Ami Heines

AI security & governance for regulated industries

Ami Heines

AI security & governance

I make your AI systems safe to ship — and able to survive an audit.

Companies are shipping AI faster than they can govern it — in Grant Thornton’s 2026 survey, 78% of leaders weren’t confident they could pass an independent AI-governance audit within 90 days. That’s the gap I close: guardrails and hard limits on live LLM apps and agents, tamper-evident audit trails that stand up to a regulator, and the EU AI Act / ISO 42001 controls behind them. Thirty years building the systems regulated industries can’t afford to get wrong — I design it, build it, and can run it.

  • Building software since 1993
  • CISOteria — GRC SaaS architect (7 yrs)
  • National Cyber Directorate GRC portal — backend lead
  • Flixel founder · 7 patents
  • IDF Major (ret.)
  • EOSIO StackExchange — #11 globally
  • B.Sc. Math & Physics, TAU

What I do

AI security & governance

Guardrails and hard limits for live LLM apps and agents — prompt-injection and abuse defense, PII redaction, output validation, and spend caps — plus the EU AI Act / ISO 42001 controls to back them up. Built and running as Guardrail, a fail-closed AI gateway.

Audit-readiness & tamper-evident trails

The evidence an auditor, regulator, or board actually asks for: independently verifiable, tamper-evident audit trails for your AI systems and records — self-hosted, no third-party dependency. My blockchain background, pointed at AI governance.

GRC & compliance engineering

Seven years as backend architect for CISOteria (GRC / compliance SaaS) and the Israel National Cyber Directorate portal. I turn regulatory obligations into working, enforced controls — not slideware.

Fractional architect for regulated SaaS

Multi-tenant SaaS, API and data-layer design, legacy modernization, containerization — owned end to end. Available as a fractional architect when you need senior ownership, not just hands.

Selected work

CISOteria

CISOteria

Security-compliance (GRC) SaaS · backend architect, 2019–present

Multi-tenant CISO / compliance platform on AWS Marketplace. I own the API, data model, and architecture — Node.js + a modernized PHP core, MariaDB / Redis / Docker, vulnerability dashboards and analytics, SSO / SAML.

CISOteria — asset risk graph (D3)

CISOteria — asset risk graph (D3)

Compliance data-viz · D3.js hierarchy

A D3 hierarchy I built for CISOteria: an asset’s risk score traced down to the systems and infrastructure it depends on — colour-coded by risk, so the weakest link is obvious.

Israel National Cyber Directorate — GRC portal

Israel National Cyber Directorate — GRC portal

grc.cyber.gov.il · built at CISOteria · backend lead

The Israel National Cyber Directorate’s governance-risk-compliance portal, powered by CISOteria (“Cyber OS”). I led most of the backend and built parts of the front end.

IMS — interactive weather map

IMS — interactive weather map

Israel Meteorological Service · front-end / data-viz

Map-overlay work I contributed to the Israel Meteorological Service (ims.gov.il) — data overlays on their interactive synoptic forecast maps.

ChainVault

ChainVault

Private-blockchain deal room

Tamper-proof real-estate closing platform with on-chain wire-fraud prevention — a 4-node Antelope / BFT chain and a client-side-encrypted document vault.

Verarta

Verarta

Art provenance on a private chain

Immutable provenance records for artworks — no third-party dependency, full audit trail.

Smallest Business

Smallest Business

Cloud & AI-cost engineering

My consultancy and a daily learn-in-public series on cutting cloud bills and controlling AI spend.

More from me

Controlling the AI you can’t fully trust — its cost, its abuse, and its compliance.

I write near-daily about the practical side — cutting cloud bills and keeping AI spend and abuse under control — at smallestbusiness.com . Get the posts by email, or read them there.

Or read at smallestbusiness.com →

Not sure where your AI exposure is? Start small: a fixed-price AI Security & Audit-Readiness Teardown — a written read on what’s exposed and what to fix first. Or book a call and tell me what you’re building.

View CV / résumé