Cherry Bekaert: Risk & Cybersecurity

The episode is dense with framework references but mostly explains what each standard does rather than offering non-obvious operator insights; useful nuggets like control harmonization, tokenization, and OWASP for LLMs surface but are surrounded by descriptive padding.

“there's been a huge push kind of in the industry in the risk space for kind of control harmonization”

“the OWASP Top 10 for LLMs is another great way to kind of dovetail into your overall AI risk assessment”

Largely recycled compliance-framework descriptions and standard talking points about SOC 2 flexibility and AI governance; little contrarian or first-principles thinking beyond conventional consulting positioning.

“SOC 2 is really, really flexible”

“ISO 42001 is really the standard that's looking to govern AI responsibility across its lifecycle”

Guests are a cybersecurity partner and senior managers at relevant compliance consultancies who clearly know the frameworks, but they are advisors rather than operators who built AI systems at scale.

“Steve Ursillo, a partner in our cybersecurity practice”

“Morgan Haag, a senior manager at Meditology Services”

Strong on naming concrete frameworks and tools (ISO 42001, NIST AI RMF, OWASP, HITRUST, HICP 405, Drata, Vanta) but almost devoid of hard numbers, dollar figures, or named company case studies.

“toolkits like Drata and Vanta”

“HICP 405 is kind of a rule set that's being considered”

The host asks clean, teed-up questions but offers no follow-up challenge or pushback; it functions as a structured firm walkthrough rather than a probing conversation.

“So Steve, how can SOC 2 reporting give confidence in AI systems”

“Morgan, how can organizations adopt SOC 2 controls to address these risks?”