools, and connectors.
  • Decision integrity rules for high-impact exceptions and human overrides.
  • Vendor risk questions that force clear answers.
  • Incident response artefacts and comms templates for when the model is the incident.

If I cannot make a claim operational, I try not to make it.

Who this is for

CISOs, Heads of Trust, security leaders, security architects, and GRC leads working in regulated SaaS. Particularly those serving banks, credit, fraud, payments, insurance, or other customers who ask hard questions and expect defensible answers.

If you are looking for generic AI commentary, you will not like this.

My working assumptions

Agentic AI expands blast radius because tools and connectors create side effects.

Auditability is a product requirement, not paperwork.

The best controls are boring, explicit, and easy to evidence.

If you cannot reconstruct an event in minutes, you do not control it.

Start here

If you want the practical version first, start with the AI Evidence Pack Starter Kit. It is intentionally small. It gives you the minimum structure to answer audits and due diligence without scrambling.

Newsletter

One email a week. Practical controls and evidence patterns. Unsubscribe anytime.

If you subscribe, you will get the same style as the posts, plus occasional condensed add-ons that are easier to paste into internal docs and questionnaires.

Contact

The simplest way to contact me is to reply to any newsletter email once you are subscribed.

If you include the exact question you are trying to answer, for example a due diligence question you keep getting, I will often turn it into a future post so you can reuse the answer.