A unified C-suite solution that "proactively" creates a legal defense before a data breach or event occurs, alerting executives to their legal obligations by role, then guiding them to meet those expectations, so that there are no governance failures and no negligence—just reasonable care across privacy, cybersecurity, and AI.
Leadership, advisors, and experts with more than 165 years of combined cyber, risk, and governance experience.
Defensible Governance™ is the first platform built specifically to protect executives from personal and criminal liability, and their companies from massive fine settlements. We bridge the gap between traditional GRC (which proves activity) and what courts actually evaluate (proof of reasonable judgment).
Founded by regulatory experts, security and privacy practitioners who've lived through breaches, investigations, and case law, we understand that compliance keeps you certified—but defensibility keeps you standing. Our team combines deep legal expertise in privacy, data protection and AI, with Cyber Security, Risk Management and Governance experience, to guide the C-Suite and Boards in meeting their 'governance' obligations and the legal standard of "reasonable care."
John is the creator of Defensibility.ai and Defensible Governance™ (the framework, GenAI platform, and managed legal service) that helps executives and boards meet their legal obligations and prove reasonable care. He brings 35 years of success in enterprise software, and 21 in cyber security, digital risk and governance, with a focus on bridging law and technology for accountable leadership. He has been an early member of seven Cyber Security and Risk Management start-ups that had successful exits.
Maverick James, also known as The Data Lawyer on social media, is an attorney and expert on digital governance including privacy, security, and AI. He leads the Avant-Garde Legal partnership for Defensible Governance™ managed services, and validates the legal logic and workflow of the product. He advises emerging technology companies, enterprise compliance teams, and global organizations on data protection, AI governance, cyber risk, and defensible operations. He is a Certified Information Privacy Professional/US (CIPP/US), Certified Information Privacy Manager (CIPM), and Fellow of Information Privacy (FIP). Maverick has been invited to speak on data governance, algorithmic accountability, and AI policy by leading industry organizations, and he authors widely shared educational content for legal, security, and technology professionals.
Ace brings 11 years of hands-on CISO experience spanning risk management, security architecture, compliance, and incident response. He has led the design and implementation of cybersecurity programs for organizations ranging from high-growth startups to regulated enterprises. Ace oversees the CISO practice, provides strategic advisory services, guides clients through onboarding, and helps align security initiatives with defensibility goals.
"Too many CISOs believe compliance shields them. Prosecutors test reasonableness. Defensible Governance™ is the body armor."
Rich was a customer of our founder 16 years ago, and has been instrumental in the creation of Defensibility.ai. Previously CISO and CSO across Honeywell divisions, he led Honeywell Global Security to a #1 industry ranking. Rich is a board-room translator and scale operator who has built and led top-ranked global security organizations. Today he advises Fortune 500s and critical-infrastructure companies as President & CSO of Critical Infrastructure, LLC, and partners with innovators across supply-chain, identity, OT/IoT, and enterprise browser security. He is a Council member with George Mason University Law's National Security Institute Cyber & Tech Center, an advisor to companies including Island (Enterprise Browser), AirEye, AlertEnterprise, TrustMAPP, Ordr, and others, and a member of SVCI (Silicon Valley CISO Investments); his alumnus background includes AT&T, Bell Labs (Lucent), and executive development programs.
"Executive decisions face scrutiny even when made responsibly. This helps leaders show the reasonableness before hindsight."
Tim is the CISO of SolarWinds and a former Dell Fellow and Distinguished Engineer, with 30+ years designing and scaling identity, cloud, and security platforms. He has testified before Congress, keynoted global security events, and holds 15 issued patents.
EU AI Act Trainer, ISO/IEC 42001 Implementer, CEN/CENELEC AI Standards Contributor, AI Governance Consultant with more than 10 years leading EU data-protection and AI-risk initiatives.
John brings a wealth of experience with over 25 years in Cyber Security and six security patents. He currently leads security pre-sales for Strategic Accounts at Zoom. He was a customer of our founder, 18 years ago.
Executives now face personal and criminal liability under global regulations. We close the Defensibility Gap — the space between passing audits and surviving prosecution.
Protect leadership from personal exposure under SEC, FTC, NIS2, and AI Acts.
Unify GDPR, DORA, EU AI Act, CCPA, and more into a single defensibility-ready governance view.
Negligence — not breaches — caused record penalties between 2021 and 2024. We create the evidence that prevents them.
Traditional GRC tracks tasks and risk appetite but offers no defense in regulatory or legal forums.
Your GRC proves activity. Defensibility.ai proves judgment.
| Dimension | GRC Tools | Legal Defensibility Layer |
|---|---|---|
| Primary Buyer | Risk / IT / Compliance | CEO / CISO / GC / Board |
| Standard Applied | Frameworks (NIST, ISO) | Legal reasonableness (case law, statutes) |
| Question Answered | "Did we comply?" | "Can we prove judgment was sound?" |
| Evidence Created | Control activity logs | Decision rationale, alternatives, board approvals |
| Outcome Optimized For | Certification | Liability reduction |
| Risk Type Addressed | Operational risk | Personal & corporate legal exposure |
Defensibility.ai integrates with and augments ServiceNow GRC and other platforms—we don't replace them, we make their data meaningful in investigations and courts.
Over $15B in enforcement penalties since 2021 share two findings: negligence and governance failure. These penalties didn't hinge on whether companies checked compliance boxes—they hinged on whether leadership could justify their decisions.
| Most companies have: | But don't have: |
|---|---|
| ✅ Controls | ❌ Documented alternatives |
| ✅ Compliance | ❌ Board-approved residual risk |
| ✅ Certification | ❌ Justification for acceptable harm |
| | ❌ Contemporaneous reasoning |
| | ❌ Litigation-ready evidence |
Six months after a data breach exposed 47 million customer records, a Fortune 500 CISO sat in a federal investigation room. She'd done everything by the book—SOC 2 Type II certified, ISO 27001 compliant, quarterly board reports, $60 million security budget. Her GRC platform had every control documented.
Then the investigator asked a simple question:
"Walk me through how your CEO and board decided that six months was an acceptable delay for deploying multi-factor authentication. What alternatives did you present? What was the documented rationale for accepting that level of customer risk?"
Silence.
She had spreadsheets showing MFA was on the roadmap. Meeting notes saying "security is a priority." Emails discussing budget. Her GRC tool showed she'd identified the vulnerability and assigned it a "High" risk rating.
But she had no document explaining why six months was reasonable. No analysis of alternatives. No record of the board approving that specific level of customer exposure. No evidence that leadership had weighed harm to customers against implementation costs.
The investigator continued: "So you identified a critical vulnerability, knew it put millions of customers at risk, had the budget to fix it—and chose to wait. Help me understand how that decision reflected reasonable care."
The CISO couldn't answer. Not because she was negligent—but because no tool in her arsenal captured the decision logic that courts now require.
The Result:
She had controls. She had compliance. She had certification.
She didn't have defensibility.
And no tool on the market could have given it to her.
Your Exposure Now Includes:
Executives at Risk:
When you follow due care principles and meet your legal obligations, fines are reduced or eliminated entirely.
Fine reduced 81%
ICO initially proposed £99M fine. Reduced to £18.4M—an 81% reduction.
Why? Marriott produced DPIAs, board minutes showing oversight, and alternatives-analysis documentation. Regulator acknowledged: "They took reasonable steps."
Found NOT negligent
Sued for negligence after ransomware attack. Pennsylvania court found NO negligence.
Why? UPMC demonstrated reasonable cost-benefit decisions. They proved leadership performed risk assessments, documented resource allocation decisions, and made proportionate trade-offs before the attack.
Defensible Governance™ creates this evidence automatically.
How Defensible Governance™ protects your specific executive responsibility
The gap isn't a failure of execution. It's a failure of category definition. Every enterprise tool fails to answer the questions courts now ask.
ServiceNow, OneTrust, LogicGate, Archer
What they do exceptionally well:
What they were never designed to do:
Why the gap exists: GRC tools were built for operational teams to answer "Did we implement controls?" Courts now ask: "Why was your judgment reasonable?"
We don't replace your GRC. Defensibility.ai integrates with and augments ServiceNow GRC to make its data meaningful in investigations and courts.
What they do exceptionally well:
What they can't systematize:
Why the gap exists: Legal provides expertise and counsel, but can't be in every room where decisions happen. Post-incident reconstruction of intent rarely survives scrutiny.
SIEMs, DLP, Privacy Tech
What they do exceptionally well:
What they don't capture:
Why the gap exists: Security tools prevent harm. Courts judge judgment. Different objectives, different tools.
This isn't a feature add—it's a different product for a different job.
Defensible Governance™ is a native GenAI platform and framework that operationalizes "reasonable care" across privacy, AI, and cybersecurity programs — serving as a Unified Legal Defensibility Layer above your existing systems.
We've engineered a comprehensive framework that:
• Unifies all global, federal, and state impact and risk assessments into a single system
• Cross-walks assessments to standards and frameworks (ISO 27001/31000/42001, NIST AI RMF, CMMC)
• Maps specific regulatory obligations to individual executive roles (CEO, CISO, CFO, GC, CPO, CRO)
• Provides a controls library with documented alternatives for every safeguard
• Triggers alternative safeguard review and cost-benefit analysis when controls fall short
• Generates Board-level risk exposure reports and recommendations with full decision capture
• Creates a tracked Defensible Governance Plan with continuous progress monitoring
We operationalize the legal standard of "reasonable care" through role-based legal obligation mapping (GDPR, EU AI Act, NIS2, DORA, SEC Rules, EO 14117), the 8-Question Defensibility Test that courts use to evaluate executive decisions, CDAR™ (Calculated Definition of Acceptable Harm) methodology, and proportionality and alternatives analysis.
Built on this framework, our platform delivers five core services:
Provides an intake and the interfaces needed to perform all impact and risk assessments required by law.
Creates a Calculated Definition of what is Acceptable Risk to impose on customers, partners and citizens.
Formalizes risk tolerance in measurable terms, records alternatives considered, documents reasoning, and connects decisions to Board approval workflows — creating the backbone of executive defensibility.
Immutable
Time-sequenced, tamper-evident storage for risk assessments, DPIAs/AIAs, decisions, and approvals. Packages court-ready artifacts for regulators, AG inquiries, litigation defense, and insurance claims.
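The "time-sequenced, tamper-evident" property described above is, at its core, a hash chain: each stored artifact is hashed together with the hash of the artifact before it, so altering, deleting or reordering any record breaks every hash after it. The following is an added illustration of that mechanism, not Defensible Governance's or Defensibility.ai's own code; the `EvidenceLocker` class, its record fields and the sample artifacts (a risk assessment, a decision, a board approval) are constructed assumptions for the example.

```python
"""Toy tamper-evident, time-sequenced evidence log built as a SHA-256 hash chain.

Added example, not the product's implementation. Class names, fields and the
sample artifacts below are constructed for illustration only.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Callable, List, Optional

GENESIS = "0" * 64  # previous-hash value for the very first record


def _canonical(payload: dict) -> str:
    # Deterministic serialization so identical content always hashes identically
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


@dataclass(frozen=True)
class EvidenceRecord:
    seq: int          # monotonically increasing position in the chain
    recorded_at: str  # ISO-8601 UTC timestamp assigned when the record is appended
    kind: str         # e.g. "risk_assessment", "decision", "board_approval"
    body: dict        # the artifact itself
    prev_hash: str    # hash of the preceding record (GENESIS for seq 0)
    hash: str         # SHA-256 over all of the fields above

    @staticmethod
    def compute_hash(seq: int, recorded_at: str, kind: str, body: dict, prev_hash: str) -> str:
        material = _canonical({"seq": seq, "recorded_at": recorded_at, "kind": kind,
                               "body": body, "prev_hash": prev_hash})
        return hashlib.sha256(material.encode("utf-8")).hexdigest()


class EvidenceLocker:
    """Append-only store: records can be added, never edited or removed."""

    def __init__(self, clock: Optional[Callable[[], str]] = None):
        self._records: List[EvidenceRecord] = []
        # Injectable clock keeps the example deterministic; real use takes UTC now()
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def append(self, kind: str, body: dict) -> EvidenceRecord:
        seq = len(self._records)
        prev = self._records[-1].hash if self._records else GENESIS
        ts = self._clock()
        rec = EvidenceRecord(seq, ts, kind, body, prev,
                             EvidenceRecord.compute_hash(seq, ts, kind, body, prev))
        self._records.append(rec)
        return rec

    def records(self) -> List[EvidenceRecord]:
        return list(self._records)


def verify_chain(records: List[EvidenceRecord]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    A record is bad if its sequence number, its link to the previous hash, or
    its own hash over its content no longer match.
    """
    prev = GENESIS
    for i, r in enumerate(records):
        expected = EvidenceRecord.compute_hash(r.seq, r.recorded_at, r.kind, r.body, r.prev_hash)
        if r.seq != i or r.prev_hash != prev or r.hash != expected:
            return i
        prev = r.hash
    return None


def demo() -> dict:
    """Build a three-record chain from constructed sample artifacts and show
    that both content tampering and reordering are detected."""
    stamps = iter(["2024-01-10T09:00:00+00:00", "2024-01-17T14:30:00+00:00",
                   "2024-02-01T10:15:00+00:00"])  # constructed timestamps
    locker = EvidenceLocker(clock=lambda: next(stamps))
    locker.append("risk_assessment", {"control": "MFA", "rating": "High"})
    locker.append("decision", {"control": "MFA", "deploy_delay_months": 6,
                               "alternatives": ["phased rollout", "conditional access"]})
    locker.append("board_approval", {"residual_risk_accepted": True, "report": "quarterly"})
    recs = locker.records()

    # Content tampering: quietly rewrite the decision after the fact
    forged = list(recs)
    forged[1] = replace(forged[1], body={**forged[1].body, "deploy_delay_months": 1})

    # Reordering: swap the decision and the board approval
    reordered = [recs[0], recs[2], recs[1]]

    return {"intact": verify_chain(recs) is None,
            "tampered_at": verify_chain(forged),
            "reordered_at": verify_chain(reordered)}


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the hash must cover the append-time timestamp and the sequence number, not just the artifact body, or a record could be silently backdated or shuffled; and the locker alone only proves that a chain has not changed since it was anchored, so the latest hash should periodically be anchored somewhere outside the system (a signed log, a third-party timestamp) so that a regenerated chain cannot masquerade as the original.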
Tests your defensibility using regulator-style prompts like: "Show evidence you considered safer alternatives" or "Explain why this level of risk was acceptable." Generates exposure assessments, regulatory posture notes, and executive talking points.
Provides a Broad Risk Exposure & Recommendations report. Documents why decisions were made, what alternatives were considered, risk/harm balancing, burden/benefit analysis, and Board sign-off — turning ambiguous governance into legal-grade documentation.
Tracks role-specific obligations across jurisdictions, shows regulatory gaps requiring action, and displays personal liability posture for each C-Suite member.
Remember the eight questions courts ask? Here's what the platform produces for each:
1. "Was the harm foreseeable?"
→ Risk assessment dated 6 months before incident, flagged as "High," presented to CEO on [date]
2. "Did you consider harm to individuals, not just business?"
→ DPIA showing impact on 50,000 customers, privacy harm scored separately from financial impact
3. "What benefit did your organization gain?"
→ Business case document: $12M annual revenue from feature, documented in CDAR analysis
4. "Did affected parties benefit, or only you?"
→ Cost-benefit memo: customers gained 30-second faster checkout; company gained $12M—disproportionate, flagged for Board review
5. "What alternatives were available?"
→ Alternatives analysis: Option A (encryption), Option B (anonymization), Option C (synthetic data)—with cost/timeline/risk-reduction for each
6. "Would alternatives impose undue burden?"
→ Feasibility assessment: Option A = $2M + 4-month delay; Option C = technically infeasible given architecture
7. "How effectively would they reduce harm?"
→ Risk reduction matrix: Option A reduces breach impact by 85%; Option B by 60%
8. "Was this documented and approved before deployment?"
→ Board minutes (immutable, timestamped): "Board accepted residual risk of Option A implementation delay; CEO to report quarterly on progress"
Every question has an artifact. Every artifact is timestamped. Every decision is defensible.
Defensible Governance sits above GRC as the legal accountability layer. We don't replace your security tools or compliance systems—we convert their outputs into evidence of reasonable care that withstands judicial review.
From board decisions to stakeholder benefits — defensibility operationalized.
The compliance era is over. Between 2021 and 2024, the regulatory landscape fundamentally shifted — and executives are now in the crosshairs.
Over $15B in regulatory fines were levied between 2021 and 2024, all tied to negligence — not breaches.
Nearly all penalized organizations had active GRC programs. Controls existed, but decision defensibility didn't.
Courts found inadequate reasoning and evidence. The problem wasn't controls — it was decision defensibility.
From: "Did you comply?"
↓
To: "Can you prove your leadership took reasonable care?"
IT's Personal Now!
Why hasn't anyone built this before? Three forces had to align:
For decades, regulations were domain-specific checklists. GDPR (2018) broke that model with "proportionality" requirements and impact assessments. For the first time, compliance required proving your judgment was sound.
Then came the cascade:
The pattern: Law now requires evidence of reasonable judgment, not just control activity.
For years, corporate liability felt abstract. The company paid fines. Insurance covered settlements. Executives moved on.
That shield shattered:
The impact on executives:
Meanwhile, D&O insurance began excluding "gross negligence." The stakes became existential.
Two identical breaches. Two radically different outcomes:
Marriott (2022):
ICO initially proposed £99M fine. Reduced to £18.4M—an 81% reduction. Why? Marriott produced DPIAs, board minutes showing oversight, and alternatives-analysis documentation. Regulator acknowledged: "They took reasonable steps."
British Airways (2020):
Similar breach, initially fined £183M, reduced to £20M—still one of the largest GDPR penalties ever. BA couldn't demonstrate systematic risk assessment or documented trade-offs.
UPMC Health System (2021):
Sued for negligence after ransomware attack. Pennsylvania court found NO negligence—not because UPMC had perfect security, but because they proved leadership performed risk assessments, documented resource allocation decisions, and made proportionate trade-offs before the attack.
The lesson: Contemporaneous evidence of judgment changes outcomes.
The category couldn't exist until laws converged on "reasonable care," personal liability made it urgent, and evidence-based outcomes proved it was solvable.
That moment is now.
Regulators and courts now apply a three-part test to executive decisions:
Did leadership identify and evaluate potential risks before the incident?
Did the controls match the level of risk and potential harm?
Were safer alternatives considered, compared, and decisions approved by the Board?
Every major enforcement case since 2021 concluded: ✅ Companies complied, but ❌ Leaders could not justify their decisions
| Case | Outcome | Why It Matters |
|---|---|---|
| Marriott | Fine reduced 81% | Had DPIAs + board documentation |
| UPMC | Found NOT negligent | Demonstrated reasonable cost-benefit decisions |
| Uber CSO | Criminal conviction | Obstruction charges |
| SolarWinds | SEC fraud litigation | Ongoing prosecution |
| Drizly CEO | 20-year oversight mandate | Personal accountability precedent |
Defensible Governance™ is the first platform that captures this decision chain end-to-end.
Defensible Governance is already configured for the core regulations, standards, and frameworks most organizations need — adding others takes hours, not months.
ISO 27001 / 27701 / 42001 / 31000, NIST AI RMF, CIS, CMMC, DoCRA — all mapped.
FRIAs, ARIAs, DPIAs, LIAs — any assessment methodology you use.
GDPR, EU AI Act, DORA, SEC Cyber Rules, NIS2, CCPA, Executive Orders 14110 / 14117 and more.
It is now a legal expectation—not a best practice—that organizations perform, document, and retain certain assessments. If it isn't assessed, documented, and tied to decision rationale → it is presumed negligent.
| Assessment | Required By | Core Purpose |
|---|---|---|
| DPIA (Data Protection Impact Assessment) | GDPR, CPRA, LGPD | Identify + mitigate privacy + public harm |
| FRIA / AI Risk Assessment | EU AI Act, Canada AIDA | Evaluate AI harms, fairness, rights impact |
| Cyber Risk Assessment | NIS2, DORA, ISO 27001 | Identify cyber threats + resilience |
| CRIA (Children's Risk Impact Assessment) | CAADCA, UK OSA, COPPA | Prevent minors' digital harms |
| Data Transfer Risk Assessment | GDPR, EO 14117 | Evaluate cross-border data exposure |
| Vendor / Third-Party Assessment | DORA, GDPR, ISO 27036 | Evaluate vendor harms + dependencies |
| Defensibility Gap & Risk Assessment (DoCRA - Duty-of-Care Risk Analysis) | GDPR, EU AI Act, NIS2, DORA, SEC Cyber Rules, CCPA/CPRA, VCDPA, CPA, EO 14110/14117, ISO 27001/31000/42001, NIST AI RMF, Common Law Negligence Standards | Comprehensive governance assessment including: DoCRA framework, role-specific regulatory mapping, automated alternative safeguard review, cost-benefit analysis with 3-yr ROI, Board Risk Exposure & Recommendations report with CISO/GC/CRO input, and documented executive decisions/approvals. Establishes reasonable care standards and governance obligations required by laws mandating "proportionate," "appropriate," or "reasonable" measures. |
| CDAR™ (Calculated Definition of Acceptable Risk) | ISO 31000 / public-harm logic / Defensibility Framework | Document acceptable harm thresholds + rationale for risk tolerance decisions |
DG organizes each element automatically.
Our modular domain packs leverage shared core services (CDAR, Evidence Locker, Court-Mode) across:
ISO 27001 (Information Security), ISO 27701 (Privacy), ISO 42001 (AI Management), ISO 31000/31010 (Risk Management)
GDPR, CPRA/CCPA, VCDPA, CPA (Colorado), LGPD (Brazil), PIPEDA (Canada), APPI (Japan). Includes DPIAs, data minimization, processor controls, SAR workflows, ROPA.
EU DSA, UK Online Safety Act (OSA), CA AADC (CAADCA), Vermont VAADCA, COPPA, Florida DBOR, NY SAFE Act, Texas SCOPE Act, Tennessee HB1891
EU AI Act, Executive Orders 14110 & 14117, NIST AI RMF. Includes conformity assessments, explainability requirements, and human oversight documentation.
SEC Cyber Rules, NIS2, DORA (EU), SOX, AML/KYC, CFPB, Basel/Risk alignment
Healthcare (HIPAA/HITRUST), Energy/Critical Infrastructure, Education (FERPA), Telecommunications
Exploring the critical difference between passing audits and surviving prosecution. The Defensibility Gap exists because GRC proves controls exist, but Defensible Governance proves leadership was reasonable. Learn why DG doesn't replace GRC — it makes GRC matter in court.
How executives can protect themselves under emerging AI governance laws. From the EU AI Act to Executive Orders 14110 and 14117, understand the new accountability standards and how to document conformity, explainability, and human oversight.
The legal test following a breach asks specific questions about executive decision-making: Was harm foreseeable? Did leadership evaluate risk? Were safer alternatives considered? Was the decision proportional and documented? Did the Board approve? Defensible Governance is the first platform to capture this chain end-to-end.
Analyzing recent regulatory penalties and what they mean for governance. Between 2021 and 2024, courts found inadequate reasoning and evidence in cases resulting in $15B+ in fines. The problem wasn't controls — it was decision defensibility. Learn how to operationalize reasonable care and create a legal-defensibility layer.
Prefer to schedule directly? Use our Calendly link to find a time that works for you.
Executives don't become defensible by achieving perfection. They become defensible the moment they begin documenting reasonable care.
Assess + Orient + Prioritize
Establish Governance Cadence
Board Integration + Readiness
✅ Foreseeability
✅ Alternatives analysis
✅ Proportionality
✅ Role-based decisions
✅ Board approval
✅ Evidence chain
Everything a regulator asks about.
Everything you need to know about implementing Defensible Governance™
Defensible Governance™ doesn't replace your GRC — it makes your GRC matter in court.
Think of it this way: Your GRC platform proves controls exist. Defensible Governance proves your decisions were reasonable.
The Critical Difference:
Between 2021 and 2024, 95% of organizations penalized with $15B+ in fines had active GRC programs. They passed audits but failed prosecution because they couldn't prove their decision-making was reasonable.
Defensible Governance sits above your existing GRC, transforming operational documentation into court-ready evidence. It connects your risk decisions to the legal standards judges and regulators actually apply.
| Question | GRC | DG |
|---|---|---|
| Did you have controls? | ✅ | ✅ |
| Did you map compliance frameworks? | ✅ | ✅ |
| Did you consider alternatives? | ❌ | ✅ |
| Did you document why you chose this safeguard? | ❌ | ✅ |
| Did execs approve residual risk? | ❌ | ✅ |
| Can you defend decisions to a regulator? | ❌ | ✅ |
60 days to full operational deployment.
Our implementation follows a structured timeline:
Unlike traditional GRC implementations that can take 6-12 months, our GenAI platform is pre-configured with the major frameworks (ISO 27001/27701/42001, NIST AI RMF, GDPR, EU AI Act, SEC Cyber Rules, etc.), so we're customizing rather than building from scratch.
You'll start capturing defensible decisions immediately — not after months of configuration.
This is a C-Suite tool, not a departmental one.
Defensible Governance is owned at the executive level because personal liability sits with:
Typical Governance Model:
Executive sponsor: CEO or CRO
Day-to-day administrators: Risk and Legal teams working collaboratively
Key users: All C-Suite officers with statutory obligations
Oversight: Board Risk Committee
The platform tracks role-specific obligations for each executive across jurisdictions, so everyone knows their personal defensibility posture at all times.
Most organizations see payback in 2 months.
ROI comes from three primary sources:
1. Assessment Efficiency (Immediate)
Organizations reduce assessment time by 35-50% by unifying DPIAs, AIAs, FRIAs, and other impact assessments into a single platform with intelligent cross-walking to standards.
Example: A company doing 120 assessments/year at 16 hours each saves 960+ hours annually.
2. Audit & Verification Speed (30-60 days)
When regulators, auditors, or Board members request evidence, the Evidence Locker™ produces court-ready documentation in minutes instead of weeks of scrambling.
Value: Reduced legal spend, faster audit cycles, lower D&O insurance premiums.
3. Avoided Penalties (Long-term Protection)
The real ROI is what you don't pay: Personal fines, regulatory penalties, litigation costs, and reputational damage. A single avoided SEC enforcement action or GDPR penalty can exceed the platform cost by 100-1000x.
Financial services example: $850K annual savings from reduced assessment burden + avoided $2.5M in potential penalties = 2-month payback, 300%+ first-year ROI.
No. Defensible Governance integrates with and enhances your existing tools.
We're designed as a Unified Legal Defensibility Layer that sits above your current technology stack:
Think of it this way:
Your existing tools are the instruments. Defensible Governance is the conductor that harmonizes them into a legally defensible symphony that regulators and courts can understand.
We make your current investments more valuable by connecting operational data to executive accountability and legal standards.
Compliance frameworks are necessary but not sufficient.
Remember the Fortune 500 CISO who was SOC 2 and ISO 27001 certified with a $60M security budget? She still faced a $1.2B settlement because she couldn't answer: "Why was 6 months acceptable for deploying MFA?"
Frameworks define what to do. Courts ask why you made specific decisions. DG bridges that gap by documenting the reasoning behind your framework implementation.
DG becomes your primary defense.
You can immediately produce:
This is exactly what reduced Marriott's penalty by 81% and eliminated UPMC's liability. Without this documentation, your compliance program becomes evidence against you—proving you knew the risk but can't justify your decisions.
Model your effort reduction for assessments and verification.