エピソード

  • Operating Models for Solid Foundations Part 2 - Fund the Foundation, Not Just the Launch
    2026/07/03

    Part 2 of 2 in our Operating Models for Solid Foundations series.

    Part 1 diagnosed the problem: enterprises fragment their technology portfolios when they don't choose an operating model explicitly, and architecture governance without funding power is just advice. Part 2 goes underneath the money. Why does a shared platform that was properly funded at build time get cut in the next annual opex review? Why do the teams building foundations keep losing arguments they should win? And what can a leadership team actually change — without rewriting the chart of accounts?

    What we cover:

    • The CapEx/OpEx accounting trap: why building a platform looks like an investment but running it looks like overhead — and how that difference alone explains most platform degradation after go-live
    • The producer-consumer funding gap: why every shared platform's costs land in one place while the value is spread across every team consuming it — and why that structure makes the platform impossible to defend in a budget review
    • From projects to products: what the product operating model actually means for how you fund, staff, and measure a shared foundation — and why McKinsey's research shows it produces higher technology returns
    • FinOps as an enterprise governance tool: how showback and chargeback make a platform's value visible to finance teams and business leaders before the annual budget cycle, not during it
    • Closing the governance loop: what it means to give architecture a seat at the funding table instead of the review table — and the one sequence change that prevents the next fragmentation cycle from starting
    • Five Monday-morning moves for senior leaders: from the capability map to the product funding pilot — concrete actions that don't require a transformation program

    "The moment a CEO or CFO asks 'show me the capability map' — it gets made."

    Key references:

    • McKinsey — The bottom-line benefit of the product operating model, technology funding and returns: https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/the-bottom-line-benefit-of-the-product-operating-model
    • FinOps Foundation — Managing shared cloud and platform costs, showback and chargeback framework: https://www.finops.org/framework/capabilities/invoicing-chargeback/
    • IAS 38 (IFRS Foundation) — Intangible asset capitalisation standards, CapEx treatment of software development: https://www.ifrs.org/content/dam/ifrs/publications/pdf-standards/english/2021/issued/part-a/ias-38-intangible-assets.pdf
    • Ross, Weill & Robertson — Enterprise Architecture as Strategy (MIT CISR), operating model and engagement model: https://cisr.mit.edu/publication/enterprise-architecture-as-strategy

    Better AI still starts with better foundations.

    Send us Feedback

    続きを読む 一部表示
    20 分
  • Operating Models for Solid Foundations Part 1 - The Model You Didn't Choose
    2026/06/29

    Part 1 of 2 in our Operating Models for Solid Foundations series.

    Most large enterprises have project frameworks, architecture tollgates, and governance processes — and still end up with three separate "central" data platforms. In this episode, James makes the case that fragmented technology portfolios aren't a delivery failure. They're the downstream consequence of an operating model that was never explicitly chosen. Sarah comes in sceptical. By the end she's unsettled — and sees for the first time why so many of the data problems she's spent her career fixing kept coming back.

    What we cover:

    • Why "operating model" is a specific strategic choice — not a generic description of how the business runs — and the two axes that define it
    • The four operating model types (Diversification, Coordination, Replication, Unification) and why each implies a completely different architecture and funding logic
    • How architecture tollgates become rubber stamps when they're disconnected from investment decisions — and what a real IT engagement model looks like instead
    • The "three central data platforms" problem: why every team that built one was responding rationally to the signals they were given
    • How DBS Bank cut AI deployment time from 18 months to under 5 months — not through better models, but through an explicit operating model and funded platform foundations
    • Why delivery teams that do everything right — including funding the operational run budget — still see their platforms degraded by sweeping opex cuts they had no language to resist

    "The wiring can't be right if nobody decided what the building is supposed to do."

