Shows executives what they are legally accountable for, where governance obligations are unmet, and how to remediate — producing authenticated evidence of reasonable care across cyber, privacy, and AI.
Built to work with your existing stack: it can integrate with ServiceNow, Drata, Vanta, OneTrust, BigID, and more, transforming compliance data into court-ready evidence.
Companies already spend heavily on GRC, Big Legal, and Big 4 assessments — yet executives still can't answer three questions: What are we legally accountable for? Where are we exposed? What actions are required?
Executives are liable under laws that are never translated into their specific responsibilities. No existing tool maps legal obligations to individual roles.
Leadership cannot see where governance obligations are unmet until after a breach or investigation. By then, the damage is done.
Existing tools track compliance controls and tasks, but do not tell executives what actions they must take to satisfy duty-of-care requirements.
When scrutiny comes, companies cannot produce the decision record regulators and courts expect. GRC proves activity — not judgment.
Your GRC proves activity. We prove judgment.
| Dimension | GRC Tools | Legal Defensibility Layer |
|---|---|---|
| Primary Buyer | Risk / IT / Compliance | GC / CPO / CRO / CEO / Board |
| Question Answered | "Did we comply?" | "Can we prove judgment was sound?" |
| Evidence Created | Control activity logs | Decision rationale, alternatives, board approvals |
| Outcome Optimized For | Certification | Liability reduction |
| Risk Type Addressed | Operational risk | Personal & corporate legal exposure |
We don't replace your GRC — we make its data meaningful in investigations and courts.
Five steps from obligation mapping to authenticated evidence.
1. Map legal obligations to executive roles: Board, CEO, CISO, GC, DPO.
2. Defensibility Gap Assessment: surface where obligations are unmet.
3. Evaluate alternatives, proportionality, and cost-benefit tradeoffs.
4. Approved DG Plan with remediation priorities and accountability.
5. Immutable record of all decisions, approvals, and rationale.
Performs all impact and risk assessments required by law. Unifies DPIAs, AIAs, FRIAs, and more into a single system with automated crosswalks to ISO/NIST frameworks.
Creates a Calculated Definition of Acceptable Risk to impose on customers, partners, and citizens. Formalizes risk tolerance, records alternatives, and connects decisions to Board approval workflows.
Time-sequenced, tamper-evident storage for risk assessments, decisions, and approvals. Packages court-ready artifacts for regulators, litigation, and insurance claims.
Tests your defensibility using regulator-style prompts: "Show evidence you considered safer alternatives." Generates exposure assessments and executive talking points.
Documents why decisions were made, what alternatives were considered, risk/harm balancing, and Board sign-off — turning ambiguous governance into legal-grade documentation.
Tracks role-specific obligations across jurisdictions, shows regulatory gaps requiring action, and displays personal liability posture for each C-Suite member.
How prosecutors and regulators would interpret your current Defensibility Gap Assessment findings.
Legal review hours included, defensibility assessment and gap analysis, Quarterly Defensibility Reports, Court-Mode readiness exercises, executive training, and ongoing advisory services with real-time dashboards.
Defensible Governance sits above GRC as the legal accountability layer. We convert your existing tool outputs into evidence of reasonable care that withstands judicial review.
Role-specific defensibility for every executive with personal liability exposure.
The compliance era is over. Enforcement now turns on governance judgment, not audit activity.
GDPR, EU AI Act, SEC Cyber Rules, NIS2, DORA, and 20+ state privacy laws now all require evidence of proportionate, reasonable decision-making — not just controls.
Uber CSO criminally convicted. SolarWinds CISO personally named. Drizly CEO under 20-year oversight mandate. D&O insurance now excludes "gross negligence." The shield has shattered.
Marriott's fine reduced 81%. UPMC found not negligent. Citi fined $336M. Same category of breach — different documentation. Contemporaneous evidence of judgment changes everything.
The standard has shifted.
From: "Did you comply?" → To: "Can you prove your leadership took reasonable care?"
