Michel Hjazeen

Agentic AI Security Architect

I secure the autonomous systems most organizations haven't built defenses for yet.

Certification programs across security, privacy, AI governance & risk

Financial supervisory bodies engaged directly

€4B+

In M&A transaction value secured through due diligence

Trusted by global leaders in enterprise software, commerce technology, and Tier-1 AI research. Track record spanning systemically important banks, blockchain & crypto ecosystems, global semiconductor leaders, Fortune 500 industrials, and high-growth fintechs scaling from Series A to IPO.

Systemically Important Banks
Blockchain & Crypto
Global Semiconductors
Fortune 500 Industrials
High-Growth Fintechs
Series A → IPO

MBA · CISSP · CISM · CRISC · CDPSE · ISO 27001 LA · ISO 42001 LI

The Arc of Expertise

01

Foundation

Audit & Assurance at Scale

Full-population analytics across 100+ entities — before the industry caught up

Most audit teams still sample. I stopped sampling years ago. Built full-population data analytics programs that replaced legacy tick-and-tie with continuous insight — across continents, regulatory regimes, and entity structures that would break most frameworks. When you've designed assurance for 100+ affiliates simultaneously, you develop an instinct for where controls actually fail versus where they just look weak on paper. That instinct doesn't come from certifications. It comes from volume.

Full-Population Testing · Continuous Assurance · Data Analytics · Risk-Based Audit · SOX · IT Audit

Regulatory Navigation

Six supervisory bodies. Six different ways to say "prove it."

FINMA doesn't think like BaFin. MAS doesn't care about the same things as HKMA. I've sat across the table from all of them — not as a consultant briefing from slides, but as the person who had to make the answers hold up under scrutiny. That kind of exposure builds a regulatory instinct that makes navigating anything from the EU AI Act to DORA feel like pattern recognition, not panic.

FINMA · BaFin · MAS · HKMA/SFC · APRA/ASIC · Supervisory Engagement

Governance Architecture

Control frameworks that survive contact with reality

There's a version of governance that looks perfect in a policy document and collapses the moment engineering ships a feature. I've spent my career designing the other kind — frameworks that work across privacy, financial controls, and operational domains without becoming the reason a startup misses its window. From first audits to multi-jurisdictional enterprises, the principle is the same: governance should be infrastructure, not friction.

Internal Controls · Privacy & Data Protection · Governance Design · Operational Excellence · Multi-Jurisdictional Compliance

Customer Trust & Revenue

Security that closes deals, not just tickets

Figured out early that a SOC 2 report isn't just a compliance artifact — it's a sales weapon. Built the playbooks for turning certifications, audit reports, and security posture into the reason enterprise buyers pick you over the competitor. Led customer-facing security assessments, supported due diligence on both sides of the table, and built trust architectures where security wasn't just defending the product — it was the product's competitive edge.

Sales Enablement · ARR Growth · Customer Trust · Security Reviews · Due Diligence · Competitive Moat

02

Enterprise Security

Security Program Architecture

Built 0-to-1 security programs for startups, scaleups, and enterprises alike

Architected security programs from blank pages across every company stage — helping startups and scaleups with limited capacity build pragmatic, audit-ready security from day one, and designing ISMS frameworks for larger organizations. Embedded security and privacy by design into product development, led threat modeling across application and infrastructure layers, and built programs that scale with the organization rather than against it.

Security by Design · Privacy by Design · Threat Modeling · ISMS Architecture · Startups & Scaleups · Team Scaling · BCP/DR

Certification & Assurance

Delivered 18 certification programs across ISO, SOC 2, TISAX, and HIPAA

End-to-end ownership of certification programs across the full spectrum — ISO 27001, 22301, 27701, SOC 2 Type I/II, SOC 3, TISAX, and HIPAA. Built GRC automation pipelines that eliminate audit fatigue, achieved multiple consecutive clean SOC 2 Type II cycles, and engineered each certification as a strategic asset, not a checkbox.

