Executive profile

Built in production. Not in a presentation.

The experience behind the advice: 30 years operating technology at scale across regulated environments, and a homelab that puts AI governance into practice daily.

00 / BIO

Corey Watts

I'm a Chief Information Officer at a $1 billion financial institution in the Southeast, where I've spent the last 30 years building and running technology across every layer of the enterprise — infrastructure, security, applications, data, and automation. My scope spans a multi-million-dollar technology budget and accountability for a platform that regulators examine every examination cycle.

That operating environment is why boards and executives find my advice useful: I don't advise on AI governance from a framework manual. I do it from daily accountability for the same risks I'm helping clients navigate — exam pressure, vendor opacity, third-party AI in core systems, and the gap between what a model can do and what a regulated institution can allow it to do.

Outside the institution, I hold the CCISO and work within NIST CSF 2.0 and the AI RMF 1.0 as primary governance frameworks. I operate a multi-agent AI environment in my homelab — not as a hobby, but as a controlled testbed for the governance patterns I advise on.

Institutional scope
Infrastructure
Security
Applications
Data
Automation
Credentials & frameworks
CCISO
NIST CSF 2.0
AI RMF 1.0
$1B FI · 30 yrs
Multi-agent AI · in production
Board-level reporting
NCUA exam management
Career arc
CIO
PRESENT

Chief Information Officer — $1B Credit Union

Full-scope technology leadership: infrastructure, security, apps, data, automation. Board reporting. Exam management. AI governance program.

vC
2023 –

Fractional CIO / vCISO — Open Door Advisory

Advisory practice serving boards, CEOs, and technology leaders at regulated institutions navigating AI adoption and security modernization.

DIR
2015 – 2020

VP of Technology — Regional Technology Consulting Firm

Led the firm's consulting and implementation practice, delivering technology solutions to large institutions across the region.

ENG
1999 – 2015

Founder & Systems / Network Engineering

Founded a regional ISP in 1999; held a range of systems and network engineering roles — the hands-on infrastructure foundation the rest was built on.

01 / OPERATING PRINCIPLES

How I think about technology leadership

PRINCIPLE 01

Governance is an operating discipline, not a compliance deliverable.

Frameworks like CSF 2.0 and AI RMF are useful when they describe what you're already doing — not when they're the reason you're doing it. I build governance into operations first, then document it for examiners.

PRINCIPLE 02

The vendor doesn't own your risk model.

Every third-party AI tool that touches member data, employee workflow, or core systems creates accountability that no BAA or SOC 2 fully transfers. Someone on your team has to understand the model, the data flow, and the failure modes.

PRINCIPLE 03

Speed and safety are a tradeoff you make explicitly or by default.

Regulated institutions move slower than the AI market. That's not a failure — it's a constraint that has to be managed consciously. "Move fast" is a choice with exam and member consequences. So is "wait."

PRINCIPLE 04

The best security posture your budget can buy is still a human judgment problem.

Tools don't run programs. People do. I invest in the decision-making capacity of my team before I invest in the next platform — because every tool eventually requires someone to interpret its output under pressure.

Ready to work together?

Advisory engagements start with a 30-minute scoping call — no pitch deck, no pre-work required. Just a direct conversation about what you're trying to solve.