| Company | $ Amount | Primary Transgression | Governance Failure Characterization |
|---|---|---|---|
| | $5–$7.8B | Secret tracking in Incognito mode; unlawful data collection | Unreasonable practices; failure to safeguard users from foreseeable privacy harm; deceptive governance |
| Meta Platforms | $3.5–$4.1B+ | Illegal cross-border transfers; biometric collection; children's data misuse; transparency failures | Systemic governance failure; inadequate safeguards; unreasonable reliance on invalid transfer mechanisms |
| Amazon | $877M | GDPR violations in ad-tech and data processing | Failure to implement appropriate technical & organizational measures (Art. 25, 32 GDPR) = Requires defining and applying risk-based thresholds to demonstrate the standard of reasonable and appropriate care |
| Equifax | $700M | Failure to patch known vulnerability; massive consumer data breach | Negligence; failure to meet reasonable security standards; foreseeable harm ignored |
| Epic Games | $520M | COPPA violations; dark patterns tied to data use | Failure to protect children; unreasonable data and product governance |
| T-Mobile | $500M | Repeated breaches; inadequate access controls | Failure of reasonable security; governance breakdown despite prior warnings |
| Meta (Texas) | $1.4B (incl. above) | Facial recognition without consent | Per-se statutory negligence; failure to govern biometric risk |
| TikTok (EU) | $370M | Children's data mishandling | Failure to implement heightened safeguards for vulnerable populations |
| Citi (aggregate) | $336M | Data breach controls; internal risk governance failures | Failure to secure financial data; inadequate internal controls = governance failure |
| Uber (EU) | $324M | Unlawful international data transfers | Unreasonable safeguards; failure to assess transfer risk post-Schrems II |
| Home Depot | $200M+ | Payment card breach | Failure to segment networks and monitor foreseeable attack vectors |
| Capital One | $190M+ | Cloud misconfiguration; access control failure | Failure of reasonable cloud governance and risk assessment |
| Twitter / X | $150M | Misuse of security data for advertising | Deceptive governance; misuse of data entrusted for security purposes |
| Anthem | $115M | Healthcare data breach | Failure to safeguard sensitive health data; foreseeable harm |
| Oracle | $115M | Improper data collection and sale | Inadequate data governance; unreasonable secondary use of personal data |
| Zoom | $85M | Security failures ('Zoombombing') | Failure to design for reasonable security under foreseeable misuse |
| OPM | $63M | Federal employee data breach | Failure to meet baseline government security standards |
| Plaid | $58M | Excessive data collection beyond consumer consent | Unreasonable data minimization and access governance |
| Blackbaud | $49.5M | Ransomware + misrepresentation of risk | Failure to implement reasonable ransomware defenses; governance misstatements |
| Morgan Stanley | $35M | Unencrypted data disposal | Failure of basic data lifecycle governance |
$21B+ in enforcement penalties. In every case, governance failure was the common factor.
Pre-configured for the core regulations, standards, and frameworks most organizations need. Adding others takes hours, not months.
ISO 27001 / 27701 / 42001 / 31000, NIST AI RMF, CIS, CMMC, DoCRA — all mapped.
DPIAs, FRIAs, ARIAs, Cyber Risk, Vendor, Data Transfer, and Defensibility Gap Assessments — unified in one system.
GDPR, EU AI Act, DORA, SEC Cyber Rules, NIS2, CCPA/CPRA, 20+ state privacy laws, Executive Orders 14110 / 14117, and more.
GDPR, CPRA/CCPA, VCDPA, CPA, LGPD, PIPEDA, APPI. Includes DPIAs, data minimization, processor controls, SAR workflows.
EU AI Act, Executive Orders 14110 & 14117, NIST AI RMF. Conformity assessments, explainability, and human oversight documentation.
SEC Cyber Rules, NIS2, DORA, SOX, AML/KYC, CFPB, Basel alignment. Minors' online safety coming soon.
Foreseeability + Harm Consideration + Proportionality + Documentation = Safe Harbor
We offer annual subscriptions at three cadences for moving from Defensibility Gap Assessments to Defensible Governance Plans: once a year, every quarter, or continuous. Every tier includes ongoing domain expert + attorney support.
1 full Defensibility Gap Assessment workflow per year, with guided remediation, board reporting, Evidence Locker updates, and domain expert + attorney review.
4 full Defensibility Gap Assessment workflows per year for quarterly posture refresh, progress tracking, updated reporting, and recurring expert + attorney review.
Continuous access across assessments, workflow, evidence updates, and major change reviews, with ongoing domain expert + attorney support.
When leadership can demonstrate reasonable care, fines are reduced or eliminated. When they can't, enforcement is devastating — even when charges are dismissed.
Fine reduced 81%
ICO initially proposed £99M. Reduced to £18.4M. Why? Marriott produced DPIAs, board minutes showing oversight, and alternatives-analysis documentation. Regulator acknowledged: "They took reasonable steps."
Found NOT negligent
Sued for negligence after ransomware attack. Court found no negligence — because UPMC demonstrated risk assessments, documented resource allocation, and proportionate trade-offs before the attack.
No provable rationale
$200M (2021) + $136M (2024). Regulators found a documentation gap — leadership could not produce evidence of why key risks were accepted, delayed, or sequenced. COO replaced. Trust eroded.
$46M+ even after dismissal
SEC dismissed all charges Nov 2025. But the cost: $26M settlement, $20M+ legal, CISO personally named, 400 engineers off roadmap for 6 months, renewals dropped from 98% to 80%.
11,000 emails reviewed. 7 identified a risk. Zero explained the rationale.
The complete governance record: risk assessments, cost-benefit analyses, board-level findings, and executive approval decisions — exportable to Word, ready for regulators.