ISO 27001 · ISO 22301 · ISO 27701 · SOC 2 Type II · SOC 3 · TISAX · HIPAA · GRC Automation

Security-Driven Growth

Transformed GRC from cost center to revenue accelerator and competitive moat

Repositioned security and compliance as the differentiator that unlocks deals, accelerates pipeline velocity, and defends market position — whether helping a scaleup close its first enterprise contract or strengthening an established company's competitive posture. SOC 2 reports became sales collateral. Security became the answer to "why us." Every audit cycle became proof of operational excellence that drives ARR.

Revenue Acceleration · Deal Enablement · Startups & Scaleups · Competitive Positioning · M&A Security

Incident Response & Crisis Management

When the breach hits, playbooks matter more than panic

Designed incident response programs that actually work under pressure — not the kind that sit in a SharePoint folder until someone panics. Built tabletop exercises that stress-test response capabilities against realistic scenarios, created crisis communication playbooks that keep stakeholders informed without creating new problems, and established post-incident review processes that turn every incident into structural improvement. The organizations that recover fastest aren't the ones with the best technology — they're the ones that rehearsed.

Incident Response · Crisis Management · Tabletop Exercises · BCP/DR · Playbook Design · Post-Incident Review

03

AI Governance

AI Governance Frameworks

Operationalized end-to-end AI governance aligned with ISO 42001 and NIST AI RMF

Designed and operationalized comprehensive AI governance from policy through execution — establishing AI Committees, building AI Impact Assessment processes, and creating governance structures that scale from research prototypes to production deployments. Built the organizational infrastructure for responsible AI at enterprise scale.

ISO 42001 · NIST AI RMF · AI Committees · AI Policy · Responsible AI · AI Impact Assessment

AI Risk & Lifecycle Security

Embedded security across the full AI SDLC from training data to decommissioning

Built AI security into every stage of the lifecycle — training data governance, model development security, deployment controls, runtime monitoring, and decommissioning protocols. Designed model risk management frameworks and AI-specific threat models addressing prompt injection, data poisoning, and adversarial robustness.

AI SDLC · Model Risk Management · AI Threat Modeling · Training Data Governance · Prompt Injection · Adversarial ML

AI Regulatory Strategy

Led readiness programs for EU AI Act, NIS2, DORA, and emerging AI regulation

Navigated the evolving AI regulatory landscape — translating EU AI Act requirements into actionable compliance roadmaps, advising leadership on strategic positioning, and building compliance architectures designed to absorb regulatory changes without operational disruption.

EU AI Act · NIS2 · DORA · Regulatory Strategy · Compliance Architecture · AI Classification

AI Organizational Governance

Governance that lives in the org chart, not just the policy manual

Stood up AI Committees and governance bodies that actually influence product decisions — not rubber-stamp review boards that meet quarterly and approve everything. Designed reporting structures, escalation paths, and decision frameworks that give the right people authority over the right risks at the right time. When AI governance works, engineering teams don't feel policed — they feel equipped.

AI Committees · Organizational Design · Decision Frameworks · Stakeholder Alignment · Governance Integration · Cross-Functional Governance

04

Agentic Frontier

Agentic Security Architecture

Designing security for autonomous systems that act without human approval

Architecting security frameworks for the agentic AI era — where systems operate independently, chain tools, and take consequential actions at machine speed. Designing permission models, building agent-specific threat models for tool poisoning, goal hijacking, and action escalation, and creating defense architectures that preserve oversight without destroying utility.

Agentic Security · Agent Threat Modeling · Permission Models · Tool Poisoning · Goal Hijacking · Action Escalation

AI Red Teaming & Safety

Breaking AI systems so the adversaries don't have to

Running adversarial evaluations against LLMs and agentic systems — prompt injection, jailbreaking, goal hijacking, tool misuse, and the attacks that don't have names yet. This portfolio site is a live demonstration: the embedded AI assistant is hardened against adversarial inputs, and visitors are invited to test its defenses. Red teaming isn't a phase you schedule before launch — it's a continuous discipline that shapes how trustworthy AI actually becomes.

