A practical guide to building scalable enterprise cloud governance frameworks. Covers the three operating models (centralized, decentralized, federated), common governance challenges at scale such as drift, IAM gaps, and compliance failures, and a seven-step framework: auditing assets, defining policies, automating enforcement, continuous monitoring, breach response, shared accountability, and iterative review. Also covers regulatory drivers including GDPR, HIPAA, PCI DSS, and SOC 2, along with best practices around auditability, automation, and feedback loops. The post concludes with a walkthrough of how Spacelift supports governance through policy-as-code, drift detection, and IaC orchestration.
Source: https://spacelift.io/blog/enterprise-cloud-governance. 8sync News only summarizes and links to the original; the content remains the copyright of its author and original source.
The article shows how to use Pulumi with the @pulumi/databricks provider to deploy a governed Databricks workspace in TypeScript, covering cluster policies, secret scopes, a notebook, a scheduled ETL job, and access control. The solution supports multi-stack promotion (dev → prod) so that the same governance controls are kept consistent across environments.
Developers should read this to learn how to automate and manage the security, cost, and permission rules in Databricks through Pulumi, reducing the risk that comes with manual configuration and streamlining the deployment path from dev to production.
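To make the "same controls, per-stack limits" idea concrete, here is an added example that is not code from the article, from Pulumi, or from Databricks. It builds a Databricks-style cluster policy definition for each stack and then applies that policy locally to a proposed cluster request, the way a pre-submit or promotion check would. The rule shape (type: fixed, range, allowlist, regex, unlimited) follows the Databricks cluster-policy definition format as I understand it; the stack names, Spark version, node types, limits, and tag names are assumptions for illustration.

```typescript
// Added example; not code from the article, from Pulumi, or from Databricks.
// Rule shape follows the Databricks cluster-policy definition format as understood
// by the author; stack names, node types, limits and tag names are assumptions.

type Scalar = string | number | boolean;

type PolicyRule =
  | { type: "fixed"; value: Scalar; hidden?: boolean }
  | { type: "range"; minValue?: number; maxValue?: number; defaultValue?: number }
  | { type: "allowlist"; values: Scalar[]; defaultValue?: Scalar }
  | { type: "regex"; pattern: string; defaultValue?: string }
  | { type: "unlimited"; defaultValue?: Scalar };

export type PolicyDefinition = Record<string, PolicyRule>;
// A cluster request as the API receives it: flat attributes plus a nested custom_tags map.
export type ClusterSpec = { [key: string]: Scalar | Record<string, Scalar> | undefined };
export type Stack = "dev" | "prod";

// The governed attributes are identical in every stack; only the bounds differ.
export function clusterPolicyFor(stack: Stack): PolicyDefinition {
  const prod = stack === "prod";
  return {
    spark_version: { type: "fixed", value: "15.4.x-scala2.12", hidden: true },
    data_security_mode: { type: "fixed", value: "SINGLE_USER", hidden: true },
    autotermination_minutes: { type: "range", minValue: 10, maxValue: prod ? 60 : 120, defaultValue: 30 },
    node_type_id: { type: "allowlist", values: prod ? ["i3.xlarge"] : ["i3.xlarge", "i3.2xlarge"], defaultValue: "i3.xlarge" },
    num_workers: { type: "range", minValue: 1, maxValue: prod ? 8 : 4 },
    "custom_tags.env": { type: "fixed", value: stack },
    "custom_tags.cost_center": { type: "regex", pattern: "^cc-[0-9]{4}$" },
  };
}

// Dotted attribute paths ("custom_tags.env") address one level of nesting.
function getAttr(spec: ClusterSpec, path: string): Scalar | undefined {
  const parts = path.split(".");
  const head = parts[0];
  const tail: string | undefined = parts[1];
  const top = spec[head];
  if (tail === undefined) return typeof top === "object" ? undefined : top;
  return typeof top === "object" ? top[tail] : undefined;
}

function setAttr(spec: ClusterSpec, path: string, value: Scalar): void {
  const parts = path.split(".");
  const head = parts[0];
  const tail: string | undefined = parts[1];
  if (tail === undefined) { spec[head] = value; return; }
  const nested = typeof spec[head] === "object" ? (spec[head] as Record<string, Scalar>) : {};
  nested[tail] = value;
  spec[head] = nested;
}

// Applies fixed values and defaults, then reports every rule the request violates.
// An attribute with neither a value nor a default is treated as a violation here
// (a conservative choice made for this example).
export function applyPolicy(policy: PolicyDefinition, request: ClusterSpec): { spec: ClusterSpec; violations: string[] } {
  const spec: ClusterSpec = JSON.parse(JSON.stringify(request));
  const violations: string[] = [];
  for (const [attr, rule] of Object.entries(policy)) {
    let value = getAttr(spec, attr);
    if (rule.type === "fixed") {
      if (value === undefined) setAttr(spec, attr, rule.value);
      else if (value !== rule.value) violations.push(`${attr}: fixed to ${rule.value}, got ${value}`);
      continue;
    }
    if (value === undefined) {
      if (rule.defaultValue === undefined) { violations.push(`${attr}: required by policy`); continue; }
      value = rule.defaultValue;
      setAttr(spec, attr, value);
    }
    if (rule.type === "range") {
      if (typeof value !== "number" || (rule.minValue !== undefined && value < rule.minValue) || (rule.maxValue !== undefined && value > rule.maxValue))
        violations.push(`${attr}: ${value} outside [${rule.minValue ?? "-inf"}, ${rule.maxValue ?? "inf"}]`);
    } else if (rule.type === "allowlist") {
      if (!rule.values.includes(value)) violations.push(`${attr}: ${value} not in allowlist`);
    } else if (rule.type === "regex") {
      if (typeof value !== "string" || !new RegExp(rule.pattern).test(value)) violations.push(`${attr}: ${value} does not match ${rule.pattern}`);
    }
    // "unlimited" imposes no constraint beyond its default.
  }
  return { spec, violations };
}

// Promotion gate: a request that passed in dev must also satisfy the prod policy.
export function promotionGate(request: ClusterSpec): Record<Stack, string[]> {
  return {
    dev: applyPolicy(clusterPolicyFor("dev"), request).violations,
    prod: applyPolicy(clusterPolicyFor("prod"), request).violations,
  };
}

// Constructed sample: a dev cluster request an engineer wants to promote unchanged.
export const sampleRequest: ClusterSpec = {
  cluster_name: "etl-nightly",
  autotermination_minutes: 90,
  num_workers: 3,
  custom_tags: { env: "dev", cost_center: "cc-0042" },
};

console.log(JSON.stringify(promotionGate(sampleRequest), null, 2));
```

The sample request passes the dev policy but fails prod on two rules (the auto-termination bound and the fixed env tag), which is exactly the class of drift a promotion gate should catch before anything reaches the workspace. In a Pulumi program the serialized output of clusterPolicyFor(stack) is what you would hand to the provider's cluster policy resource as its JSON definition, so the Databricks control plane enforces the same rules this local check previews.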
Traditional compliance frameworks like SOC 2 and ISO 27001 have become performative exercises in storytelling rather than genuine security assurance. FedRAMP 20x is pushing a fundamentally different model: machine-readable evidence, APIs, telemetry, and continuous operational visibility instead of point-in-time snapshots and curated screenshots. The author shares their firsthand experience navigating FedRAMP 20x, including entering the moderate pilot without completing the low pathway first, and argues that the discomfort of exposing full operational truth — including bypassed approvals, drift events, and identity lifecycle failures — is precisely the point. The broader GRC engineering movement mirrors this shift, treating compliance as an engineering discipline with telemetry pipelines and continuous assurance rather than annual documentation exercises. The future of trust, the author argues, will be queryable operational data rather than polished PDF certifications.
Rapid7's Corey Thomas and Sabeen Malik discuss how frontier AI and evolving compliance requirements are forcing a new security operating model. AI is accelerating vulnerability discovery faster than existing standards and governance frameworks can handle, creating noise rather than safety unless paired with exploitability context. Compliance is shifting from annual snapshots to continuous evidence collection. The future model is AI-driven but human-led, connecting security operations, risk management, and compliance through live operational context rather than disconnected reports.
The EU Cyber Resilience Act (CRA) formalizes the open-source governance obligations that well-run organizations already meet; what it changes is that accountability becomes explicit. With enforcement due in December 2027, the CRA requires a documented open-source approval process, continuously maintained SBOMs, an auditable provenance chain, and vulnerability reporting from September 2026, while most enterprises are still not ready.
Developers should read this to understand that the EU CRA is not just another regulation but an opportunity to improve how open source is managed today: moving from the cost of maintaining private forks to effective upstream collaboration and sustainable compliance.

Amazon Neptune now supports AWS CloudFormation for provisioning and managing Neptune global databases via the new AWS::Neptune::GlobalCluster resource type. This enables teams to define multi-region graph database topologies as code, store configurations in source control, and integrate with CI/CD pipelines. Neptune global databases support a primary read-write cluster and up to five read-only secondary clusters across AWS regions, with low-latency replication. Use cases include cross-region low-latency reads, disaster recovery, data residency compliance, and high-availability graph deployments.

A deep dive into Azure Bicep's conditional (if) and iterative (for) deployment features, covering practical patterns and common pitfalls. Key topics include: guarding references to conditional resources using ternary expressions, the non-cascading nature of conditions on child resources, safe use of runtime functions like listKeys(), resource naming stability in loops, the difference between resource/module loops and variable/output loops, index fragility in filtered loops, and using @batchSize() to control deployment parallelism. Includes a practical checklist and a complete example combining conditionals, filtered loops, batching, and structured outputs.
AWS released Blocks in public preview, an open-source TypeScript framework that bundles application code, local mocks, and AWS infrastructure into composable npm packages called Blocks. Designed with AI agents in mind, it ships with built-in steering files that guide coding agents toward correct architecture. Developers can run a full backend locally without an AWS account using npm run dev, then deploy the same code unchanged to Lambda, DynamoDB, Aurora, API Gateway, and Bedrock. Around 20 Blocks are available covering databases, authentication, AI agents, file storage, real-time messaging, and more. Type safety flows end-to-end from schema to frontend across major web frameworks and native clients. Blocks applications are CDK applications, allowing escape hatches to raw CDK when needed. The framework is free; users pay only for underlying AWS services consumed.
Enterprise AI agent frameworks excel at coordinating tasks but lack built-in governance for production environments. A missing orchestration layer is needed to evaluate every agent action against policies covering data locality, model approval, authorization chains, and audit requirements. Drawing an analogy to Kubernetes, this layer would sit between agent logic and execution, using ontology-aware policy evaluation to reason over entity relationships (datasets, models, regulations, environments) rather than simple ACLs. Decision provenance — traceable records of what ran, under what authorization, and with what effect — is framed as a first-class requirement, especially given the EU AI Act's Article 12/17 mandates. Without this layer, Gartner predicts over 40% of agentic AI projects will be canceled by 2027 due to inadequate risk controls.
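The paragraph describes the layer in terms of its properties; the added example below (not code from the article or from any agent framework) shows what such a layer minimally has to do. Every agent action is evaluated by reasoning over entity relationships (dataset to regulation to permitted regions, model approval, human grant to agent delegation) rather than a flat ACL, and every decision is written to a hash-chained log so that what ran, under whose authorization, and with what outcome can be queried and tamper-checked afterwards. The hash chain is one way to make provenance records tamper-evident, chosen here rather than taken from the article. All entity names, regions, and the policy rules themselves are assumptions; treating a regulation as a region allowlist is a simplification.

```typescript
import { createHash } from "node:crypto";

// Added example; not code from the article or from any agent framework. Entity
// names, regions and rules are assumptions; "regulation = region allowlist" is a
// simplification for illustration.

interface Dataset { id: string; region: string; regulations: string[] }
interface Model { id: string; approved: boolean }
interface Environment { id: string; region: string }
interface Regulation { id: string; allowedRegions: string[] }
interface Grant { principal: string; dataset: string; operations: string[] }
interface Delegation { agent: string; onBehalfOf: string; operations: string[]; expires: string }

export interface Ontology {
  datasets: Record<string, Dataset>;
  models: Record<string, Model>;
  environments: Record<string, Environment>;
  regulations: Record<string, Regulation>;
  grants: Grant[];
  delegations: Delegation[];
}

export interface AgentAction {
  agent: string; onBehalfOf: string; operation: string;
  dataset: string; model: string; environment: string;
}

export interface Decision { allowed: boolean; reasons: string[] }

// Policy evaluation: collects every reason to deny so the record explains itself.
export function evaluate(o: Ontology, a: AgentAction, now: Date): Decision {
  const ds = o.datasets[a.dataset], model = o.models[a.model], env = o.environments[a.environment];
  if (!ds || !model || !env) return { allowed: false, reasons: ["action references an unknown dataset, model or environment"] };
  const reasons: string[] = [];
  // Model approval: only approved models may execute.
  if (!model.approved) reasons.push(`model ${model.id} is not approved`);
  // Data locality: the execution region must be permitted by every regulation covering the dataset.
  for (const regId of ds.regulations) {
    const reg = o.regulations[regId];
    if (!reg) { reasons.push(`dataset ${ds.id} cites unknown regulation ${regId}`); continue; }
    if (!reg.allowedRegions.includes(env.region)) reasons.push(`${regId}: ${ds.id} may not be processed in ${env.region}`);
  }
  // Authorization chain: the human principal must hold the operation on the dataset, and the
  // agent must hold an unexpired delegation from that principal covering the same operation.
  const userHolds = o.grants.some(g => g.principal === a.onBehalfOf && g.dataset === ds.id && g.operations.includes(a.operation));
  if (!userHolds) reasons.push(`${a.onBehalfOf} lacks ${a.operation} on ${ds.id}`);
  const delegated = o.delegations.some(d => d.agent === a.agent && d.onBehalfOf === a.onBehalfOf
    && d.operations.includes(a.operation) && new Date(d.expires).getTime() > now.getTime());
  if (!delegated) reasons.push(`${a.agent} holds no valid ${a.operation} delegation from ${a.onBehalfOf}`);
  return { allowed: reasons.length === 0, reasons };
}

export interface ProvenanceRecord {
  seq: number; at: string; action: AgentAction; decision: Decision; policyVersion: string; prevHash: string; hash: string;
}

function sha256(s: string): string { return createHash("sha256").update(s).digest("hex"); }

// Append-only, hash-chained decision log: each record commits to the previous one.
export class ProvenanceLog {
  private records: ProvenanceRecord[] = [];
  private policyVersion: string;
  constructor(policyVersion: string) { this.policyVersion = policyVersion; }

  record(action: AgentAction, decision: Decision, at: Date): ProvenanceRecord {
    const prevHash = this.records.length ? this.records[this.records.length - 1].hash : "0".repeat(64);
    const body = { seq: this.records.length, at: at.toISOString(), action, decision, policyVersion: this.policyVersion, prevHash };
    const rec = { ...body, hash: sha256(JSON.stringify(body)) };
    this.records.push(rec);
    return rec;
  }

  // Recomputes the chain; an edited, reordered or dropped record fails verification.
  verify(): boolean {
    let prev = "0".repeat(64);
    for (const r of this.records) {
      const { hash, ...body } = r;
      if (r.prevHash !== prev || sha256(JSON.stringify(body)) !== hash) return false;
      prev = hash;
    }
    return true;
  }

  at(seq: number): ProvenanceRecord { return this.records[seq]; }
  get length(): number { return this.records.length; }
}

// Gate: evaluate, record, and only then let the executor read the decision.
export function authorize(o: Ontology, log: ProvenanceLog, a: AgentAction, now: Date = new Date()): ProvenanceRecord {
  return log.record(a, evaluate(o, a, now), now);
}

// Constructed sample ontology for the demonstration.
export const sampleOntology: Ontology = {
  datasets: { "eu-customers": { id: "eu-customers", region: "eu-west-1", regulations: ["GDPR"] } },
  models: { "llm-v2": { id: "llm-v2", approved: true }, "llm-beta": { id: "llm-beta", approved: false } },
  environments: { "prod-eu": { id: "prod-eu", region: "eu-west-1" }, "prod-us": { id: "prod-us", region: "us-east-1" } },
  regulations: { GDPR: { id: "GDPR", allowedRegions: ["eu-west-1", "eu-central-1"] } },
  grants: [{ principal: "alice", dataset: "eu-customers", operations: ["read"] }],
  delegations: [{ agent: "summarizer-bot", onBehalfOf: "alice", operations: ["read"], expires: "2030-01-01T00:00:00Z" }],
};
```

The point of recording before returning the decision is that a denied or bypassed action leaves the same kind of trace as an allowed one; and because each record's hash covers the previous hash, flipping a stored decision or deleting a record breaks verify(), which is what makes the log usable as evidence rather than just as a report.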