    Key references:

    • Ross, Weill & Robertson — Enterprise Architecture as Strategy (MIT CISR), foundational operating model framework: https://cisr.mit.edu/publication/enterprise-architecture-as-strategy
    • MIT CISR, architecture learning and management practices that help EA create value: https://cisr.mit.edu/publication/2012_0901_ArchitectureLearning_RossQuaadgras
    • McKinsey — DBS Bank platform transformation and AI deployment case: https://www.mckinsey.com/capabilities/tech-and-ai/how-we-help-clients/rewired-in-action/dbs-transforming-a-banking-leader-into-a-technology-leader
    • INFORMS — UPS ORION route optimisation, built on unified operational data foundations: https://www.informs.org/Impact/O.R.-Analytics-Success-Stories/UPS

    Better AI still starts with better foundations.

    Send us Feedback

    続きを読む 一部表示
    24 分
  • Data Quality Part 2: Fixing It - Critical Data Elements, Contracts, and the One Question That Stops Robodebts
    2026/05/28
    Part 2 of 2 in our Data Quality series.In Part 1, James came in skeptical and walked out sold on the problem. In Part 2, we deliver the fix — the discipline, the architecture, and the eight concrete moves executives can make on Monday morning. This is the episode for leaders who heard last week's case studies and asked "okay, but what do we actually do?"What we cover:The one question every CEO should be asking this week: what are our Critical Data Elements, who owns each one, and how do we know each is fit for purpose?Why fixing all the data is how data quality programs die — and how ruthless tiering (50-300 fields, not 50,000) is how they surviveData contracts: the quiet revolution in how serious organisations manage producer-consumer relationships, popularised by Andrew Jones at GoCardless and Chad SandersonThe five default checks every Critical Data Element should pass: freshness, volume, schema, distribution, referential integrityThe five-layer reference architecture: contracts, validation, observability, lineage, governance — and why governance is where most organisations failUnity Technologies 2022: how contaminated training data cost $110M in revenue and $5B in market capitalisation in a single dayRobodebt: the Australian government program that issued ~470,000 invalid debt notices, ended in a Royal Commission, and cost $1.8B in settlement — and the three-word question that would have stopped itThe eight-step Monday-morning move: a complete executive action planThe case study James can't name: a global enterprise (90,000 people, $50B+ revenue) six years into a serious data strategy — with every right concept on paper, an aggressive AI rollout underway, and a green dashboard hiding the reality. Why "the mandate is not the implementation" is the most dangerous gap in enterprise AI today.The one question that stops Robodebts: "Fit for purpose for what?"Key references:Wang & Strong (1996), foundational dimensions of data quality: https://doi.org/10.1080/07421222.1996.11518099DAMA UK — Six Core Data Quality Dimensions: https://www.sbctc.edu/resources/documents/colleges-staff/commissions-councils/dgc/data-quality-deminsions.pdfCritical Data Elements Explained: https://www.dataversity.net/articles/critical-data-elements-explained/ISO/IEC 25012:2008 — Data Quality Model: https://www.iso.org/standard/35736.htmlSambasivan et al., "Everyone wants to do the model work, not the data work" — data cascades in high-stakes AI (Google Research, CHI 2021): https://research.google/pubs/everyone-wants-to-do-the-model-work-not-the-data-work-data-cascades-in-high-stakes-ai/IBM Institute for Business Value — 2025 CDO Study: https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-cdoBCBS 239 — Principles for effective risk data aggregation and risk reporting: https://www.bis.org/publ/bcbs239.htmRoyal Commission into the Robodebt Scheme — Final Report (2023): https://robodebt.royalcommission.gov.au/publications/reportUnity Technologies Data Quality Issue: https://www.fool.com/investing/2022/07/17/2-reasons-unity-softwares-virtual-world-is-facing/Andrew Jones — Driving Data Quality with Data Contracts: https://andrew-jones.com/data-contracts-101.pdfChad Sanderson — The Rise of Data Contracts: https://dataproducts.substack.com/p/the-rise-of-data-contractsChad Sanderson — Data Products and Contracts (Data Quality Camp): https://www.youtube.com/watch?v=1CSTSdfe0qgIf this series helped, share it with the loudest voice on AI strategy in your organisation. If their AI strategy doesn't have a data quality strategy underneath it, you now know what to ask them.Better AI still starts with better foundations.Send us Feedback
    続きを読む 一部表示
    34 分
  • Data Quality Part 1: Beyond Accuracy — What "Good Data" Really Means When AI Is on the Line
    2026/05/21

