<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Michael E. Ruiz — Thinking</title>
    <link>https://michaeleruiz.com/thinking</link>
    <atom:link href="https://michaeleruiz.com/feed.xml" rel="self" type="application/rss+xml" />
    <description>Long-form essays on secure AI transformation, cybersecurity, AI governance, and enterprise technology operating models by Michael E. Ruiz.</description>
    <language>en-us</language>
    <item>
      <title>Building the AI-Native Enterprise</title>
      <link>https://michaeleruiz.com/thinking/building-the-ai-native-enterprise</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/building-the-ai-native-enterprise</guid>
      <pubDate>Tue, 14 Jul 2026 00:00:00 GMT</pubDate>
      <description>Becoming AI-native is an act of organizational design, not procurement. The AI-native enterprise is not the company with the most AI tools. It is the one that can coordinate human judgment, machine execution, memory, trust, and governance safely, repeatedly, and accountably.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Operating System for Expert Work</title>
      <link>https://michaeleruiz.com/thinking/the-operating-system-for-expert-work</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-operating-system-for-expert-work</guid>
      <pubDate>Tue, 07 Jul 2026 00:00:00 GMT</pubDate>
      <description>Expert work has never had an operating system. It has had tools, documents, meetings, and heroics. AI exposes the gap, because machines cannot run on tacit apprenticeship, and knowledge work now needs a layer that coordinates delegation, context, review, memory, evidence, and outcomes.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Trust Architecture for AI-Native Organizations</title>
      <link>https://michaeleruiz.com/thinking/trust-architecture-for-ai-native-organizations</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/trust-architecture-for-ai-native-organizations</guid>
      <pubDate>Mon, 29 Jun 2026 00:00:00 GMT</pubDate>
      <description>Trust in the AI-native enterprise is not a policy statement or a compliance posture. It is engineered through identity, authority, provenance, evidence, memory, observability, escalation, and fail-safe control, the connective tissue among cyber, governance, data, and the operating model.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Cyber Risk of Autonomous Workflows</title>
      <link>https://michaeleruiz.com/thinking/the-cyber-risk-of-autonomous-workflows</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-cyber-risk-of-autonomous-workflows</guid>
      <pubDate>Mon, 22 Jun 2026 00:00:00 GMT</pubDate>
      <description>As workflows move from deterministic automation to autonomous action, security must govern intent, provenance, permissions, and behavior. Autonomy is not the problem. Unbounded autonomy is.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Identity Beyond Humans</title>
      <link>https://michaeleruiz.com/thinking/identity-beyond-humans</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/identity-beyond-humans</guid>
      <pubDate>Mon, 15 Jun 2026 00:00:00 GMT</pubDate>
      <description>Enterprise identity was built for humans, applications, and service accounts. Agents introduce ephemeral, delegated, contextual identity, and demand that every machine action tie back to an accountable principal.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Cybersecurity in the Agentic Enterprise</title>
      <link>https://michaeleruiz.com/thinking/cybersecurity-in-the-agentic-enterprise</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/cybersecurity-in-the-agentic-enterprise</guid>
      <pubDate>Mon, 08 Jun 2026 00:00:00 GMT</pubDate>
      <description>In the agentic enterprise, the security question is no longer only who accessed what. It is what an authorized machine actor is allowed to decide and do right now. Security becomes the enforcement layer for delegated authority.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Why AI Agents Need Contracts, Not Just Prompts</title>
      <link>https://michaeleruiz.com/thinking/why-ai-agents-need-contracts-not-just-prompts</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/why-ai-agents-need-contracts-not-just-prompts</guid>
      <pubDate>Mon, 01 Jun 2026 00:00:00 GMT</pubDate>
      <description>Prompts describe intent. Enterprises need contracts that define authority, boundaries, evidence, escalation, and accountability for delegated machine work. The Agent Delegation Contract is one emerging expression of that need.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Enterprise Memory Problem</title>
      <link>https://michaeleruiz.com/thinking/the-enterprise-memory-problem</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-enterprise-memory-problem</guid>
      <pubDate>Mon, 25 May 2026 00:00:00 GMT</pubDate>
      <description>AI cannot become a reliable organizational actor while context stays trapped in chats, files, applications, and individual heads. Enterprise memory, decisions, assumptions, evidence, and outcomes, is the missing layer between pilots and AI-native operation.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Coordination Is the New AI Bottleneck</title>
      <link>https://michaeleruiz.com/thinking/coordination-is-the-new-ai-bottleneck</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/coordination-is-the-new-ai-bottleneck</guid>
      <pubDate>Mon, 18 May 2026 00:00:00 GMT</pubDate>