AI Red Teaming · Adversarial Testing · Prompt Injection · Safety Evaluation · Jailbreak Testing · Continuous Red Team

Autonomous Compliance

Building compliance frameworks for systems regulators haven't written rules for yet

Developing compliance architectures for autonomous AI decision-making — audit trails that capture machine-speed decisions, accountability frameworks for systems no regulation specifically addresses, and governance structures that remain effective as agents grow more capable. Today's design decisions become tomorrow's regulatory precedents.

Autonomous Compliance · Audit Trails · Machine-Speed Governance · Accountability Frameworks · Regulatory Precedent

Strategic Leadership

Board advisory, M&A security, and building programs for AI-native companies

Advising boards on governance strategy for a world shaped by autonomous AI. Leading M&A security workstreams, building security programs for AI-native companies where the product is the risk surface, scaling teams, and positioning security as a strategic board-level function.

Board Advisory · M&A Security · AI-Native Programs · Security Culture · Team Scaling · Strategic Governance

Projects & Impact

Security · M&A Advisory

€4B+

Transaction value secured

M&A Security & Privacy Due Diligence

Most M&A security due diligence is a checklist exercise that surfaces findings too late to influence the deal. I've led security workstreams across enterprise SaaS, global FMCG, and fintech transactions — on both sides of the table — where findings shaped deal terms, integration timelines, and go/no-go decisions at the board level. €4B+ in transactions where security wasn't an afterthought.

Due Diligence · ISMS Assessment · Risk Quantification · Post-Acquisition Roadmap · Multi-Jurisdictional

AI · Governance

Top 40

Globally — pioneering AI governance certification

AI Governance

AI governance is where compliance was 15 years ago — everyone knows they need it, nobody agrees on what it looks like. I've been in the room where these frameworks get built, not just adopted. Designed AI risk methodologies, impact assessments, and governance structures that earned one of the first 40 certifications globally under the leading international AI management standard. This isn't theoretical — it's operational, audited, and certified.

AI Risk Management · AI Impact Assessments · Governance Frameworks · Regulatory Readiness

Security · Business

5+

Consecutive clean audit cycles

Enterprise Governance, Risk and Compliance Transformation

The dirty secret of GRC is that most programs exist to pass audits, not to actually reduce risk. I've built GRC programs from zero across multiple SaaS companies — the kind that deliver consecutive clean audits not because we crammed before the assessment, but because the controls were baked into how the company actually works. The result: security became the reason enterprise buyers chose the product over the competitor.

SOC 2 · ISO 27001 · ISO 22301 · ISO 27701 · TISAX · Sales Enablement

AI · Security

LIVE

Hardened AI running on this site

AI Red Teaming Lab

The AI assistant on this site isn't a chatbot — it's a live security demonstration. Hardened against prompt injection, jailbreaking, and data exfiltration. You're welcome to try to break it. That's the point.

Prompt Injection Defense · LLM Safety · Red Teaming

Technical · Security

Faster audit preparation

Automated Compliance Pipeline

Audit prep used to take weeks of manual evidence gathering and screenshot collecting. I built automation pipelines that do it in hours — using Python and AI to map controls across frameworks, pull evidence programmatically, and flag gaps before the auditors arrive. The teams I've built these for don't dread audit season anymore.

Python · NLP · Automation · Evidence Collection

Security · Regulatory

3

Major EU frameworks operationalized

EU Regulatory Strategy

The EU AI Act, NIS2, and DORA landed almost simultaneously — and most companies froze. I built the implementation roadmaps that turned regulatory panic into structured execution: clear ownership, realistic timelines, and milestones that boards could actually track. Compliance isn't a mystery — it's a project plan.

EU AI Act · NIS2 · DORA · Compliance Roadmaps

Let's talk.

Working on something interesting in AI security? Building a governance program? Just want to exchange ideas? Reach out.

Get in touch ↗