Twelve years architecting application and platform security across Canada's banks, capital markets, telecoms, and government. Now helping enterprises ship AI capability — without shipping the risk.
Threat modeling for RAG pipelines, agentic systems, and fine-tuned models. Securing the MLSecOps lifecycle: data provenance, secure training environments, model signing, deployment verification, and runtime drift & abuse detection.
Building DevSecOps capability from the ground up: SAST, SCA, DAST, IaC scanning, secrets management, container security, and Copilot governance — integrated into CI/CD without slowing teams down. Security Champion programs that actually stick.
Azure AI Foundry, Microsoft Fabric, Databricks, AWS SageMaker & Bedrock, GCP. Kubernetes and OpenShift hardening, service mesh, Zero Trust, and policy-as-code with OPA and Kyverno across multi-cloud platforms.
Translating frameworks into working controls — not binders. FedRAMP authorization paths, NIST 800-53, ISO/IEC 27001 and 42001, PCI DSS, SOC 2, and HIPAA, designed into the architecture rather than retrofitted after audit.
My graduate research at Concordia focused on epistemic uncertainty in AI — the known-unknown problem. The question of how to build models that recognize the limits of their knowledge and abstain, rather than fabricate.
The same instinct shapes how I approach security engagements. Threat models are exercises in mapping the unknown. Architectures earn trust through restraint, not performance. The controls that matter most are the ones that fail safely.
I work as an embedded architect, not a deck-deliverer. The deliverable is a system that holds up under load, under audit, and under adversarial scrutiny — designed with the people who'll run it, in the platforms they actually use.