CyberOff is a UK independent AI security architecture practice. We give boards the language to govern AI — built on CASAM, our business-attribute framework.
No jargon. No snake oil. No fear.
Fourteen years ago I lost a million pounds on live television. Nine million people watched me do it.
I have thought about risk every single day since. Most consultants read about it. I've felt it — in front of an audience the size of a small country.
That's the difference. CyberOff treats your AI risk like there are nine million people watching. Because one day, there might be.
Boards are being asked questions about autonomous AI agents that nobody on the security team has rehearsed answers to. Most consultancies are still talking about prompt injection. We're a UK independent practice on AI security architecture — built from the ground up around CASAM.
Gap analysis against ISO 42001, the EU AI Act and NIST AI RMF, mapped to CASAM. You get a board-ready findings report and a prioritised roadmap — not a 90-page PDF nobody reads.
Risk to the AI and risk from the AI — adversarial threats and hallucination, bias and harmful output. A register with attribute traceability and OWASP/NIST mapping. Scored, prioritised, actionable.
Architecture-specific, agentic-tier classified. Attack trees, STRIDE-AI, MITRE ATLAS and guardrail specs. Essential the moment your AI can take actions on its own.
NIST AI RMF, ISO 42001, the OWASP LLM Top 10 — all control-centric. They describe what to do. The board asks something different: what must be true about our AI for this organisation to be safe, compliant and trusted? CASAM answers that — 44 business attributes across six domains, the connective tissue between technical controls and board-level risk language.
CASAM inverts the conventional assessment direction. It starts with the business attributes that characterise a well-governed AI system — and traces down to the controls that enable them. Any control gap traces forward to the business risk it creates. Any board concern traces back to the control that addresses it.
"AI governance without business-attribute traceability is governance theatre. It satisfies the auditor and leaves the board flying blind."
Ian Murphy FBCS CITP has spent thirty years in senior UK cybersecurity roles — central government, defence, critical national infrastructure, large enterprise. Former CLAS-accredited consultant. Account-CISO work with Fujitsu, enterprise architecture with Symantec. The kind of depth clients verify in thirty seconds.
CyberOff focuses that experience exclusively on AI security architecture. CASAM is the methodological expression of that focus — a framework that didn't exist, built because the gap was real.
Ian is also a working stand-up comedian on the professional circuit. The consultant is a better communicator because the comedian has to earn the room. Based in Barnstaple, Devon; working across the UK and internationally.
Ian speaks at industry events, MCs awards nights and gala dinners, and runs Clocking Off — sponsored cyber comedy nights that put real stand-up at the centre of what is otherwise the same vendor marketing cycle.
Single-sponsor cyber comedy nights — MC'd by Ian, three pro acts including a TV-name closer. Curated UK cyber decision-maker guest list. Inaugural event with CyberCert in 2026, quarterly thereafter.
Conference keynotes, in-house events, association talks, awards nights, gala dinners. Technical rigour, real humour, plain English. No fear-based slides.
15 questions across six CASAM domains. A clear picture of your posture and where to focus first. No jargon, no sales pitch in the results.
Drop a line. Response measured in hours, not a week and a half.
ian@cyberoff.comConsultations are free, last 20 minutes, and don't involve a pitch.
{{ formBlurb }}
15 questions across 6 domains. A clear picture of your AI security posture — and where to focus first.
Enter your details to see your CASAM domain scores and key findings. We'll also send a copy to your inbox.
{{ resSummary }}
Powered by CASAM v1.0 · © 2026 CyberOff Ltd.