      <description>Model capability is advancing faster than organizations can coordinate people, agents, tools, context, and decisions. The next limit on enterprise AI is not intelligence. It is coordination.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Agentic Enterprise</title>
      <link>https://michaeleruiz.com/thinking/the-agentic-enterprise</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-agentic-enterprise</guid>
      <pubDate>Mon, 11 May 2026 00:00:00 GMT</pubDate>
      <description>Enterprises are moving from AI as a tool to AI as a delegated actor. Most operating models are built to manage people, applications, and vendors, not machine actors that accept work and produce effects.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Delegation Networks Are the New Unit of Scale</title>
      <link>https://michaeleruiz.com/thinking/delegation-networks-are-the-new-unit-of-scale</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/delegation-networks-are-the-new-unit-of-scale</guid>
      <pubDate>Mon, 04 May 2026 00:00:00 GMT</pubDate>
      <description>The pyramid scaled through headcount. The Diamond scales through delegation networks: coordinated webs of humans, agents, tools, context, and evidence. This is the bridge from the future of consulting to the agentic enterprise.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Advisory Operating System</title>
      <link>https://michaeleruiz.com/thinking/the-advisory-operating-system</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-advisory-operating-system</guid>
      <pubDate>Mon, 27 Apr 2026 00:00:00 GMT</pubDate>
      <description>Advisory firms do not need better prompt libraries. They need an operating system: the workflows, knowledge structures, delegation rules, evidence requirements, and review mechanisms that let expert work be delivered repeatedly through human-machine teams.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Expert Judgment as a Control Layer</title>
      <link>https://michaeleruiz.com/thinking/expert-judgment-as-a-control-layer</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/expert-judgment-as-a-control-layer</guid>
      <pubDate>Mon, 20 Apr 2026 00:00:00 GMT</pubDate>
      <description>AI automates tasks, not judgment. The consequence is not that experts are safe; it is that expert judgment must become an accountable control function over delegated machine work.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Diamond Model Needs a Control Plane</title>
      <link>https://michaeleruiz.com/thinking/the-diamond-model-needs-a-control-plane</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-diamond-model-needs-a-control-plane</guid>
      <pubDate>Mon, 13 Apr 2026 00:00:00 GMT</pubDate>
      <description>The Diamond model answered the staffing question for AI-era consulting. It did not answer the operating question. What makes the new shape safe and repeatable is a control plane for delegation, context, evidence, and review.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The End of the Consulting Pyramid</title>
      <link>https://michaeleruiz.com/thinking/the-end-of-the-consulting-pyramid</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-end-of-the-consulting-pyramid</guid>
      <pubDate>Mon, 06 Apr 2026 00:00:00 GMT</pubDate>
      <description>AI doesn&apos;t make the consulting pyramid more efficient. It puts the pyramid under structural pressure it was not designed to absorb. The firms that adapt earliest will not optimize the old model — they will begin replacing it.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Pyramid Bundles Two Things That Are Not the Same</title>
      <link>https://michaeleruiz.com/thinking/the-pyramid-bundles-two-things-that-are-not-the-same</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-pyramid-bundles-two-things-that-are-not-the-same</guid>
      <pubDate>Mon, 16 Mar 2026 00:00:00 GMT</pubDate>
      <description>Consulting expertise and consulting labor are distinct economic goods. The pyramid has bundled them together for so long that most firms have stopped noticing the difference. AI is forcing the unbundling.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>AI Governance at the Board Level: What Directors Need to Know</title>
      <link>https://michaeleruiz.com/thinking/ai-governance-at-the-board-level</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/ai-governance-at-the-board-level</guid>
      <pubDate>Mon, 02 Mar 2026 00:00:00 GMT</pubDate>
      <description>Board-level engagement with AI governance has followed the familiar pattern of board-level engagement with cybersecurity a decade ago. The regulatory signal is already visible to anyone watching closely.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Secure AI Transformation: What It Actually Takes</title>
      <link>https://michaeleruiz.com/thinking/secure-ai-transformation-what-it-actually-takes</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/secure-ai-transformation-what-it-actually-takes</guid>
      <pubDate>Mon, 02 Feb 2026 00:00:00 GMT</pubDate>
      <description>Secure AI transformation is the organizational process of adopting AI capabilities in a way that does not create new and unmanaged risk while acquiring new capability. Most enterprises are accumulating risk faster than they are building the capacity to manage it.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>What the Billable Hour Reveals</title>
