Work & Systems
A deep dive into the platforms and infrastructure I've architected to enable organizations to scale securely.
Platform Engineering
GitOps-first multi-cloud platform
Normalized app delivery across clouds with tenant-aware namespaces, promotion pipelines, and SLOs baked into templates.
"Blast radius alignment is a delivery problem, not just a security one."
The Challenge
When scaling beyond a handful of teams, ad-hoc deployment scripts and manual AWS/GCP console clicks become the biggest bottleneck to engineering velocity and the primary source of operational friction.
The Approach
I designed a multi-tenant platform using the ArgoCD, Kustomize, and Helm stack to completely normalize how applications are delivered, regardless of whether they target AWS EKS or GCP GKE.
- Established strict tenant-aware namespaces with hard quotas and network policies enforced by default.
- Built automated promotion pipelines that enforce blast radius containment and risk alignment before production rollouts.
- Embedded operational readiness—standardized logging, metrics, and SLO definitions—directly into the base deployment templates.
AI Orchestration & Security
Agentic AI & Workflow Guardrails
Architecting sandbox environments and secure IAM scopes for autonomous coding and orchestration agents, ensuring safe execution of LLM-generated workflows within enterprise guardrails.
"AI agents without strict identity boundaries and network sandboxing are a devastating compliance risk waiting to happen."
The Challenge
Autonomous AI agents and tools like OpenDevin, Cursor, and n8n bring immense leverage but introduce massive security and stability risks if given unrestricted access to production environments or over-privileged tokens.
The Approach
I'm exploring the architecture required to securely host and execute Agentic AI workflows at enterprise scale.
- Designing secure execution sandboxes on Kubernetes to isolate LLM-generated code execution.
- Mapping strict OAuth2 scopes and Zanzibar-style relationship based permissions to autonomous agents acting on behalf of users.
- Providing robust identity solutions for machine-to-machine interactions between workflow orchestrators and edge endpoints.
Identity & Tenancy
Open-source IAM replacing AWS Cognito
Replaced managed identity with open-source IAM — auth boundaries that survive org growth, audits, and SSO complexity.
"Cost and lock-in tradeoffs should be made explicit before you're three years in."
The Challenge
Managed identity providers like AWS Cognito often fail to scale gracefully when business requirements evolve to require complex B2B multi-tenancy, custom enterprise SSO integrations, and fine-grained authorization rules.
The Approach
I led the architecture and migration away from restrictive managed services toward an open-source, API-first identity stack using the ORY ecosystem (Hydra, Kratos, Keto).
- Modeled and implemented strict auth boundaries and token flows that isolated tenants cryptographically and survived rigorous compliance audits.
- Built predictable self-service onboarding flows for new applications integrating into the identity platform.
- Decoupled authentication from authorization, allowing for highly complex, relationship-based access control (Zanzibar model) using Keto.
Reliability & Operations
Platform reliability guardrails
Paved-road patterns and pre-flight checks so platform changes ship fast without breaking security or compliance.
"Guardrails beat gates. Teams self-serve when the path is obvious."
The Challenge
Security and compliance gates traditionally slow down platform teams. Attempting to review every change manually results in alert fatigue and delayed releases.
The Approach
I implemented a "paved-road" philosophy, replacing manual approval gates with automated guardrails embedded directly into the developer workflow.
- Introduced Open Policy Agent (OPA) to enforce security checks, identity standards, and required secrets configurations as pre-flight checks in CI.
- Co-owned Service Level Objectives (SLOs) and incident runbooks with product engineering teams, shifting from opaque platform operations to shared responsibility.
- Documented all cost and reliability trade-offs using Architecture Decision Records (ADRs) to ensure long-term visibility.