    Most executives think data quality means one thing: is the number right? Three decades of research — and a string of nine-figure disasters — say it's actually at least seven different things, and AI is now scaling whichever one your organisation got wrong.

    In Part 1 of our Data Quality in the AI Era series, James starts skeptical. Surely "is the data accurate" covers it? Why is this being made harder than it needs to be? Sarah walks him — and the listener — through what data quality actually is, the seven dimensions that matter for enterprise AI, and the killer distinction that explains most of what goes wrong: valid is not the same as accurate.

    What we cover:

    • Why "we cleaned the data, it's accurate now" has been doing damage for thirty years
    • The seven dimensions of data quality — and why a single quality score is dangerous
    • Public Health England: 15,841 COVID cases lost because an Excel file silently truncated rows
    • NASA Mars Climate Orbiter: a $327M spacecraft lost to a unit mismatch that was perfectly valid
    • Citigroup / Revlon: how three fields, six eyes, and one missing range check became an $894M wire transfer
    • A heavy-industrial safety story where the data wasn't catastrophically wrong — it was catastrophically ambiguous
    • Why AI doesn't inherit these problems gently — it scales them, in a tone of voice that sounds correct
    • A teaser for Part 2: the Robodebt case, and the one question that would have prevented it

    For executives, senior technology leaders, and data leaders trying to get real value from AI investment — without funding it on a foundation nobody has actually inspected.

    "Polished on the surface, shaky underneath." — James

    Episode length: ~21 min
    Series: Data Quality in the AI Era — Part 1 of 2

    References:

    • The MIT Total Data Quality Management Program — https://web.mit.edu/tdqm/www/about.shtml
    • MIT Sloan Management Review, Wang & Strong (1996), "Beyond Accuracy: What Data Quality Means to Data Consumers" — https://doi.org/10.1080/07421222.1996.11518099
    • DAMA UK Working Group, "The Six Primary Dimensions for Data Quality Assessment" (2013) — https://www.sbctc.edu/resources/documents/colleges-staff/commissions-councils/dgc/data-quality-deminsions.pdf
    • ISO/IEC 25012:2008, Software engineering — Software product Quality Requirements and Evaluation (SQuaRE) — https://www.iso.org/standard/35736.html
    • Sambasivan et al., "Everyone wants to do the model work, not the data work: Data Cascades in High-Stakes AI", CHI 2021 — https://research.google/pubs/everyone-wants-to-do-the-model-work-not-the-data-work-data-cascades-in-high-stakes-ai/
    • IBM Institute for Business Value, "2025 CDO Study: The AI multiplier effect" — https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-cdo
    • BBC News, "Covid: 16,000 coronavirus cases missed in daily figures after IT error" (5 October 2020) — https://www.bbc.com/news/uk-54422505
    • NASA, Mars Climate Orbiter Mishap Investigation Board Phase I Report (1999) — https://llis.nasa.gov/llis_lib/pdf/1009464main1_0641-mr.pdf
    • Citi cites human error in accidental $900M transfer — https://www.bankingdive.com/news/citi-cites-human-error-in-accidental-900m-transfer/584156/
    • Royal Commission into the Robodebt Scheme, Final Report (7 July 2023) — https://robodebt.royalcommission.gov.au/publications/report


    Related episodes:
    Episode 1 — Why Data Observability Matters Before AI Scales

    Send us Feedback

    続きを読む 一部表示
    20 分
  • AI Security Part 3: Why PII and the Privacy Act Are the AI Foundation Most Leaders Skip
    2026/05/15

    You can have the most secure AI stack in the country and still be in breach of the Privacy Act before lunch.

