About the team
ShadowLock Team & Editorial Process
Our blog posts are published under the "ShadowLock Team" byline because that's how they are actually made: collaboratively, by team members across security engineering, compliance, and customer-facing work. This page describes who we are, how we produce our content, and the sources we cite.
Team expertise
Where our credibility comes from
ShadowLock is built and operated by people with direct, hands-on experience in the disciplines our content covers. The team's collective expertise spans four areas:
Security engineering
Backgrounds across endpoint security, EDR development, and managed detection at MSPs serving regulated industries (healthcare, financial services, government contractors). Direct experience with NTFS-level controls, browser extension architecture, and clipboard-layer detection.
Compliance and audit
Working knowledge of SOC 2 Type II, HIPAA Security Rule, GDPR (including post-Schrems II transfer mechanisms), and PCI-DSS as applied to AI tool usage. Coordination with audit firms across multiple Type II observation windows.
MSP delivery
Direct experience operating multi-tenant security platforms across SMB and mid-market client books. Familiar with the major RMM platforms (Datto, ConnectWise, NinjaOne, Kaseya, N-able) and the operational patterns of AI governance delivery as a managed service.
Product and AI tool ecosystem
Continuous tracking of the AI vendor landscape: OpenAI, Anthropic, Google, Microsoft, GitHub Copilot, and the long tail of niche AI tools. Direct review of enterprise terms, DPAs, and data handling practices across the major vendors.
Editorial principles
How our content is made
Cite sources by name and link
Every statistic, framework reference, or third-party claim links to its source: Gartner, NIST, Microsoft Work Trend Index, IBM, HHS, EU Commission, ISO. If we can't cite it, we don't publish it.
Ground in customer telemetry where appropriate
Patterns we describe are drawn from aggregated, anonymized telemetry across ShadowLock customer environments, not theoretical examples. When we say "we see this pattern," we mean we have measured it.
No vendor-sponsored content
No paid placements. No "sponsored by" arrangements. Vendor comparisons are written as honestly as we can. We name our own trade-offs and constraints explicitly.
Refresh on a stated cadence
Buyer's guides and statistics posts are reviewed at least annually, and updated more frequently when the underlying landscape changes materially. Every post displays its publication date.
Defer to legal counsel on compliance specifics
Posts covering HIPAA, SOC 2, GDPR, and cyber insurance describe patterns and frameworks. They are not legal advice. We explicitly recommend legal review before any organization adopts a specific control or interpretation.
Primary sources
The sources we cite
Our blog and research content cites authoritative primary sources by name and links to them directly. The most frequently referenced sources across our content:
- Gartner: survey research on shadow AI and AI governance among security and risk leaders
- Microsoft Work Trend Index: annual workplace AI adoption research
- Cyberhaven: endpoint research on sensitive data flowing to AI tools
- IBM Cost of a Data Breach Report: annual breach economics research
- NIST AI Risk Management Framework: US federal framework for AI risk
- ISO/IEC 42001: international standard for AI management systems
- US HHS HIPAA guidance: Privacy Rule and Security Rule reference
- EU AI Act: European regulation of AI systems
- EU-US Data Privacy Framework: post-Schrems II transfer framework
- Aggregated, anonymized ShadowLock customer telemetry, marked clearly when cited as a source
Editorial corrections
Found a factual error?
We do our best to fact-check before publishing, but errors happen and the AI vendor landscape changes quickly. If you spot a factual error, an outdated statistic, or a citation that needs updating, please tell us. We treat editorial corrections as a priority and will update the post with a brief note.
Frequently asked
About our editorial process
Why does ShadowLock publish content under a team byline rather than individual authors?
Our content is produced collaboratively by team members across security engineering, compliance, and customer success. Individual posts often pass through review by multiple team members before publication. Attributing collective work to a single named author would misrepresent how the content is actually made. The team byline reflects the editorial reality.
What sources does ShadowLock cite?
Primary sources only: Gartner research, the Microsoft Work Trend Index, Cyberhaven endpoint research, IBM Cost of a Data Breach Report, NIST AI Risk Management Framework, ISO/IEC 42001, US HHS HIPAA guidance, the EU Commission on the AI Act and Data Privacy Framework, and aggregated anonymized ShadowLock customer telemetry. Where we cite our own data, we mark it clearly.
Does ShadowLock accept guest contributions or sponsored content?
No. All ShadowLock published content is produced in-house. We do not accept paid placements, sponsored posts, link insertions, or guest contributions. This keeps the editorial position honest about competitors and trade-offs.
How often is content reviewed and updated?
Buyer's guides and statistics posts are reviewed annually at minimum, more frequently when the underlying landscape changes. Foundational guides (definitions, frameworks) are reviewed annually. Every post displays its publication date; significant updates are noted inline.
How can I get in touch with the ShadowLock team?
For product questions, the fastest path is the contact form. For press inquiries, suggested corrections to published content, or research collaboration, the email address is published on the contact page. We respond to editorial corrections promptly.
Want to talk to the team?
Press inquiries, editorial corrections, research collaboration, or product questions. We read every email.