Ami Heines

AI security & governance architect — securing, gating, and governing AI and cloud systems for regulated industries

Ami Heines

AI Security & Governance Architect

I secure, govern, and run the systems companies can’t afford to get wrong — now including their AI.

AI security and governance, backend architecture, and tamper-proof audit trails for regulated industries: guardrails and hard spend caps for LLM apps and agents, GRC / compliance platforms, and self-hosted infrastructure I run myself. Three decades shipping software end to end — and I still write the code.

  • Building software since 1993
  • CISOteria — GRC SaaS architect (7 yrs)
  • National Cyber Directorate GRC portal — backend lead
  • Flixel founder · 7 patents
  • IDF Major (ret.)
  • EOSIO StackExchange — #11 globally
  • B.Sc. Math & Physics, TAU

What I do

AI security & governance

Guardrails for LLM apps and agents: prompt-injection and abuse defense, hard spend caps, PII redaction, output validation, and audit trails — mapped to EU AI Act / ISO 42001 controls. Built as Guardrail, a fail-closed AI gateway. (smallestbusiness.com)

GRC & compliance engineering

Seven years as backend architect for CISOteria (GRC / compliance SaaS) and the Israel National Cyber Directorate portal. I turn regulatory obligations into working, enforced controls — not slideware.

Backend & full-stack architecture

Multi-tenant SaaS, API and data-layer design, legacy modernization, containerization — owned end to end, for regulated industries. Data visualization when the data needs to be legible (D3.js, React).

Tamper-proof audit trails

Immutable, independently verifiable audit logs and evidence — self-hosted BFT chains, no third-party dependency. Wire-fraud prevention (ChainVault), art provenance (Verarta), and verifiable records for AI systems.

Selected work

CISOteria

CISOteria

Security-compliance (GRC) SaaS · backend architect, 2019–present

Multi-tenant CISO / compliance platform on AWS Marketplace. I own the API, data model, and architecture — Node.js + a modernized PHP core, MariaDB / Redis / Docker, vulnerability dashboards and analytics, SSO / SAML.

CISOteria — asset risk graph (D3)

CISOteria — asset risk graph (D3)

Compliance data-viz · D3.js hierarchy

A D3 hierarchy I built for CISOteria: an asset’s risk score traced down to the systems and infrastructure it depends on — colour-coded by risk, so the weakest link is obvious.

Israel National Cyber Directorate — GRC portal

Israel National Cyber Directorate — GRC portal

grc.cyber.gov.il · built at CISOteria · backend lead

The Israel National Cyber Directorate’s governance-risk-compliance portal, powered by CISOteria (“Cyber OS”). I led most of the backend and built parts of the front end.

IMS — interactive weather map

IMS — interactive weather map

Israel Meteorological Service · front-end / data-viz

Map-overlay work I contributed to the Israel Meteorological Service (ims.gov.il) — data overlays on their interactive synoptic forecast maps.

ChainVault

ChainVault

Private-blockchain deal room

Tamper-proof real-estate closing platform with on-chain wire-fraud prevention — a 4-node Antelope / BFT chain and a client-side-encrypted document vault.

Verarta

Verarta

Art provenance on a private chain

Immutable provenance records for artworks — no third-party dependency, full audit trail.

Smallest Business

Smallest Business

Cloud & AI-cost engineering

My consultancy and a daily learn-in-public series on cutting cloud bills and controlling AI spend.

I write more often at smallestbusiness.com

My main blog lives there — near-daily posts on cutting cloud bills and controlling AI / LLM spend. This site keeps the occasional longer piece; the frequent writing is over there.

Read smallestbusiness.com

Available for short- and long-term engagements. If your infrastructure is something you can’t afford to get wrong, let’s talk.