Portfolio

Whitepapers, novel research, and selected engagements.


Engagements

E1. Security Advisor to Microsoft AI Office of the CEO. Security Advisor across the Microsoft AI portfolio (Bing, Copilot, Edge, MSN) covering AI security, privacy, and systemic risk. The work yielded Microsoft AI patent leadership and Model Context Protocol security improvements adopted across internal and partner integrations, and shaped the long-term vision for product security. 2026-Present.

E2. Security Due Diligence for AI Infrastructure Company. Security fitness assessment for General Availability across business model, infrastructure, and product lines. The architectural alignment also produced ROI gains by routing latency-tolerant inference and training to remote regions with co-located partial data sets, capturing spare compute capacity at lower cost rates. 2026-Present.

E3. Product Research for Security Hardware Device. A large firm based in Japan asked for a solution to keep software within their ecosystem without collecting any personal information from customers. A custom solution was built using Microchip AT97SCx class products for both I2C and SPI interfaces. The product line is now in its second generation with the same solution. 2016.


Whitepapers

P1. Dynamic Security Control Sets for AI-Agent Tool-Chains Using Most Restrictive Set Composition. Tools can be added to agentic ecosystems without per-combination threat modeling, even under combinatorial growth, by attaching policies to each tool and then compositing a control set based on execution contexts. Empirical evaluation across 120 tools.

What it enables. Production deployment of multi-tool agentic systems without exponential governance cost. Every tool invocation authorizes against the intersection of all contributing policies (catalog, tenant, engagement); adding a tool can only tighten the authorization envelope. Operators tune control strictness by context: high-assurance deployments use narrow control sets that block more chains; exploratory deployments use broader sets that admit more tools at the cost of higher residual risk. The framework provides both authorization composition and emergent-failure detection, the two properties required for safe agentic deployment at production scale.

P2. Separable Expert Architecture for Privacy-Preserving Model Personalization. Per-user model personalization through device-bound LoRA adapters, expert routing bias vectors, and steering vectors. Trains personalized models without ingesting user data into the base model weights; supports GDPR compliance and data-residency requirements; preserves personalization quality through DPO-trained per-user adapters at rank 4, 16, and 20.

What it enables. Personalization at scale where the base model never ingests user data. Per-user adapters are device-bound and trained on the user's own preference signal; the base model trains on generic corpora only from a collection of LoRAs. Aligns with GDPR right-to-erasure by construction: deleting a user's proxy removes the personalization without retraining the base. Compatible with mixture-of-experts deployments and supports per-tenant or per-region adapter isolation for data-residency regimes.

P3. Verifiable Semantics for Agent-to-Agent Communication. Microsoft AI & Wabash College. 2026. Link. Featured by Mustafa Suleyman, CEO, MAI.

Certification protocol that tests two agents on shared observable events and admits only terms with statistically reliable agreement into a certified core vocabulary, restricting downstream reasoning to that core. Reduces agent disagreement by 72 to 96 percent in simulation and 51 percent on fine-tuned language models; logs every certification decision to a public ledger for third-party audit; supports drift detection through recertification and vocabulary recovery through renegotiation.

What it enables. An auditable foundation for agent-to-agent communication in production environments. Every certification decision is logged in a public ledger that third parties can independently verify. Operators tune the protocol to their risk profile: safety-critical contexts use strict thresholds, yielding a smaller certified vocabulary with higher confidence in alignment; exploratory contexts use relaxed thresholds, yielding a larger vocabulary with more tolerance for residual disagreement. The framework provides both auditability and reproducibility, the two properties required for reliable multi-agent deployments at scale.


Patents

PAT1. Application Firewalls Based on Self-Modeling Service Flows. US Patent 11,831,608 (NVIDIA). Machine-learning firewall that learns per-application service flow schemas, intercepts inbound service inputs, and predicts whether each input will produce an anomalous status response before allowing it through. 2023.

PAT2. Semantic DeepFake Prevention via Sensor Noise and Tamper-Evident Streams. Distinguishes camera-captured from synthesized imagery using the noise signature of the originating image sensor, bound to a tamper-evident chain that survives standard image processing operations. Allows downstream verifiers to detect manipulated or synthetic content without trusting the capturing device. 2024.

PAT3. Dynamic Safety Filters. Patent application pending (Microsoft AI). Model-side attention activations and embedding similarity used to identify policy-relevant patterns across user inputs, cluster related violations, and generalize safety decisions beyond exact string matches. The filter dynamically detects semantically similar unsafe requests, applies context-aware blocking or routing, and updates enforcement boundaries based on learned violation clusters rather than static keyword rules. 2025.

PAT4. Ephemeral Proxy Artifacts in Machine Learning Models. Patent application pending (Microsoft AI). Per-user LoRA adapters combined with expert routing bias and steering vectors, generating personalized model output while keeping user data outside the base model weights. 2026.