| Management number | 220024733 |
|---|---|
| Release Date | 2026/05/03 |
| List Price | US$22.86 |
| Model Number | 220024733 |
| Category | |
European regulatory compliance no longer fits in a spreadsheet. GDPR, NIS2, DORA, AI Act, ENS, ISO 27001, ISO 27701. Each framework with its own controls, deadlines, and evidence requirements. A CISO at a regulated entity manages hundreds of overlapping requirements that change every quarter. The alternative to automation isn't hiring more people — it's non-compliance.

This book documents the real-world construction of a sovereign GRC platform powered by artificial intelligence. From the GDPR's Record of Processing Activities to specialized agents that analyze regulation, assess risk, and generate compliance evidence.

What you'll learn:

- Implement the GDPR article by article: ROPA (Art. 30), DPIA (Art. 35), breach notification (Art. 33), data subject rights (ARCO+)
- Manage 15 risk methodologies on a single platform: MAGERIT, FAIR, OCTAVE, EBIOS RM, NIST
- Build specialized agents with the Claude Agent SDK: PrivacyAgent, RiskAgent, ComplianceAgent
- Implement regulatory RAG over legal corpora: GDPR, LOPDGDD, Spanish DPA guidelines, CCN-STIC
- Design the CISO's copilot: an orchestrator that routes queries to agents by intent
- Classify AI systems under the EU AI Act with automated risk assessments
- Build a Balanced Scorecard with executive traffic-light dashboards for the board
- Deploy on-premise with full sovereignty: FastAPI, React, MySQL, Qdrant, 17 Docker services
- Generate SoA, gap analysis, and exportable compliance reports

26 technical chapters across 9 parts. Each chapter starts from a specific regulatory requirement and ends with a working code implementation. Architecture decisions include discarded alternatives and documented limitations.

- Part I — The New CISO: From Auditor to Architect
- Part II — Privacy by Design: GDPR in Code
- Part III — Risk and Compliance: MAGERIT, ENS, ISO 27001, NIS2, DORA
- Part IV — AI in GRC: Multi-Provider LLM, Regulatory RAG, Agents, AI Act
- Part V — Security: JWT, LDAP, SAML 2.0, PKI/mTLS, RBAC
- Part VI — React Frontend: 32 Modules, Dashboards, Regulatory Forms
- Part VII — Sovereign Infrastructure: Docker, Celery, Prometheus, SIEM
- Part VIII — Testing: When the Bug Is Non-Compliance
- Part IX — The CISO of the Future

Full sovereignty, no proprietary SaaS dependency. The platform deploys on-premise. Regulatory data never leaves your infrastructure. Open stack: FastAPI, React, MySQL, Qdrant. No vendor lock-in. Source code available at the public repository: github.com/machinebooks

Who is this for?

- CISOs and DPOs at regulated entities who need to automate compliance
- Risk managers juggling multiple regulatory frameworks
- GRC consultancies looking to offer their own platform instead of reselling
- Public administration security teams with ENS requirements

Book #3 in "The Professional and the Machine" series, which also includes The Architect and the Machine, The Pentester and the Machine, PQC-Day and the Machine, The Cyber Range and the Machine, and The User and the Machine. Each book is standalone. Includes glossary, reference appendices, and architecture diagrams.

About the authors: Carlos Pérez González, AI solutions architect with over two decades in offensive cybersecurity (OSCE, OSCP, OSWE, OSEP). Founder of ihacklabs, acquired by Telefónica in 2020. Juan Carlos Montes Senra, cybersecurity architect with a forensic and offensive profile (GCFA, GREM), published in PHRACK #65.
| ISBN13 | 979-8253872130 |
|---|---|
| Language | English |
| Publisher | Independently published |
| Dimensions | 7 x 1.48 x 10 inches |
| Item Weight | 3.04 pounds |
| Print length | 653 pages |
| Part of series | The Professional and the Machine |
| Publication date | March 27, 2026 |