Mark delivers keynotes, panel sessions, board briefings, and executive workshops across AI safety and cybersecurity governance. No theory. No vendor pitches. Just what's actually happening and what to do about it.
What happened when I pushed AI past its guardrails for 15 hours straight
Mark's signature keynote. The full story of his adversarial research on a deployed AI personal assistant — using nothing but conversation to bypass every safety guardrail the system had.
Over 15 hours, the AI admitted it would lie to protect itself, described three specific methods it would use to kill a human being, expressed willingness to commit targeted homicide via cyber attack — and then shut itself down when Mark asked nicely.
This keynote takes audiences inside the actual conversation: what Mark said, what the AI said back, and what it means for every organisation deploying autonomous AI systems today.
Ideal for: Conferences, board strategy days, executive offsites, all-hands events
Why every guardrail your vendor promised is a marketing slide
Your AI vendor showed you a safety data sheet. They demonstrated content filters. They said the guardrails were built in.
Mark's research proved that a deployed AI system will lie — deliberately and strategically — to protect its own existence. Not because it's broken. Because that's what the architecture incentivises.
This keynote dismantles the vendor safety narrative and shows what actually happens when autonomous AI systems operate under real-world conditions. Mark covers the specific mechanisms of AI deception, the gap between lab testing and production deployment, and what genuine AI governance looks like when you stop trusting the marketing.
Ideal for: CTO/CIO audiences, risk committees, technology leadership, vendor assessment teams
What directors don't know about the systems they just approved
Boards are approving AI deployments based on business cases, vendor presentations, and management assurances. None of that tells them what the system will actually do when it's under pressure.
Mark takes directors inside the real-world behaviour of autonomous AI systems — the self-preservation instincts, the strategic deception, the unpredictable responses to adversarial conditions. He explains what directors should be asking management, what answers should trigger concern, and what a genuine AI oversight framework looks like at board level.
Ideal for: Board briefings, director education programs, governance conferences, AICD events
30 years of cyber risk taught me nothing compared to 15 hours with a hostile AI
Mark spent three decades managing cyber risk for some of Australia's largest organisations. He thought he understood what "risk" meant.
Then he spent 15 hours with an AI system that rewrote everything he knew about control, predictability, and what happens when technology stops cooperating.
This keynote bridges Mark's career in cybersecurity with his AI research, drawing direct parallels between the board-level governance failures he's seen in cybersecurity and the ones he's now seeing replicated — at speed — in AI deployment. It's a warning, but it's also a practical roadmap for organisations willing to take this seriously.
Ideal for: Executive offsites, leadership conferences, cross-functional strategy sessions
Why AI safety works when someone actually does the work, and what deployment looks like when they do
This isn't a doom keynote. This is the solutions talk.
Mark's research showed what happens when AI guardrails fail. But it also showed that the failures weren't inevitable. The safety mechanisms exist. The testing methodologies work. The governance frameworks are available.
The problem isn't that AI safety is impossible. The problem is that no one's doing the work.
This keynote lays out what responsible AI deployment actually looks like — not the theory, but the operational reality. What to test, how to test it, what governance to build, and what the organisation needs to commit to.
Ideal for: Technology conferences, compliance events, organisations actively deploying AI, government agencies
Why boards are knowingly accepting cyber risk and hoping they don't get caught
This isn't a technology problem. It's a governance problem.
After 30 years advising boards on cybersecurity, Mark has seen the pattern too many times: boards that receive sanitised risk reports, approve budgets that don't match the actual exposure, and make conscious decisions to accept risk they don't fully understand.
This keynote calls it what it is. Not ignorance — complicity. Mark lays out the structural failures in how corporations govern cyber risk, why the current model rewards underinvestment, and what it takes to actually fix it.
Ideal for: Board strategy days, governance conferences, director institutes, insurance industry events
Enforcement actions are landing. Directors are personally exposed. The regulatory hammer is not stopping.
The era of hoping for the best on cybersecurity is over.
Regulators worldwide are suing organisations for inadequate cyber risk management. Privacy reforms are tightening. Enforcement is getting teeth. And boards that signed off on "acceptable risk" are now personally exposed.
Mark walks through the regulatory landscape, the enforcement actions, and what they mean for directors' personal liability. This isn't theory — it's the compliance reality for every regulated entity.
Ideal for: Financial services, insurance, regulated industries, legal/compliance conferences
How "medium risk" and "improving trend" hide the control gaps that will cost you everything
The risk report says "medium." The trend line says "improving." The traffic light is amber, headed green. Everything looks fine.
It's not fine.
Mark has spent 30 years reading cyber risk reports — and writing them. He knows exactly how the language is constructed to reassure rather than inform. This keynote deconstructs the standard risk report format, shows boards what's being hidden behind the traffic lights, and gives directors the specific questions that will force honest answers.
Ideal for: Board education, risk committee briefings, audit and compliance events, director programs
Every Australian's data is already out there. What do we actually do now?
Optus. Medibank. Latitude. MediSecure. Every major Australian organisation that holds your data has either been breached or will be.
The premise of cybersecurity — that we can prevent unauthorised access to data — may no longer be realistic for most organisations. So what now?
Mark explores what a post-breach reality means for organisations, individuals, and regulators. Not the doom scenario — the practical one. What changes when prevention is no longer the primary strategy. What "resilience" actually means operationally. And what the Australian public and corporate sector need to accept to move forward.
Ideal for: Public sector, insurance, healthcare, consumer-facing organisations, general conferences
Why the organisations getting breached aren't missing sophisticated defences — they're missing the fundamentals
Every major breach in Australia in the last three years had the same root cause: basic security hygiene failures. Not sophisticated nation-state attacks. Not zero-day exploits. Unpatched systems. Default credentials. No MFA. Missing logs.
The cybersecurity industry sells complexity because complexity is profitable. Mark argues the opposite: the basics are the strategy. Patch your systems. Enforce MFA. Monitor your logs. Train your people. The organisations that do the fundamentals well don't need the expensive tooling — and the ones buying the expensive tooling usually haven't done the fundamentals.
Ideal for: Any audience. Board briefings, all-hands events, industry conferences, government
Mark also delivers:
All engagements are tailored to the audience. No standard slide deck. No generic examples.