AI Security & Governance

Joao Coelho

Security Architect — AI Governance & GRCI work on making AI-agent security practical — turning frameworks like the NIST AI RMF, ISO/IEC 42001, and the EU AI Act into controls that teams can actually implement. Currently finishing my master's and building in the open.

Selected Work

MAY 2026 · FREE REFERENCE

NIST AI RMF → Agent Controls Mapping

A control reference for tool-using LLM agents and MCP-based deployments. The NIST AI RMF tells you the outcome to aim for — it doesn't tell you the control. This document pairs all 72 subcategories with concrete controls for AI agents that act in production, plus the evidence a security reviewer will actually ask for.

All four functions · 72 subcategories · CC BY 4.0

Read the mapping

View on Github

Writing

Articles forthcoming as I publish through my master's program — follow on LinkedIn

LinkedIn Profile

about

I'm a security architect focused on AI governance and GRC. My work sits between the policy layer — NIST AI RMF, ISO/IEC 42001, EU AI Act, SOC 2, CAIQ — and the engineering layer where AI agents actually run. The thing I find most interesting is the gap between the two: frameworks rarely say what a control looks like when an agent can call tools, reach MCP servers, and act in production.I'm finishing my master's and treating this as a practice in public. The published work here is what I'm building as I go. I'd rather ship something useful and let smarter people tell me where it's thin than wait until I feel like an expert to start.
If you're working on similar problems — vCISO, security architect, GRC lead at a SaaS company shipping AI — I'd like to hear from you.CISSP candidate, PMP holder. Based in Reston, VA. Currently Senior Associate, Security Engineering and Management at AIG.

Contact

Email: [email protected]
LinkedIn: https://www.linkedin.com/in/joaocoelho1/
For research collaborations, speaking, or advisory inquiries: get in touch by email.