
Aljona Schwan.
Forensic methodology applied to agentic AI.

Eight years in forensic and cyber investigation, alongside a decade in enterprise data governance and AI risk management. Every case came back to one question: what made this possible? That methodology now applies to agentic AI systems.

Aljona Schwan — Founder, AI Resilience Lab Zürich · Switzerland
01 Background

The pattern that defines this work emerged from forensic investigation: individually authorised steps producing outcomes no one sanctioned, at speed, across organisational boundaries, leaving partial traces no single system captured. Sophisticated insider cases have this structural signature. So does agentic AI control failure.

The full arc — from forensic reconstruction to institutional framework design to AI control architecture — is what makes the approach operational rather than theoretical.

I founded AI Resilience Lab to translate that lens into operational governance for organisations deploying agentic AI. The work is holistic by design: AI agents operate across IT, Risk, Compliance, Data Protection, and the business simultaneously, and governing them requires architecture that spans all five functions.

Prior to founding AI Resilience Lab, I served as Head of Data Compliance at EY Germany at Director level, building the enterprise data governance framework across approximately 10,000 employees. I led the Data Risk Assessment for MS Copilot — one of the first enterprise-wide AI data risk assessments conducted at a major professional services firm — and implemented a Data Risk Control Framework aligned to ISO 27001 across internal operations and EU offices. At KPMG, I served as Senior Manager leading AI governance projects, deepening the regulatory translation work that now forms the analytical core of AI Resilience Lab.

The work focuses on regulated institutions and the technology and AI companies serving them — organisations deploying agentic AI that need governance encoded into the processes that run every day.

Available for underwriting assessments, agentic control assessments, governance advisory mandates, agentic control failure workshops, and forensic second opinions. Speaking engagements on agentic AI governance and control architecture, by enquiry.

8 years in forensic and cyber investigation
5+ years following AI ethics and risk — the foundation this practice is built on
3 years as Head of Data Compliance at EY Germany
02 How I work
01 Find the gap, not the actor

What matters in every case is the gap that made the attack possible. Every AI governance engagement starts with mapping what the system is technically prevented from doing — and treating that as a different question from what it is supposed to do.
02 Spanning every department the agent touches

AI agents do not operate within a single function. The Agentic Control Plane is built across IT, Risk Management, Compliance, Data Protection, and the business — giving every relevant team real-time visibility into what the agent is doing, under whose authority, and within what boundaries. Built with the organisation, embedded in its processes.
03 Governance in the architecture

A control that lives only in a policy document does not actually constrain anything. My work embeds governance at the architecture level — permission boundaries, behavioural audit logging, human checkpoints — so that what the agent cannot do is enforced in code.
03 Focus areas
Who I work with

Regulated institutions and the technology providers serving them

Financial services and insurance firms navigating FINMA and EU AI Act obligations. Technology providers and AI companies that need governance built into their agentic systems from day one — for their own deployments and for the regulated institutions they serve.

Regulatory context

EU AI Act · FINMA · ISO 42001 · NIST AI RMF

EU AI Act deployer obligations take effect August 2026. FINMA model risk guidance applies to Swiss financial institutions now. I map agentic AI deployments against these frameworks and identify what they require at the operational level, in the architecture itself.

The approach

The Agentic Control Plane — built collaboratively with the client

The deliverable is the operational governance layer itself, built with the organisation — live behavioural monitoring, agentic identity management, and risk controls embedded across every department the agent touches.

Specialist domains

Agentic identity · NHI governance · Behavioural traceability · Permission boundary enforcement

Non-human identities operating with delegated access require governance that human-centric IAM was not designed to provide. Sequence-level authorisation, behavioural drift detection, and human oversight architecture are the practitioner disciplines that fill that gap.

Get in touch

If your organisation is deploying agentic AI in a regulated environment, let's talk about the control gap.

Every engagement starts with the same question: what has this system been explicitly prevented from doing? If you cannot answer that with evidence, that is where we start.