CyberOff — Independent AI Security Architecture & CASAM
UK · Independent AI Security Architecture

Your AI security shouldn't come down to a 50/50 choice.

CyberOff is a UK independent AI security architecture practice. We give boards the language to govern AI — built on CASAM, our business-attribute framework.

No jargon. No snake oil. No fear.

See the services
Ian Murphy
30+
Years in security
44
CASAM attributes
3
Service lines
0
Snake oil sold. Ever.
  AI Security Architecture    CASAM v2.1    No Fear    The Risk Is Real    Board-Ready Governance    Agentic AI Covered    No Snake Oil     AI Security Architecture    CASAM v2.1    No Fear    The Risk Is Real    Board-Ready Governance    Agentic AI Covered    No Snake Oil  
The risk is real
£1,000,000

Fourteen years ago I lost a million pounds on live television. Nine million people watched me do it.

I have thought about risk every single day since. Most consultants read about it. I've felt it — in front of an audience the size of a small country.

That's the difference. CyberOff treats your AI risk like there are nine million people watching. Because one day, there might be.

Ian Murphy, founder of CyberOff
Three service lines · The GRM pillars in practice

Where most consultancies haven't arrived yet.

Boards are being asked questions about autonomous AI agents that nobody on the security team has rehearsed answers to. Most consultancies are still talking about prompt injection. We're a UK independent practice on AI security architecture — built from the ground up around CASAM.

01 · Governance pillar

AI Policy Review & Formulation

Gap analysis against ISO 42001, the EU AI Act and NIST AI RMF, mapped to CASAM. You get a board-ready findings report and a prioritised roadmap — not a 90-page PDF nobody reads.

  • AI estate inventory & obligation mapping
  • Gap analysis across Governance & Management
  • EU AI Act risk classification
  • Policy suite & implementation roadmap
ISO 42001 EU AI Act 3–4 weeks
02 · Risk pillar

AI Risk Assessment

Risk to the AI and risk from the AI — adversarial threats and hallucination, bias and harmful output. A register with attribute traceability and OWASP/NIST mapping. Scored, prioritised, actionable.

  • Two-vector assessment: risk TO and FROM
  • Register with CASAM mapping & L×I scoring
  • NIST AI 600-1 GenAI applicability
  • Treatment plan with control recommendations
NIST AI 600-1 OWASP LLM Top 10 3–4 weeks
03 · Modelling pillar

AI Threat Modelling

Architecture-specific, agentic-tier classified. Attack trees, STRIDE-AI, MITRE ATLAS and guardrail specs. Essential the moment your AI can take actions on its own.

  • Three-tier agentic classification
  • Six trust-boundary analysis (incl. Agent-to-Agent)
  • STRIDE-AI · OWASP Agentic Top 10 · ATLAS
  • Attack trees for top-three paths + mitigations
MITRE ATLAS OWASP Agentic 3–4 weeks
NIST AI RMF ISO/IEC 42001 OWASP LLM Top 10 2025 OWASP Agentic AI Top 10 MITRE ATLAS EU AI Act UK GDPR SABSA-influenced
CASAM v2.1 · CyberOff AI Security Attribute Model

Every framework tells your team what to do. None of them answer what the board actually asks.

NIST AI RMF, ISO 42001, the OWASP LLM Top 10 — all control-centric. They describe what to do. The board asks something different: what must be true about our AI for this organisation to be safe, compliant and trusted? CASAM answers that — 44 business attributes across six domains, the connective tissue between technical controls and board-level risk language. GRM — Governance, Risk, Modelling — is the lens that sequences those domains for the board.

The GRM model

A three-pillar sequencing model for AI security — Governance first, then Risk, then Modelling — so organisations address AI risk in the right order and at the right level of the business. Each pillar maps to CASAM domains beneath it and to the engagement it leads to.

GGovernance
Governance & Management domains — is your AI approved, owned, inventoried and overseen?
→ AI Policy Review
RRisk
Data, Technology & Regulatory domains — is your AI reliable, lawful and fair?
→ AI Risk Assessment
MModelling
Model Security domain — has your AI been tested, monitored and hardened against attack?
→ AI Threat Modelling
+ AgenticGated on AI type
Agentic AI domain — 6 additional attributes for organisations running autonomous, tool-using agents.
→ AI Agency Review
44 core attributes 6 domains +6 agentic attributes · 50 total
Proprietary IP · © 2026 CyberOff Ltd

Business-attribute traceability. Control to board. Board to control.

CASAM inverts the conventional assessment direction. It starts with the business attributes that characterise a well-governed AI system — and traces down to the controls that enable them. Any control gap traces forward to the business risk it creates. Any board concern traces back to the control that addresses it.

Ian Murphy
The practitioner

Thirty years at the sharp end. Now pointed at the hardest problem in security.

"AI governance without business-attribute traceability is governance theatre. It satisfies the auditor and leaves the board flying blind."

