Insight

Insight from the people who wrote the policy.

Commentary from our cryptographic and AI governance practitioners on the regulatory, sovereignty, and supply chain conditions shaping critical industries. Organised by theme, not by date.

Themes

Five areas we write in.

Supply chain integrity

Multi-supplier code environments, bespoke signing architecture, the economics of trust at scale.

→

“When we add a new supplier, what does it actually take to bring their signing into our governance?”

A client asked us this recently: “When we add a new supplier, what does it actually take to bring their signing into our governance?”

Commentary · KT Secure · May 2026

Cryptographic sovereignty

Key custody, jurisdiction, hyperscaler risk. Why the sovereignty conversation is no longer optional.

→

AI governance

ISO/IEC 42001, the EU AI Act, board-level AI risk posture, agent identity frameworks.

→

Post-quantum readiness

Hybrid cryptographic migration, NIST and ETSI guidance, board-defensible timelines.

→

Regulatory landscape

NIS2, Cyber Resilience Act, UNECE WP.29, ISO/SAE 21434. What auditors are actually looking for.

→

NIS2, CRA, and ISO/SAE 21434 compliance: the cryptographic inventory gap

Organisations working through NIS2, CRA, or ISO/SAE 21434 have, in many cases, invested significantly in compliance documentation: gap analyses, scope assessments, control matrices with named owners. The documentation is often technically competent. What is frequently absent is the cryptographic inventory that gives the documentation operational substance.

Commentary · KT Secure · June 2026

The evidence architecture gap in NIS2 cryptographic compliance

NIS2 Article 21 now draws a clear line between signing capability and signing evidence. Most organisations have the first. Almost none have the second. This is the gap.

Commentary · KT Secure · May 2026

"We use an HSM" and that's where most signing security stops

We use an HSM" is the answer we hear most often when we ask an OEM's security team how they protect their signing keys. It is meant to close the question. In our experience, it opens a longer one.

Commentary · Sameen Ahmed · May 2026

Why NIS2 makes the hyperscaler question board-level

The sovereignty conversation was a technical preference. NIS2 has made it a fiduciary obligation. A short note on what changed.

Analysis · Principal, Cryptography · March 2026

Featured

Current position piece.

Supply chain integrity

From vehicle to enterprise. One signing architecture.

Inside the model: how one bespoke signing service absorbed the enterprise cryptographic domain under the same governance framework built for the vehicle side. One team. One policy. One sovereign estate. The pattern we now bring to every new engagement.

Case study 01 · Principal, Cryptography · April 2026

Read the piece →

Editorial illustration

Let's talk

Have a specific question?

Brief our team →

Insight from the people who wrote the policy.

Five areas we write in.

Supply chain integrity

“When we add a new supplier, what does it actually take to bring their signing into our governance?”

Cryptographic sovereignty

AI governance

Post-quantum readiness

Regulatory landscape

NIS2, CRA, and ISO/SAE 21434 compliance: the cryptographic inventory gap

The evidence architecture gap in NIS2 cryptographic compliance

"We use an HSM" and that's where most signing security stops

Why NIS2 makes the hyperscaler question board-level

Current position piece.

From vehicle to enterprise. One signing architecture.

Get our quarterly insight briefing.

Have a specific question?