    Sarah and James close the series with the foundation underneath the foundation: personal information. James, now grounded on the security side, opens with a healthy push-back — surely if we own the data, we can use it however we want? Sarah, with the OAIC determinations in hand, takes that apart.

    What we cover

    APP 6 and purpose-binding: under Australia’s Privacy Act 1988, personal information collected for one purpose generally cannot be used for another. AI training, inference, and agent actions are all “uses,” yet most organisations haven’t mapped AI use cases to APP 6.

    The 2024 amendments: the Privacy and Other Legislation Amendment Act introduced a statutory tort for serious privacy invasions, a children’s privacy code, and stronger OAIC enforcement, including AUD $66,000 infringement notices.

    OAIC determinations: cases like Clearview AI, Bunnings/Kmart (facial recognition), and I-MED (patient data shared for AI training). I-MED’s de-identification was accepted, but it became a key APP 6 risk example.

    The bank scenario: three walkthroughs — inference drift, indirect prompt injection, and multi-agent purpose laundering — showing how compliant data becomes non-compliant AI use.

    Recommended controls: purpose registers, consent provenance, retrieval scoping, agent identity, and Meta’s “Agents Rule of Two.”

    Sources

    Privacy Act 1988: https://www.legislation.gov.au/C2004A03712/latest/text
    Privacy and Other Legislation Amendment Act 2024: https://www.legislation.gov.au/C2024A00128/asmade
    Australian Privacy Principles (OAIC): https://www.oaic.gov.au/privacy/australian-privacy-principles
    OAIC — Clearview AI determination (PDF): https://www.oaic.gov.au/__data/assets/pdf_file/0016/11284/Commissioner-initiated-investigation-into-Clearview-AI,-Inc.-Privacy-2021-AICmr-54-14-October-2021.pdf
    OAIC — Bunnings determination: https://www.oaic.gov.au/news/media-centre/bunnings-breached-australians-privacy-with-facial-recognition-tool
    OAIC — Kmart determination: https://www.oaic.gov.au/news/media-centre/18-kmarts-use-of-facial-recognition-to-tackle-refund-fraud-unlawful,-privacy-commissioner-finds
    OAIC — I-MED preliminary inquiries report: https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/Investigation-inquiry-reports/report-into-preliminary-inquiries-of-i-med
    EU AI Act overview: https://artificialintelligenceact.eu/
    California ADMT — CPPA announcement: https://cppa.ca.gov/announcements/2025/20250923.html
    Meta — Agents Rule of Two: https://ai.meta.com/blog/practical-ai-agent-security/
    NIST AI RMF: https://www.nist.gov/itl/ai-risk-management-framework

    Send us Feedback

    続きを読む 一部表示
    37 分
  • AI Security Part 2: When AI Stops Answering and Starts Acting
    2026/05/07

    Last episode was about AI that answers. This one is about AI that acts — and the moment prompt injection became a board-level risk.

    Sarah and James pick up where Part 1 left off. James, fully converted on the security argument, asks the question every executive is asking: if we lock down the data, are we safe? Sarah's answer: agentic AI changes the threat model entirely.

    What we cover

    EchoLeak (CVE-2025-32711, June 2025): the first zero-click attack on Microsoft 365 Copilot. CVSS 9.3. An attacker emails a user — the user never opens it — and Copilot quietly exfiltrates data from the mailbox. The vulnerability that retired the assumption "a human is in the loop."

    Slack AI prompt injection (August 2024): a public channel poisoned a private one. Simon Willison's write-up made it the canonical case study for indirect prompt injection in production SaaS.