      <link>https://michaeleruiz.com/thinking/what-the-billable-hour-reveals</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/what-the-billable-hour-reveals</guid>
      <pubDate>Mon, 19 Jan 2026 00:00:00 GMT</pubDate>
      <description>The time-and-materials model is not just a pricing mechanism. It is a lens that exposes a structural misalignment between how consulting firms spend effort and where clients perceive value.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Real Problem With Enterprise AI Adoption</title>
      <link>https://michaeleruiz.com/thinking/the-real-problem-with-enterprise-ai-adoption</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-real-problem-with-enterprise-ai-adoption</guid>
      <pubDate>Mon, 05 Jan 2026 00:00:00 GMT</pubDate>
      <description>The conversation about enterprise AI adoption has been dominated by technology questions. What has received less attention — and what is almost always the actual constraint — is organizational readiness.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Beyond GRC: Turning Signals into Business Decisions</title>
      <link>https://michaeleruiz.com/thinking/beyond-grc-turning-signals-into-business-decisions</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/beyond-grc-turning-signals-into-business-decisions</guid>
      <pubDate>Mon, 01 Dec 2025 00:00:00 GMT</pubDate>
      <description>GRC was built to create structure around regulatory requirements and produce evidence of due diligence. What it was not built for is helping organizations make better decisions about risk in real time. The gap between the signal and the decision is where most security programs lose their value.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Prompt Is Not the Product</title>
      <link>https://michaeleruiz.com/thinking/the-prompt-is-not-the-product</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-prompt-is-not-the-product</guid>
      <pubDate>Mon, 17 Nov 2025 00:00:00 GMT</pubDate>
      <description>The market has overweighted prompt engineering, treating the quality of the prompt as the primary determinant of AI output quality. It is not. The prompt is the input specification — output quality is determined by model quality, data quality, context quality, and evaluation rigor.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Risk Transfer Without Understanding: The Insurance Problem in Cyber</title>
      <link>https://michaeleruiz.com/thinking/risk-transfer-without-understanding</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/risk-transfer-without-understanding</guid>
      <pubDate>Mon, 03 Nov 2025 00:00:00 GMT</pubDate>
      <description>The organizations having the most difficulty with cyber insurance are not the ones with the worst security programs. They are the ones with the largest gap between what their policy says they have implemented and what they have actually implemented.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>What AI-Native Actually Means</title>
      <link>https://michaeleruiz.com/thinking/what-ai-native-actually-means</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/what-ai-native-actually-means</guid>
      <pubDate>Mon, 20 Oct 2025 00:00:00 GMT</pubDate>
      <description>AI-native is becoming the kind of phrase that means everything and therefore nothing. The organizations that will benefit from AI as a structural competitive advantage are those that have built something more substantive than a portfolio of AI tools sitting on top of traditional processes.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Governing Data at the Speed of Operations</title>
      <link>https://michaeleruiz.com/thinking/governing-data-at-the-speed-of-operations</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/governing-data-at-the-speed-of-operations</guid>
      <pubDate>Mon, 06 Oct 2025 00:00:00 GMT</pubDate>
      <description>Most data governance programs were designed to manage data at the pace of policy-making, not the pace of operations. In environments where AI systems are consuming and generating data continuously, that gap is becoming critical.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Architecture of Trust: Securing AI in Enterprise Environments</title>
      <link>https://michaeleruiz.com/thinking/the-architecture-of-trust</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-architecture-of-trust</guid>
      <pubDate>Mon, 01 Sep 2025 00:00:00 GMT</pubDate>
      <description>Organizations moving AI into production are discovering a security problem that was not salient during experimentation: the question of what the AI system is allowed to access, what it is allowed to do, and how the organization knows those boundaries are being respected.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>AI Increases Output. It Does Not Increase Judgment.</title>
      <link>https://michaeleruiz.com/thinking/ai-increases-output-not-judgment</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/ai-increases-output-not-judgment</guid>
      <pubDate>Mon, 18 Aug 2025 00:00:00 GMT</pubDate>
      <description>Output and judgment are being treated as if they exist on the same scale — as if producing more output at higher speed is equivalent to making better decisions. They are not the same thing.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Data Integration as a Security Control</title>