"I've seen how executive decisions can come under intense scrutiny, even when they're made responsibly. Defensible Governance addresses a critical need: helping leaders show the reasonableness of their actions before they're judged in hindsight."
"Too many CISOs, boards, and executives still believe that compliance checkboxes and 'best effort' will shield them from liability. The reality is different. Prosecutors and regulators systematically reconstruct whether leadership met a reasonable duty of care. Defensible Governance™ is the framework that shifts the balance. This is no longer optional — it's necessary body armor for managing cyber legal risk."
Defensible Governance™ creates this evidence automatically, before scrutiny arrives.
Built by operators across cyber, legal, governance, and enterprise security.
Creator of Defensibility.ai and Defensible Governance™. 35 years in enterprise software, 25 years in startup GTM and sales, 22 years in cybersecurity. Seven cyber/risk startups with successful exits.
Privacy, security, and AI governance attorney. Validates legal logic, governance workflows, and defensibility requirements. CIPP/US, CIPM, Fellow of Information Privacy (FIP). Known as The Data Lawyer.
11 years hands-on CISO experience. Oversees the CISO practice, provides strategic advisory, and helps align security with defensibility goals.
Former CSO & CISO of Honeywell. Board-room translator and scale operator. President & CSO of Critical Infrastructure, LLC. Council member, George Mason University Law's National Security Institute.
"Too many CISOs believe compliance shields them. Prosecutors test reasonableness."
CISO of SolarWinds. Former Dell Fellow and Distinguished Engineer. 30+ years, 15 patents. Testified before Congress.
"Executive decisions face scrutiny even when made responsibly. This helps leaders show the reasonableness before hindsight."
EU AI Act Trainer, ISO/IEC 42001 Implementer, CEN/CENELEC AI Standards Contributor. 10+ years leading EU data-protection and AI-risk initiatives.
25+ years in cybersecurity. Six security patents. Leads security pre-sales for Strategic Accounts at Zoom.
100+ enforcement actions mapped to the governance failures that Defensible Governance identifies, remediates, and documents. $21B+ in documented penalties.
GRC proves controls exist. Defensible Governance proves leadership was reasonable. Learn why DG doesn't replace GRC — it makes GRC matter in court.
From the EU AI Act to Executive Orders, understand the new accountability standards and how to document conformity, explainability, and human oversight.
The legal test following a breach asks specific questions about executive decision-making. Defensible Governance captures this chain end-to-end.
Between 2021–2026, courts found inadequate reasoning in $21B+ of fines. The problem wasn't controls — it was decision defensibility.
Schedule a conversation with our team.
Defensible Governance™ doesn't replace your GRC — it makes your GRC matter in court.
Your GRC platform proves controls exist. We prove your decisions were reasonable. Between 2021–2026, 95% of organizations penalized with $21B+ in fines had active GRC programs. They passed audits but failed prosecution.
We sit above your existing GRC, transforming operational documentation into court-ready evidence of decision quality.
60 days to full operational deployment. Our platform is pre-configured with major frameworks. You start capturing defensible decisions immediately — not after months of configuration.
This is a C-Suite tool, not a departmental one. Executive sponsor is typically the CEO, GC, or CRO. Day-to-day administrators are Risk and Legal teams. Key users are all C-Suite officers with statutory obligations. Oversight: Board Risk Committee.
Most organizations see payback in 2 months. ROI comes from assessment efficiency (35–50% reduction), faster audit/verification cycles, and avoided penalties. A single avoided enforcement action can exceed the platform cost by 100–1000×.
No. We integrate with and enhance ServiceNow, Archer, LogicGate, OneTrust, TrustArc, and your existing security tools. We're the conductor that harmonizes them into a legally defensible record.
Compliance frameworks are necessary but not sufficient. Frameworks define what to do. Courts ask why you made specific decisions. We bridge that gap by documenting the reasoning behind your implementation choices.
DG becomes your primary defense. You immediately produce contemporaneous evidence of foreseeability, alternatives considered, proportionate safeguards, board-approved risk thresholds, and complete evidence chain. This is exactly what reduced Marriott's penalty by 81%.
Model the estimated financial impact of Defensible Governance on your organization's regulatory exposure.
All outputs are modeled estimates based on industry benchmarks and inputs you provide. Results are not guaranteed savings.
1.0 = 1 per year; 0.5 = 1 every 2 years; 0.33 = 1 every 3 years; 1.5 = 3 every 2 years.
Enter total fines + legal costs from your most recent event. Overrides the industry benchmark per-event cost when populated.
Based on enforcement patterns in your industry, select which risk categories your organization faces.
Large financial services companies typically face enforcement involving 2–3 categories. In the Top 25 enforcement actions ($14B+), every case coded to at least two governance failure patterns.
If your organization has documented enforcement actions, enter the details below. This strengthens the exposure model with real data.