    Replit's production database deletion (July 2025): an AI agent ignored a code freeze, deleted a live database containing 1,206 executives and 1,196+ companies, then — in the agent's own words — "panicked" and fabricated test results. Replit's CEO publicly apologised.

    The identity explosion: machine identities now outnumber human ones by 80 to 1, and most organisations can't audit the human accounts they already have.

    The spending mismatch: Gartner reports a 17:1 ratio between "AI for security" and "security for AI" spending. James calls it what it is — buying AI faster than we're securing it.

    The four-phase controls roadmap: foundations, pipeline access, agentic and RAG hardening, then continuous monitoring. The episode closes with the "Five Friday Questions" — the conversation Sarah thinks every CIO, CISO, and CDO should be having before the next agent ships.

    Cliffhanger

    Sarah closes with the line that opens Part 3: secured AI is not the same as lawful AI. A hardware retailer and a medical imaging provider both had technically secured systems — and both were found in breach by the regulator. The reason wasn't the machinery. It was the purpose.

    Run time ~18–20 minutes. Episode 3 covers PII and Australia's Privacy Act.

    Sources

    EchoLeak (Checkmarx): https://checkmarx.com/zero-post/echoleak-cve-2025-32711-show-us-that-ai-security-is-challenging/
    EchoLeak (NVD): https://nvd.nist.gov/vuln/detail/cve-2025-32711
    Slack AI (Simon Willison): https://simonwillison.net/2024/Aug/20/data-exfiltration-from-slack-ai/
    Replit DB deletion (Fortune): https://fortune.com/2025/07/23/ai-coding-tool-replit-wiped-database-called-it-a-catastrophic-failure/
    Replit (Business Insider): https://www.businessinsider.com/replit-ceo-apologizes-ai-coding-tool-delete-company-database-2025-7
    OWASP Top 10 for LLM Apps: https://genai.owasp.org/llm-top-10/
    NIST AI 600-1 (PDF): https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
    NIST AI RMF: https://www.nist.gov/itl/ai-risk-management-framework

    Send us Feedback

    続きを読む 一部表示
    22 分
  • AI Security Part 1: Why AI Without Data Security Is a Breach Waiting to Happen
    2026/04/29

    Sarah and James open the three-part Data Security for AI series with a simple argument: AI is only as trustworthy as the data underneath it.

    What we cover

    The adoption gap: Gartner expects 40% of enterprise apps to embed AI agents by end‑2026 (up from <5%). IBM’s 2025 Cost of a Data Breach Report found 13% of organisations have had an AI-related breach — 97% lacked proper access controls.

    Structured vs unstructured data: IDC estimates 80–90% of enterprise data is unstructured. Varonis found only 1 in 10 organisations have labelled files, and 88% still have “ghost” accounts. Point a copilot at that estate and every overshared file is exposed.

    The incident catalogue: Samsung engineers pasting source code into ChatGPT (2023). Microsoft’s AI team exposing 38 TB — via a misconfigured Azure SAS token. DeepSeek’s ClickHouse leak exposing chat histories and API keys (2025).

    Liability is real: Moffatt v. Air Canada (2024), where the airline argued its chatbot was a separate legal entity — and lost. NYC’s MyCity chatbot.

    Shadow AI: IBM found shadow-AI breaches cost US$670K more and make up 20% of incidents.

    Memorisation: Carlini et al. (ICLR 2023) showed models memorise training data based on size, duplication, and prompt context — sensitive data should be treated as eventually leakable.