      <link>https://michaeleruiz.com/thinking/data-integration-as-a-security-control</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/data-integration-as-a-security-control</guid>
      <pubDate>Mon, 04 Aug 2025 00:00:00 GMT</pubDate>
      <description>The relationship between data integration and security is usually framed in one direction. The more consequential relationship runs the other way: data integration determines what can be seen, correlated, and acted on.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Automation Illusion: What AI Actually Replaces</title>
      <link>https://michaeleruiz.com/thinking/the-automation-illusion</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-automation-illusion</guid>
      <pubDate>Mon, 21 Jul 2025 00:00:00 GMT</pubDate>
      <description>AI does not replace work. It replaces specific cognitive tasks within work. Everything that requires judgment about what the output means and what to do with it remains human — and the enterprise response to AI has consistently blurred this distinction.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Data Problem Underneath Every AI Initiative</title>
      <link>https://michaeleruiz.com/thinking/the-data-problem-underneath-every-ai-initiative</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-data-problem-underneath-every-ai-initiative</guid>
      <pubDate>Mon, 07 Jul 2025 00:00:00 GMT</pubDate>
      <description>Every AI initiative runs into the same obstacle around six to eight weeks in, with the same expression of surprise. The models do not work the way the demos suggested — not because the technology is deficient, but because the data is not what the organization assumed it was.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>From Continuous Monitoring to Continuous Awareness</title>
      <link>https://michaeleruiz.com/thinking/from-continuous-monitoring-to-continuous-awareness</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/from-continuous-monitoring-to-continuous-awareness</guid>
      <pubDate>Mon, 02 Jun 2025 00:00:00 GMT</pubDate>
      <description>Data volume produces the appearance of security awareness while frequently obscuring the understanding that awareness is supposed to provide. The distinction between monitoring and awareness is the difference between having data and understanding what it is telling you.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Safe Interrogation in Fragile Systems: The Art of Touching Without Breaking</title>
      <link>https://michaeleruiz.com/thinking/safe-interrogation-in-fragile-systems</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/safe-interrogation-in-fragile-systems</guid>
      <pubDate>Mon, 05 May 2025 00:00:00 GMT</pubDate>
      <description>There is a competency in OT security that rarely appears in job descriptions but separates practitioners who can operate in industrial environments from those who have only studied them.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The Visibility Gap in OT: Why You See Less Than You Think</title>
      <link>https://michaeleruiz.com/thinking/the-visibility-gap-in-ot</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-visibility-gap-in-ot</guid>
      <pubDate>Mon, 07 Apr 2025 00:00:00 GMT</pubDate>
      <description>The gap between documented assets and actual assets in industrial environments is not organizational incompetence — it is a structural feature. And threat actors are not constrained by your asset inventory.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Why Vulnerability Management Breaks Down in Industrial Systems</title>
      <link>https://michaeleruiz.com/thinking/why-vulnerability-management-breaks-down-in-industrial-systems</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/why-vulnerability-management-breaks-down-in-industrial-systems</guid>
      <pubDate>Mon, 03 Mar 2025 00:00:00 GMT</pubDate>
      <description>The patch-prioritize-verify cycle of enterprise vulnerability management rests on assumptions that collapse in OT environments. A mature OT vulnerability program looks fundamentally different — and must be built from scratch.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>Active vs. Passive Monitoring in OT: The Question Nobody Wants to Answer</title>
      <link>https://michaeleruiz.com/thinking/active-vs-passive-monitoring-in-ot</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/active-vs-passive-monitoring-in-ot</guid>
      <pubDate>Mon, 03 Feb 2025 00:00:00 GMT</pubDate>
      <description>Passive monitoring is the safe choice in OT — and if taken too literally, it is also an incomplete one. The real answer is a tiered interrogation model that reflects actual device risk, not methodology purity.</description>
      <author>Michael E. Ruiz</author>
    </item>
    <item>
      <title>The False Promise of IT Security in OT Environments</title>
      <link>https://michaeleruiz.com/thinking/the-false-promise-of-it-security-in-ot-environments</link>
      <guid isPermaLink="true">https://michaeleruiz.com/thinking/the-false-promise-of-it-security-in-ot-environments</guid>
      <pubDate>Mon, 06 Jan 2025 00:00:00 GMT</pubDate>
      <description>The assumption that OT security is just IT security in a different building is not only wrong — it is dangerous. Applying IT controls to OT environments does not reduce risk. It introduces a new category of it.</description>
      <author>Michael E. Ruiz</author>
    </item>
  </channel>
</rss>