Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2026HertzUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2026HertzUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
A Control Blueprint for AI

A Control Blueprint for AI
Control the path. Govern the agent. Protect the asset.

A 40-page 2026 playbook on AI infrastructure, open weights, agents, kill-switch design and operational recovery for boards, CISOs and AI leaders.

40 pages
28 min read
Boards and audit committees
A Control Blueprint for AI: 2026 Playbook cover

Get the playbook

Emailed to you within a minute

Email-gated GDPR compliant

Foreword

AI governance is moving quickly, and the danger is treating it as a paperwork exercise while agents, models and infrastructure become part of the operating fabric of the business. A Control Blueprint for AI is a deliberately different document. It is not a model-security checklist; it is a control blueprint for the people who now have to decide where AI runs, what it can reach, which assets it can change, who can stop it, and how the business recovers if the system fails or is abused. Grounded in AISI, NCSC, NIST AI RMF, OWASP GenAI, MITRE ATLAS, RAND and the International AI Safety Report 2026, and written by Mark Fermor, it gives boards and CISOs a common vocabulary, Control the Path, Govern the Agent, Protect the Asset, and the operating cadence to run AI control as a discipline, not a policy.

Mark Fermor · Co-Founder, Firevault

What's inside

6 parts. Written for the people who own the decision.

Each chapter opens with the decision it exists to help you make, and closes with the evidence you should expect back.

01

The AI infrastructure reality

Why AI is now critical infrastructure, and how control planes, data planes and recovery planes must be separated across compute, data, identity, facilities and recovery.

  • AI infrastructure is now a national security issue
  • One shared path means one shared failure
02

Attack surface and the AI data centre

Chained attack surface analysis, prompt, identity, tool, API, data, recovery, and the concentration risk sitting inside modern AI clusters.

  • Attackers rarely need to own the model if they own the route
  • Model theft is now a data-centre security problem
03

Open weights and model assets

Protecting weights like source code plus crown jewels: custody, safeguards, release control, hashing, offline archives and destruction records.

  • Open-weight releases change the risk boundary permanently
  • Model custody is a lifecycle discipline, not a one-off decision
04

Agents and action authority

Identity, scope, purpose, expiry, approval gates and revocation for AI agents. Why recommendation is not delegated authority.

  • Agents need identity and expiry, like people do
  • Control the tool, not only the prompt
05

The AI kill switch doctrine

Controlled stop states, agent stop, model withdrawal and the hard stop. Designing the safe landing zone and proving it works.

  • A kill switch must have levels, not just an off button
  • The deeper the consequence, the more independent the stop path must be
06

Policy, adoption and operating cadence

From principles to operations. Five board questions, control outputs, a pilot pattern with a control boundary, and a working operating cadence for AI control.

  • A pilot is judged on reach, authority, evidence and recovery
  • AI control is an operating rhythm, not a policy binder

Who it's for

Read it if you're accountable for the decision.

  • Boards and audit committees
  • CISOs, CIOs and chief AI officers
  • AI programme and platform leads
  • Data-centre and infrastructure teams

Sectors we hear from

Financial servicesGovernment & defenceCritical national infrastructureTechnology & AIHealthcare & life sciences

Frequently asked

Questions leaders ask before requesting.

Something else on your mind? Reply to any Firevault email or write to mark@fire-vault.com.

More Firevault playbooks

Board-level control blueprints.

Each playbook is written for the people who own the decision, practical, UK-grounded and free to request.

Ready to read it?

Request A Control Blueprint for AI. It lands in your inbox within a minute, tied to your email address. No download, no fuss.

    Your privacy matters

    We use cookies to keep the site running smoothly and to understand how you use it. You are in control. Privacy Charter · Cookie Policy