Pelican Tech BlogCybersecurity, AI governance, and MedTech regulatory writing from the practice2026-04-30T00:00:00.000Zhttps://www.pelican-tech.com/blog/NIS2 Compliance Beyond Checkboxes: A 2026 Implementation Playbookhttps://www.pelican-tech.com/blog/nis2-compliance-2026.html2026-04-30T00:00:00.000ZA practitioner's guide to NIS2 implementation that goes beyond control catalogs. It covers what regulators actually look for, where mid-market security teams stall, and how to build a defensible programme in 90 days.Pelican TechCloud Security for Boards That Still Need Engineering Detailhttps://www.pelican-tech.com/blog/cloud-security-boards.html2026-04-28T00:00:00.000ZA practical translation between what boards ask about cloud risk and what engineering teams actually have to build. No fluff, no maturity-model bingo, just the controls that move the loss curve.Pelican TechIdentity Is the New Perimeter: Practical Zero-Trust for Mid-Size Companieshttps://www.pelican-tech.com/blog/identity-zero-trust.html2026-04-25T00:00:00.000ZWhat zero-trust actually means at the implementation layer when you don't have a Google-scale budget. The four moves that close 80 percent of the realistic attack surface, and the trap that swallows the rest.Pelican TechSIEM and SOAR Without Alert Fatigue: A Detection Engineering Approachhttps://www.pelican-tech.com/blog/siem-soar-detection-engineering.html2026-04-22T00:00:00.000ZHow to run a SIEM and SOAR programme that produces actionable detections rather than a 200-deep Slack channel of high-severity noise. The detection-engineering practices that separate functional SOCs from theatrical ones.Pelican TechThe CISO's $4M Question: Which Pre-Breach Investments Actually Move the Loss Curvehttps://www.pelican-tech.com/blog/ciso-4m-question.html2026-04-19T00:00:00.000ZThe IBM Cost of a Data Breach number is famous. The decisions a CISO can make today to bend that number down are less famous. The four investment categories that demonstrably reduce loss expectancy and the popular ones that mostly do not.Pelican TechImplementing ISO/IEC 42001: An AI Governance Roadmap That Doesn't Stallhttps://www.pelican-tech.com/blog/iso-42001-ai-governance.html2026-04-16T00:00:00.000ZISO 42001 is the first AI management system standard with audit teeth. This is how to actually implement it, where the typical programmes get stuck, and what the EU AI Act overlap saves you.Pelican TechOWASP LLM Top 10 in Production: Hardening RAG, Agents, and the Vectors Most Teams Misshttps://www.pelican-tech.com/blog/owasp-llm-top-10.html2026-04-13T00:00:00.000ZThe OWASP LLM Top 10 isn't a checklist. It's a threat model that maps cleanly onto product security work if you know how to read it. Where the real risks live in production GenAI deployments and what to actually build.Pelican TechPrompt Injection Is a Product Security Problem, Not a Model Limitationhttps://www.pelican-tech.com/blog/prompt-injection-product-security.html2026-04-10T00:00:00.000ZThe framing of prompt injection as a model-quality problem misdirects attention. The realised attacks land in production because of architecture decisions, not because the model is gullible. The product-security pattern that closes the class.Pelican TechAI Risk Assessment for Regulated Industries: A Working Templatehttps://www.pelican-tech.com/blog/ai-risk-regulated-industries.html2026-04-07T00:00:00.000ZWhat an AI risk assessment looks like when it has to satisfy a financial-services regulator, a healthcare auditor, or an industrial safety body. The structure that holds up under scrutiny and the sections that turn into evidence.Pelican TechRAG vs Fine-Tuning vs Tool Use: When Each Wins, and What It Costshttps://www.pelican-tech.com/blog/rag-finetune-toolcall.html2026-04-04T00:00:00.000ZThe three patterns most GenAI applications now combine, with the trade-offs that matter at scale. Latency, cost, evaluation difficulty, governance burden — the parts of the decision that don't show up in the demo.Pelican TechFDA 510(k) for SaMD: Cybersecurity Documentation That Won't Get Returnedhttps://www.pelican-tech.com/blog/fda-510k-cyber-docs.html2026-04-01T00:00:00.000ZThe FDA's 2025 cybersecurity guidance for Software as a Medical Device tightened the documentation bar materially. The artefacts that actually get a 510(k) cleared on the first cycle and the ones that trigger Refuse to Accept letters.Pelican TechEU AI Act Meets MDR: What Medical SaMD Vendors Should Be Doing Right Nowhttps://www.pelican-tech.com/blog/eu-ai-act-mdr.html2026-03-29T00:00:00.000ZThe EU AI Act's high-risk obligations now sit on top of the existing MDR/IVDR framework for medical SaMD. The overlap saves work; the gaps create new compliance debt. The combined posture vendors need by mid-2026.Pelican TechIEC 62304 + ISO 14971: A Combined Software Lifecycle Risk Strategyhttps://www.pelican-tech.com/blog/iec-62304-iso-14971.html2026-03-26T00:00:00.000ZThe two standards medical software teams are required to follow are usually run as separate processes. Treating them as one integrated lifecycle saves duplicated work and produces evidence that holds up under scrutiny.Pelican TechClinical Validation Pathways for AI/ML SaMD: A Step-by-Step Maphttps://www.pelican-tech.com/blog/clinical-validation-saas-ml.html2026-03-23T00:00:00.000ZClinical validation for AI/ML SaMD is where many vendors lose six to twelve months they did not plan for. The pathway choices, the evidence each pathway requires, and the order of operations that gets you to launch fastest.Pelican TechISO 13485 Beyond the Audit: Building a QMS That Speeds Up Releaseshttps://www.pelican-tech.com/blog/iso-13485-speed.html2026-03-20T00:00:00.000ZMost medical-device QMS implementations slow product releases. The ones that don't share three operational disciplines that the standard does not require but does not preclude. The pattern that turns a QMS from a tax into a multiplier.Pelican Tech