Ian Murphy FBCS CITP has spent thirty years in senior UK cybersecurity roles — central government, defence, critical national infrastructure, large enterprise. Former CLAS-accredited consultant. Account-CISO work with Fujitsu, enterprise architecture with Symantec. The kind of depth clients verify in thirty seconds.

CyberOff focuses that experience exclusively on AI security architecture. CASAM is the methodological expression of that focus — a framework that didn't exist, built because the gap was real.

Ian is also a working stand-up comedian on the professional circuit. The consultant is a better communicator because the comedian has to earn the room. Based in Barnstaple, Devon; working across the UK and internationally.

Events & Speaking

The same voice. Different rooms.

Ian speaks at industry events, MCs awards nights and gala dinners, and runs Clocking Off — sponsored cyber comedy nights that put real stand-up at the centre of what is otherwise the same vendor marketing cycle.

Clocking Off · Sponsored comedy nights

Your marketing money. An audience that actually turned up.

Single-sponsor cyber comedy nights — MC'd by Ian, three pro acts including a TV-name closer. Curated UK cyber decision-maker guest list. Inaugural event with CyberCert in 2026, quarterly thereafter.

  • Turnkey production — venue, acts, MC, content pack
  • Single-sponsor exclusivity, sponsor sign-off
  • Post-event content pack within five working days
Turnkey production Quarterly series
Keynotes & MC · For your stage

The cyber speaker who lands the room. Then makes them laugh.

Conference keynotes, in-house events, association talks, awards nights, gala dinners. Technical rigour, real humour, plain English. No fear-based slides.

  • Flagship 2026: The Agentic AI Risk Blindspot
  • Signature: The Snake Oil Detector
  • Awards MC & gala-dinner hosting available
Keynote & MC UK & international
Free · 10 minutes · No signup until results

Where do you actually stand on AI security?

20 questions across Governance, Risk and Modelling — the three pillars of CASAM. A clear picture of your posture and where to focus first. No jargon, no sales pitch in the results.

Let's talk

AI security, CASAM, or a comedy night. One address.

Drop a line. Response measured in hours, not a week and a half.

ian@cyberoff.com
Book a free 20-min consultation →

Consultations are free, last 20 minutes, and don't involve a pitch.

CyberOff

© 2026 CyberOff Ltd. All rights reserved. Ian Murphy FBCS CITP.

Based in Barnstaple, Devon. Working across the UK and internationally.

CyberOff Ltd. Company No: 13167805 · VAT No: 370598960.

CASAM (CyberOff AI Security Attribute Model) is proprietary to CyberOff Ltd. Sponsors of Clocking Off events do not receive product endorsement from the stage. Where a consulting engagement involves a vendor with a recent sponsorship relationship, this is disclosed to the client at scoping.

AI Security CASAM About Events Contact Privacy Notice
{{ formEyebrow }}

{{ formTitle }}

{{ formDoneTitle }}

{{ formDoneBody }}

Read the white paper →

{{ formBlurb }}

By submitting you agree to our Privacy Notice. No spam, no list-selling.

CyberOff
Powered by CASAM v2.1
Free GRM Diagnostic · 20 Questions · Instant Results

Where does your AI programme actually stand on security?

Map your gaps across Governance, Risk and Modelling — the three pillars of the CASAM framework. 20 questions, under 10 minutes, and a GRM diagnostic you can act on.

{{ progressLabel }}
{{ pillarLabel }} {{ pillarService }}
{{ qNumLabel }}
{{ qText }}
{{ qHelp }}

Your results are ready.

Enter your details to see your GRM diagnostic — Governance, Risk and Modelling scores with a tailored recommendation. We'll also send a copy to your inbox.

By submitting you agree to our Privacy Notice. No spam, no list-selling.

{{ resGreeting }}

{{ resSummary }}

{{ card.name }}
{{ card.service }}
{{ card.pctText }}
{{ card.ragLabel }}
{{ card.insight }}

Key findings

{{ f.label }}
{{ f.text }}
Recommended starting point

{{ recTitle }}

{{ recBody }}

Free download

Get the full CASAM white paper

The research paper behind this assessment — the case for attribute-based AI governance, the full GRM model, and what a CASAM v2.1 assessment looks like in practice. Written for boards, CISOs and senior risk leaders.

Sent to your inbox within one business day · No obligation

Powered by CASAM v2.1 · © 2026 CyberOff Ltd.

ian@cyberoff.com

Discovery Call — Pre-Call Brief

Your consultant will be prepared before you speak.

The GRM results below will be shared with Ian Murphy before your call. Your 30-minute Discovery Call will focus on your specific gaps — not a generic sales conversation.

{{ bp.name }}
{{ bp.pctText }}
{{ bp.ragLabel }}
{{ tag }}
What to expect: Ian will have reviewed your GRM scores before the call. The session focuses on translating your highest-priority gap into a scoped engagement — with a clear recommendation by the end.
Open my booking →

Clicking "Open my booking" opens Calendly with your name, email and GRM results pre-filled. Your results are shared only with CyberOff.