AI Security & Governance

Joao Coelho

Security Architect — AI Governance & GRC

I work on making AI-agent security practical — turning frameworks like the NIST AI RMF, ISO/IEC 42001, and the EU AI Act into controls that teams can actually implement. Currently finishing my master's and building in the open.

Selected Work

MAY 2026 · FREE REFERENCE

NIST AI RMF → Agent Controls Mapping

A control reference for tool-using LLM agents and MCP-based deployments. The NIST AI RMF tells you the outcome to aim for — it doesn't tell you the control. This document pairs all 72 subcategories with concrete controls for AI agents that act in production, plus the evidence a security reviewer will actually ask for.

All four functions · 72 subcategories · CC BY 4.0

JUNE 2026 · FREE REFERENCE

Threat Model: Tool-Using LLM Agent

A STRIDE threat model for a reference tool-using / MCP-based agent. Nineteen enumerated threats — across spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege — each with a primary mitigation and a worked residual-risk score. Every threat is traced to the NIST AI RMF, the SANS Critical AI Security Guidelines v1.4, and the OWASP Top 10 for Agentic Applications, and anchored to real 2025 incidents (EchoLeak, the GitHub MCP exploit, Gemini memory poisoning, the Replit production-DB deletion).

STRIDE · 19 threats · NIST / SANS / OWASP-mapped · CC BY 4.0

Writing

Articles forthcoming as I publish through my master's program — follow on LinkedIn

About

I'm a security architect focused on AI governance and GRC. My work sits between the policy layer — NIST AI RMF, ISO/IEC 42001, EU AI Act, SOC 2, CAIQ — and the engineering layer where AI agents actually run. The thing I find most interesting is the gap between the two: frameworks rarely say what a control looks like when an agent can call tools, reach MCP servers, and act in production.

I'm finishing my master's and treating this as a practice in public. The published work here is what I'm building as I go. I'd rather ship something useful and let smarter people tell me where it's thin than wait until I feel like an expert to start.
If you're working on similar problems — vCISO, security architect, GRC lead at a SaaS company shipping AI — I'd like to hear from you.
CISSP candidate, PMP holder. Based in Reston, VA. Currently Senior Associate, Security Engineering and Management at AIG.

Contact

Email: [email protected]
LinkedIn: https://www.linkedin.com/in/joaocoelho1/
For research collaborations, speaking, or advisory inquiries: get in touch by email.

© 2026 Joao Coelho. Personal site — views are my own.