Research Library

The research behind the framework.

Programmer to Board is the accessible front door into a deeper body of work on continuous governance, agentic AI risk, and threat evolution. The papers below carry the full academic and regulatory rigor.

M. Robinette — Former OCC Lead Examiner (FEIC) · AWS Principal Compliance Specialist
01

Flagship working papers

Anchor research, published on SSRN.

Continuous Governance Across Enterprise AI and Agentic Systems: Governing What You Cannot See SSRN 6437982 · March/April 2026

Establishes board-level fiduciary accountability under deployer frameworks (EU AI Act), introduces authority drift as a first-class ERM variable, and presents a unified governance loop with autonomy tiering (Tier 0–4).

Published View on SSRN →
Threat Shift Framework: Recognizing Milestone Events in the Evolution of Cyber Threats SSRN 6511079 · April 2026

Submitted to Journal of Computer Virology and Hacking Techniques (Springer). A three-criterion diagnostic for milestone threat events, validated against DDoS, ransomware, and supply chain compromise, and introduces the Intellectual Threat class targeting the reasoning layer.

View on SSRN →
02

RAI-A companion series

Five sequential papers extending Continuous Governance to delegated autonomy in agentic systems.

A0

The Agentic Inflection Point

Extending Continuous Governance to delegated autonomy. Defines the shift from boundary automation to delegated authority.

A1

Autonomy Classification

Establishes autonomy tiering as the mechanism for classifying delegated authority within ERM.

A2

Escalation Under Ambiguity

Defines appetite-aligned escalation thresholds rather than anomaly detection alone.

A3

Architectural Containment

Governing the boundaries of delegated authority — structural mechanisms that bound blast radius before escalation triggers.

A4

Enterprise Visibility

Aggregating delegated authority for board oversight. Completes the loop with enterprise-level aggregation and reporting.

Working Paper · Pre-Publication Draft · March 11, 2026 (all five)
03

Master compendium

Responsible AI (RAI) at Scale v7 — EU AI Act Master

The full integrated document combining the RAI-A series with EU AI Act alignment, risk classification and appetite cascade, unified control baseline, evidence discipline, implementation roadmap, and board takeaways.

Appendix RAI-Series-001 — Six Lessons Delivering Responsible AI Governance
Appendix RAI-Series-002 — Unified Story aligning EU AI Act, GDPR, DMA, NIST AI RMF, ISO 42001, SEC
04

Policy and practitioner series

Global VM Policy (Draft v2 Final)

Six-chapter paper on vulnerability management frameworks: CVE/VEP origins, NIS2/GDPR, CFAA trajectory, the Budapest Convention's global export, agentic AI's disruption of temporal assumptions, and a multi-institution call to action with jurisdiction-specific recommendations to CERT-In, China's MIIT, Israel's INCD, and others. References both flagship SSRN papers; forms the basis for a six-part weekly LinkedIn series.

Draft v2 final
05

In development

Third paper (untitled)

Centered on six ATLAS framework coverage gaps representing structurally unmitigable residual risk from agentic AI — to be carried and reported to boards as bounded residual risk.

In development
Full-text search across this body of work is coming in a future release. For now, contact the author directly for early access to any working paper.