Welcome to the first issue of The Current — DLegendDigital's twice-monthly brief for IT leaders, compliance managers, internal auditors, and the increasingly common hybrid role of AI governance owner. This is not a roundup newsletter. It is the five things the field team actually had to act on this fortnight — what shifted, what it means for a mid-market compliance program, and what we are shipping in response.
What changed this fortnight
Two things moved enough to warrant ink. The first is the final ramp of the NIST Cybersecurity Framework 2.0 adoption curve — we are now in the window where auditors expect a mapped control library and a Govern function narrative on every cybersecurity program, not just the ones chasing a certification. The second is the quieter but more consequential shift: boards are starting to ask about AI use-case inventories by name, and the CISO is usually the one holding the bag.
- NIST CSF 2.0 — the Govern function is the expected answer to 'how is cybersecurity governed here?' If your risk appetite lives in a slide deck, not a document, that is the first gap to close.
- AI use-case inventory — a list in a spreadsheet beats a policy with no list. Shadow AI grows 2-3× faster than shadow IT did, and most organizations cannot name the top five use cases running today.
- Vendor SOC 2 reports — the carve-out question is back. Read the CUECs section on every new vendor report, not just the opinion letter.
The NIST CSF 2.0 Readiness Toolkit is live
We shipped the NIST CSF 2.0 Readiness Toolkit last week. Three editions — Starter, Professional, Enterprise — built around the same gap assessment workbook we use on every engagement. The Enterprise edition ships with the incident response tracker, policy template library, and audit preparation checklist; the Starter is the 'do it yourself on a Thursday' version.
What makes this specific, as opposed to yet another CSF spreadsheet: the scoring is formula-driven end to end, the dashboards recalculate without macros, and every finding in the remediation tracker is tied back to a control and a named owner. The point is not the workbook; the point is that the assessment stops being a 200-page deliverable and starts being a 12-month roadmap that a CISO can defend.
Field note — the dashboard metric most programs get wrong
The single most-gamed metric in a cybersecurity program is 'percentage of controls in place.' It is always 97%. It is always 97% because nobody wants to deliver the slide that says otherwise. The metric that actually matters is closure velocity on findings older than 30 days. If that number is drifting the wrong direction, nothing else on the dashboard is real.
“Controls-in-place is the vanity metric of cybersecurity programs. Closure velocity on aging findings is the one that predicts the next incident.”
What's next
Issue #2 drops in two weeks. Pillar rotation is on — the AI pillar is up next, and we are writing about the EU AI Act's August 2, 2026 enforcement milestone and what it means for US-based organizations with EU customers. If you have a specific question you want answered, reply to this issue and we will work it in.
In the meantime, the long-form companion to this issue is Getting Started with NIST CSF 2.0. If you want the 12-minute version of everything the Govern function changed, start there.