AI Architect · Governance · Secure Infrastructure
I build AI products—and the governance and infrastructure that decide whether they're safe to trust once the demo is over. Four decades of running real systems is what I bring to that second part. I work as the architect: I make the design and engineering decisions and direct AI to write the code.
Building an internal AI business-intelligence platform—it consolidates company data and produces AI-generated reports that surface what actually needs attention, with role-based access over the output.
Authoring company policy and guidance for AI use, and designing how the organization accesses LLMs safely and cost-effectively—controlled proxying and vendor strategy instead of ungoverned tool sprawl.
The foundation under both—an AI system is only as trustworthy as the boundaries, access control, and observability around it.
Architect, not implementer: I make the design and engineering decisions and direct AI to write the code—grounded in decades as an applied programmer and systems administrator.
Current AI Unit work—LLM systems I architected and built end to end, from ingestion and retrieval through access control, cost governance, and audit.
Turns the company's Slack, HR, finance, and BI data into role-scoped executive briefings and an investigative Q&A assistant for leadership. Multi-source ingestion (Slack, Tableau, BigQuery, HiBob, Google Drive) normalized into a common model; a two-stage Investigator that plans retrieval before it answers, with authority-tiered citations. A capability + data-scope authorization model gates every generated artifact, and provenance/lineage is a day-one invariant—every brief is auditable back to its inputs. Evolved from a Slack-only first version. 217 modules.
A thin LLM proxy between the whole organization and the Anthropic API—the control plane for company LLM usage. Transparent streaming data plane forwards requests and proxies Anthropic's SSE byte-for-byte. Outbound DLP scans for secrets before they leave, fail-closed, with a matched secret never reaching the logs. Key management (encryption at rest with rotation) and cost governance: per-key quotas, rate limiting, and spend reconciliation against Anthropic's Usage & Cost Admin API. RBAC with the control plane isolated from the data plane. 84 modules.
The foundation under the AI work—four decades building and securing real systems at national and multi-petabyte scale.
Designing and operating globally distributed systems. Multi-cloud environments, VPN/proxy infrastructure, high-availability with zero-downtime deployments.
Security Officer at Ukrainian Ministry of Justice—national-scale registries, information security policy. Network security architecture, access control, compliance.
Decades of authoritative and recursive DNS management at scale, with DoH/DoT/DNSSEC support and multi-layer DDoS protection.
20+ years managing email infrastructure—from UUCP era to modern systems. Deep protocol understanding, not just configuration copying.
Past work—the depth behind the architecture above, built and operated at scale.
Architected and managed distributed infrastructure serving tens of thousands of concurrent users. VPN (WireGuard, OpenVPN, IKEv2/IPsec), HTTP/HTTPS proxy systems, DNS filtering with 512K+ domains. Behavior scoring for bot detection, request coalescing, dynamic peer management.
High-performance DNS with modern protocol support. Multi-protocol (UDP/TCP, DoT, DoH), DNSSEC validation and signing, rate limiting, DNS tunneling detection, multi-layer DDoS protection.
Built OpenStack cloud infrastructure from ground up. Managed Swift storage cluster, complex network topology across 15 racks of physical and virtual servers. DDoS mitigation at scale.
Production services I designed and specified, implemented with AI—proof the method ships real systems. Ran on ~400 servers serving real traffic.
HTTP/HTTPS proxy with flexible routing—multiple upstreams, outgoing IP selection per request. Behavior scoring system for intelligent bot detection with heuristics based on connection patterns, request velocity, and TLS fingerprinting. Built-in Prometheus exporter, pluggable authentication (BasicAuth, REST API, RADIUS, ephemeral tokens), request coalescing to prevent thundering herd.
Two-component system replacing legacy PHP. bifrost-cm: Connection manager for WireGuard, OpenVPN, IKEv2/IPsec—authentication, session tracking, IP pool allocation, multi-IP SNAT for traffic balancing. bifrost-dns: DNS proxy with category-based filtering (512K+ domains, 12 categories) according to client profile/preferences, O(1) domain lookup, server-level policy overrides.
Backend API for managing distributed proxy servers. Server self-registration with approval workflow, configuration distribution (40+ parameters per server with hot-reload), port rotation with grace periods, ephemeral authentication tokens with TTL, audit trail for all changes.
Plus custom Prometheus exporters for infrastructure monitoring.
I believe AI-assisted development is the inevitable future of software engineering. Not "AI will replace programmers"—but architects and engineers who leverage AI will outperform those who don't.
My workflow: I design systems, make architecture decisions, write detailed specifications and task descriptions. Claude Code handles implementation. I review, iterate, and take responsibility for the result.
The track record: 41,000+ lines of production Rust—systems that replaced legacy PHP, handled 500K+ concurrent connections, filtered 512K+ domains. The same method now builds AI products and the governance around them.
I help teams put AI into production safely—and keep it there. Engagements are scoped per project; reach out with what you're trying to do.
Policies, guardrails, and a sane plan for how an organization adopts and accesses LLMs—proxying, vendor strategy, cost control—instead of ungoverned tool sprawl.
Designing AI systems that survive past the prototype: access control, failure modes, observability.
The foundation under it all—from someone who ran national-scale and multi-petabyte systems.
Decisions are mine; implementation is AI-accelerated—which is exactly why I can advise on doing it well.