AI security & governance
I make your AI systems safe to ship — and able to survive an audit.
Companies are shipping AI faster than they can govern it — in Grant Thornton’s 2026 survey, 78% of leaders weren’t confident they could pass an independent AI-governance audit within 90 days. That’s the gap I close: guardrails and hard limits on live LLM apps and agents, tamper-evident audit trails that stand up to a regulator, and the EU AI Act / ISO 42001 controls behind them. Thirty years building the systems regulated industries can’t afford to get wrong — I design it, build it, and can run it.
- Building software since 1993
- CISOteria — GRC SaaS architect (7 yrs)
- National Cyber Directorate GRC portal — backend lead
- Flixel founder · 7 patents
- IDF Major (ret.)
- EOSIO StackExchange — #11 globally
- B.Sc. Math & Physics, TAU
What I do
AI security & governance
Guardrails and hard limits for live LLM apps and agents — prompt-injection and abuse defense, PII redaction, output validation, and spend caps — plus the EU AI Act / ISO 42001 controls to back them up. Built and running as Guardrail, a fail-closed AI gateway.
Audit-readiness & tamper-evident trails
The evidence an auditor, regulator, or board actually asks for: independently verifiable, tamper-evident audit trails for your AI systems and records — self-hosted, no third-party dependency. My blockchain background, pointed at AI governance.
GRC & compliance engineering
Seven years as backend architect for CISOteria (GRC / compliance SaaS) and the Israel National Cyber Directorate portal. I turn regulatory obligations into working, enforced controls — not slideware.
Fractional architect for regulated SaaS
Multi-tenant SaaS, API and data-layer design, legacy modernization, containerization — owned end to end. Available as a fractional architect when you need senior ownership, not just hands.
Selected work

CISOteria
Security-compliance (GRC) SaaS · backend architect, 2019–present
Multi-tenant CISO / compliance platform on AWS Marketplace. I own the API, data model, and architecture — Node.js + a modernized PHP core, MariaDB / Redis / Docker, vulnerability dashboards and analytics, SSO / SAML.

CISOteria — asset risk graph (D3)
Compliance data-viz · D3.js hierarchy
A D3 hierarchy I built for CISOteria: an asset’s risk score traced down to the systems and infrastructure it depends on — colour-coded by risk, so the weakest link is obvious.

Israel National Cyber Directorate — GRC portal
grc.cyber.gov.il · built at CISOteria · backend lead
The Israel National Cyber Directorate’s governance-risk-compliance portal, powered by CISOteria (“Cyber OS”). I led most of the backend and built parts of the front end.

IMS — interactive weather map
Israel Meteorological Service · front-end / data-viz
Map-overlay work I contributed to the Israel Meteorological Service (ims.gov.il) — data overlays on their interactive synoptic forecast maps.

ChainVault
Private-blockchain deal room
Tamper-proof real-estate closing platform with on-chain wire-fraud prevention — a 4-node Antelope / BFT chain and a client-side-encrypted document vault.

Verarta
Art provenance on a private chain
Immutable provenance records for artworks — no third-party dependency, full audit trail.
Smallest Business
Cloud & AI-cost engineering
My consultancy and a daily learn-in-public series on cutting cloud bills and controlling AI spend.
More from me
Controlling the AI you can’t fully trust — its cost, its abuse, and its compliance.
I write near-daily about the practical side — cutting cloud bills and keeping AI spend and abuse under control — at smallestbusiness.com . Get the posts by email, or read them there.
Or read at smallestbusiness.com →Not sure where your AI exposure is? Start small: a fixed-price AI Security & Audit-Readiness Teardown — a written read on what’s exposed and what to fix first. Or book a call and tell me what you’re building.