A practitioner's perspective.
Shared directly.
Nearly two decades operating at the intersection of modern platform engineering and audit expectations—across Big 4, internal audit, and hypergrowth environments. Aethos is how that perspective reaches the field: through frameworks, research, labs, and direct conversation with practitioners navigating the same inflection point.
Not a consulting practice. A practitioner's contribution to a field in transition.
Platform assurance is being rebuilt in real time.
Most organizations aren't keeping pace.
Modern platform engineering has fundamentally changed what a control environment needs to look like. CI/CD pipelines deploy dozens of times a day. Identity surfaces span dozens of integrated systems. Cloud infrastructure is defined in code and drifts continuously. The frameworks most organizations rely on were designed before any of this existed—and the practitioners who understand both sides of that gap are rare.
Audit expectations haven't caught up to engineering reality. PCAOB standards and SOX frameworks still assume control surfaces that look like they did two decades ago. The gap between what auditors test and how modern systems actually operate isn't closing—it's widening.
GRC modernization is hard to navigate without precedent. Transforming a platform assurance program means making decisions about control design, tooling, ownership, and evidence strategy—often without a peer who has actually built this before. Most guidance in the market is either too theoretical to act on or too vendor-driven to trust.
The field needs practitioners thinking in public. Aethos exists to change that—frameworks grounded in real platform behavior, research that reflects what's actually happening in production environments, and direct conversations that cut through the noise. The conviction behind all of it is spelled out in the Aethos Manifesto.
Frameworks. Research. Labs. Dialogue.
Everything published through Aethos is grounded in the same question: what does modern platform assurance actually need to look like? Here's how that work takes shape.
Structured SOX ITGC control frameworks built around how modern platforms actually operate—GitHub, AWS, Okta, Kubernetes, Databricks, and more. Each framework is designed to close the gap between engineering reality and audit expectation, validated against real-world environments at every layer of the platform stack.
The Aethospect newsletter and supporting research capture what's shifting in platform assurance—emerging control patterns, regulatory signals, and the friction points practitioners are actually navigating. Field intelligence built from direct observation, not vendor white papers.
An experimental space for testing control optimization approaches, exploring how modern tooling intersects with assurance design, and stress-testing frameworks against real-world engineering constraints. Where thinking becomes practice—and practice becomes publishable insight.
Dialogue Sessions
A small number of direct conversations each year with practitioners and leaders at a strategic inflection point. These sessions exist to stress-test frameworks against real enterprise complexity—and to offer candid, peer-level perspective in return. Not engagements. Direct exchanges.
The gap between modern platforms and audit expectations affects everyone in the room.
Dialogue sessions draw value from—and add value to—practitioners across every function navigating this shift. The conversation is most useful when the person on the other side is living the problem, whatever their role.
Audit & GRC leaders. CAEs, IT audit directors, and compliance executives modernizing their assurance programs. The decisions you're making now—about control design, tooling, audit methodology, and how to govern modern stacks—are exactly where direct perspective adds the most value.
IT auditors & practitioners. The people doing the work—testing CI/CD pipelines, cloud infrastructure, and identity layers using methods that weren't designed for them. These conversations are about practical approaches, not theory: what works, what doesn't, and why.
Security & risk leaders. CISOs and risk executives responsible for control effectiveness in environments where the attack surface changes faster than the audit cycle. The intersection of security and assurance thinking is underexplored—and often where the most important conversations happen.
Platform & engineering leaders. VPs of Engineering, platform architects, and CTOs building systems that will be audited and governed. Understanding what "governable by design" actually means in a modern platform context—before audit or an incident forces the question—is a conversation worth having early.
A handful of conversations a year.
Selective by design.
Dialogue sessions are limited to a small number each year—not because of capacity, but because the conversations worth having require genuine context on both sides. These aren't advisory engagements. They're structured exchanges with practitioners and leaders who are navigating real decisions about platform assurance transformation and want a candid perspective from someone who has lived this problem across every function and every stage of organizational maturity.
What these conversations cover. How to think about control design for modern platform stacks. Where the real audit exposure sits versus where teams are spending energy. How to sequence a GRC modernization roadmap without creating operational drag. What the field is moving toward—and how to position ahead of it.
Why they're selective. The best dialogue sessions are genuinely reciprocal. I bring nearly two decades of pattern recognition across real environments. The value comes when the person on the other side brings the live complexity I don't see from the outside. That combination doesn't work at scale—so it stays small.
What this isn't. A consulting engagement, a retainer, or a deliverable-based project. There's no scope-of-work, no staffing model, no proposal. Just a direct conversation between practitioners at the edge of what the field is working through.
The perspective behind Aethos comes from having done the work.
Nearly two decades across every vantage point this field has to offer. The frameworks, research, and conversations that come out of Aethos are grounded in that experience—not theoretical models, not research reports, not the view from one function looking at all the others.
All three lines of defense. Direct experience inside internal audit, risk and compliance functions, and control-owning engineering teams. Having operated on every side of the same problem is what makes the frameworks—and the conversations—genuinely useful rather than optimized for one perspective.
Design, implementation, and assessment. Not just audit. Control environments designed from a blank page, implemented inside engineering workflows, and assessed under real audit pressure. The full cycle—which is rarer than it sounds, and what makes the perspective different.
Big 4 through hypergrowth. Large advisory firms, enterprise audit functions, and companies scaling from Series A to post-IPO. Platform assurance looks and feels different at every stage—and the transformation challenges are sharpest at the inflection points between them.
Greenfield to highly complex. From architecting a control environment on a blank page to modernizing frameworks embedded in multi-cloud, multi-product platforms operating at scale. The range of that experience is what allows Aethos frameworks to be useful regardless of where an organization is in its journey.
If this resonates, reach out directly.
Dialogue sessions are kept small—a handful per year—because they need to be genuinely useful to both sides. If you're navigating a platform assurance transformation and want a candid, peer-level exchange with someone who has operated across every layer of this problem, send a note. No intake form. No auto-responder.
[email protected]
Direct line. No contact form. No auto-responder.