A Control on Paper Is Not a Control
When the firms that sell assurance stop operating their own controls.
Several firms that sell assurance over other people's controls have just been caught failing to operate their own. That is the more damning reading, and the more instructive one. A practitioner reading of an operating-effectiveness failure, not a design gap.
02Use this paper when
Scenarios where this briefing earns its place on the desk.
- 01A professional-services or assurance firm is adopting generative AI in client deliverables
- 02Your firm publishes reports, research or thought leadership that may be AI-assisted
- 03A board is selecting, re-appointing or reviewing an assurance provider
- 04You are setting AI controls for content production and need a pre-publication gate
- 05An AI-assisted deliverable has been questioned and you need a defensible response
03What you'll find inside
What the briefing covers, section by section.
- SECTIONAn industry that sells trust, caught failing at the one thing it sells
- SECTIONThe pattern, not the incident
- SECTIONWhat actually went wrong
- SECTIONAn operating-effectiveness failure, not a design gap
- SECTIONThe economics of getting caught
- SECTIONTrust and assurance are not the same thing
- SECTIONThe controls that would have caught it
- SECTIONThe governance wrapper
- SECTIONThe uncomfortable question for anyone buying assurance
- SECTIONWhat has to change
AUTHOR
Paul Jolliffe
FOUNDER · INFOSECAI · MBA · CISSP · ISO 27001:2022 LA / LI / IA · PRINCE2 Practitioner
Twenty years of senior security leadership across financial services, healthcare, government, telecoms and technology. Independent UK practice founded 2025. Author of the InfoSecAI insights library.
Get The Brief: practitioner notes on what is changing.
Weekly. No tracking pixels, no marketing automation. Unsubscribe in one click.