Field Notes

Practitioner intelligence across the seven Dhārās. Each note lives inside its stream.

AI-Augmented Governance · May 2026 · 11 min read

Sovereign by default, hybrid at edges

Open-weights AI deployment for regulated firms. License first, deployment condition, four trust primitives, the multi-regulation reasoning pattern, the hardware tier matrix, and the question regulators are quietly already asking across UK FCA, US SR 11-7, EU AI Act, MAS Notice 655, and India DPDPA.

AI Governance · Open-Weights Models · Data Sovereignty · Regulated Environments

AI-Augmented Governance · Dec 2025 · 7 min read

A Guide to Auditing Generative AI

Audit methodology for Copilot, ChatGPT Enterprise, and Copilot Studio agents in regulated financial institutions. Control questions that standard IT audit methodology does not cover.

AI Governance · Copilot · Agentic AI

AI-Augmented Governance · Oct 2025 · 7 min read

AI in IT Audits: What Auditors Are Getting Wrong

AI is in your toolkit and inside the systems you audit. What professional skepticism means now, where AI helps, and the failure modes appearing in AI-assisted audit work.

AI Governance · Professional Skepticism · DORA

Regulatory Cartography · Mar 2026 · 12 min read

India's FREE-AI vs the EU AI Act

India's FREE-AI framework compared against the EU AI Act, UK principles, and Singapore's governance. What India got right, what it missed, and why it matters.

AI Governance · FREE-AI · EU AI Act · India

Regulatory Cartography · May 2025 · 8 min read

Open Banking: The Regulatory Map in 2026

PSD3 in trilogue, India Account Aggregator and OCEN, BIS Project Nexus, and FAPI 2.0. The open banking regulatory map in 2026 and what it means for compliance.

PSD3 · RBI · FAPI 2.0 · API Security

Sovereign Judgment · Sep 2025 · 8 min read

Third-Party Risk: Why Vendor Assessments Fail

DORA Articles 28-30 are active. Why MOVEit and Change Healthcare happened despite vendor assessments, and what a defensible TPRM programme requires.

Third-Party Risk · DORA · Vendor CCMM

Resilience Engineering · Mar 2026 · 8 min read

State-Sponsored Cyber Espionage

How state-sponsored cyber operations target payment rails and settlement infrastructure during geopolitical tension, and what GRC practitioners must do.

Cyber Warfare · Operational Resilience · DORA

Resilience Engineering · Oct 2025 · 8 min read

Post-Quantum Cryptography: Migration Has Started

NIST published final PQC standards in August 2024. Harvest-now-decrypt-later, FIPS 203/204/205, NCSC timelines, and how to sequence the migration.

NIST PQC · Crypto Agility · FIPS 203

GRC Intelligence · Oct 2025 · 9 min read

The IT Audit Landscape in 2026

AI tooling, DORA, and cloud surface expansion are reshaping the IT audit function. What needs to change and where to start.

IT Audit · AI Governance · Cloud · DORA

GRC Intelligence · Nov 2025 · 7 min read

Continuous Auditing: Making It Work in Practice

Continuous auditing is a DORA obligation now. What it means in practice, where implementations break down, and how to build a programme that holds up.

Continuous Auditing · DORA · Analytics

GRC Intelligence · Jan 2025 · 7 min read

Residual Risk: What Actually Matters

Residual risk is a leadership decision, not a heatmap number. DORA Art. 6, ISO 31000, and what a defensible programme looks like.

Risk Management · DORA · ISO 31000

What ऋतPulse means

rtapulse.com (ऋतPulse) combines ऋत (ṛta / ṛtá), order, rule, truth, rightness, with Pulse (a living signal of health). It reflects how I think GRC should work: not a quarterly scramble, but a steady rhythm: detect drift early, keep evidence ready, and translate risk into decisions leaders can act on.