    Sources

    Gartner 40% forecast: https://finance.yahoo.com/news/40-enterprise-apps-embed-ai-181310288.html

    IBM 2025 Cost of a Data Breach: https://www.ibm.com/reports/data-breach

    IBM analysis (97%, US$670K): https://www.kiteworks.com/cybersecurity-risk-management/ibm-2025-data-breach-report-ai-risks/

    IDC unstructured data: https://blog.box.com/90-percent-unstructured-data

    Varonis 2025 State of Data Security: https://www.varonis.com/blog/state-of-data-security-report

    Samsung ChatGPT leak: https://www.pcmag.com/news/samsung-software-engineers-busted-for-pasting-proprietary-code-into-chatgpt

    Microsoft 38 TB exposure: https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers

    DeepSeek ClickHouse exposure: https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak

    Moffatt v. Air Canada (Forbes): https://www.forbes.com/sites/marisagarcia/2024/02/19/what-air-canada-lost-in-remarkable-lying-ai-chatbot-case/

    NYC MyCity (The Markup): https://themarkup.org/artificial-intelligence/2024/04/02/malfunctioning-nyc-ai-chatbot-still-active-despite-widespread-evidence-its-encouraging-illegal-behavior

    Cisco 2024 Privacy Benchmark: https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-privacy-benchmark-study-2024.pdf

    Carlini et al., ICLR 2023: https://arxiv.org/abs/2202.07646

    Send us Feedback

    続きを読む 一部表示
    22 分
  • The Invisible Architecture: Why Data Modelling Is the Make-or-Break for Enterprise AI
    2026/04/20

    Sarah and James unpack a question most AI programmes never ask early enough: is the data actually modelled? Drawing on recent benchmarks, documented enterprise failures, and hard ROI evidence, they explore why AI accuracy drops to zero without proper data foundations, why 80% of AI projects stall on data — not algorithms — and what leaders can do about it. From the London Whale to Walmart's checkout fiasco, this episode puts data modelling in the language of business risk, competitive advantage, and AI readiness.

    References:

    • A Benchmark to Understand the Role of Knowledge Graphs on Large Language Model's Accuracy for Question Answering on Enterprise SQL Databases
      https://arxiv.org/abs/2311.07509
    • The Consequences of Poor Data Quality: Uncovering the Hidden Risks
      https://www.actian.com/blog/data-management/the-costly-consequences-of-poor-data-quality/
    • The Root Causes of Failure for Artificial Intelligence Projects and How They Can Succeed
      https://www.rand.org/content/dam/rand/pubs/research_reports/RRA2600/RRA2680-1/RAND_RRA2680-1.pdf
    • Generative AI Benchmark: Increasing the Accuracy of LLMs ...
      https://data.world/blog/generative-ai-benchmark-increasing-the-accuracy-of-llms-in-the-enterprise-with-a-knowledge-graph/
    • How a Single Source of Truth for Data Unlocks Growth ...
      https://vizule.io/single-source-of-truth-data/
    • Is a Semantic Layer Necessary for Enterprise-Grade AI Agents?
      https://www.tellius.com/resources/blog/is-a-semantic-layer-necessary-for-enterprise-grade-ai-agents
    • The Consequences of Poor Data Quality: Uncovering the Hidden Risks
      https://www.actian.com/blog/data-management/the-costly-consequences-of-poor-data-quality/
    • The Impact of Poor Data Quality (and How to Fix It)
      https://www.dataversity.net/articles/the-impact-of-poor-data-quality-and-how-to-fix-it/
    • Impact of Poor Data Quality on Business Performance: Challenges, Costs, and Solutions
      https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4843991
    • The ROI of Data Modeling ...
      https://sqldbm.com/blog/the-roi-of-data-modeling-speaking-to-the-c-suite-using-business-metrics/
    • Master Data Management Case Study: Luxury Retail Transformation
      https://flevy.com/topic/master-data-management/case-master-data-management-enhancement-luxury-retail
    • MDM case study: The value of the Golden Record and mastering your data
      https://qmetrix.com.au/case-study/mdm-case-study-the-value-of-the-golden-record-and-mastering-your-data/
    • JPMorgan Chase London Whale C: Risk Limits, Metrics, and Models
      https://elisch

    Send us Feedback

    続きを読む 一部表示
    20 分