Frameworks Don’t Ship
Turning NIST AI RMF + the GenAI Profile into an AppSec Backlog That Actually Changes Risk

There is a recurring mistake in security. We mistake agreement for execution.

A team says they are “aligned to a framework,” and everyone relaxes. The slide looks good. The architecture review sounds mature. The policy document has all the right words.

Then an incident happens, and we discover the ugly truth: nouns don’t defend systems. Verbs do.

A framework is mostly nouns. Engineering is mostly verbs. ...