<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<!-- maximum-scale=5 still allows pinch-zoom; do not lower it to 1 or add
     user-scalable=no, both of which block zoom for low-vision users. -->
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5, viewport-fit=cover">
<meta name="theme-color" content="#070b17">
<meta name="color-scheme" content="dark">
<meta name="mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Matches the current browser default referrer policy; kept explicit so the
     cross-origin referrer behaviour does not depend on browser defaults. -->
<meta name="referrer" content="strict-origin-when-cross-origin">
<!--
  Content-Security-Policy delivered through <meta>. Caveats of meta delivery:
  * frame-ancestors is ignored in a <meta> policy (browsers only honour it
    from the HTTP header), so 'none' below gives no clickjacking protection
    by itself. If the host cannot emit response headers (the canonical URL
    points at GitHub Pages, which does not allow custom headers), this is a
    known limitation of the platform rather than a misconfiguration.
  * style-src 'unsafe-inline' is needed by the inline style="" attributes in
    the body (nav tagline, expertise section). Moving those to classes in
    css/bundle.min.css would let this policy drop 'unsafe-inline'.
  * script-src allowlists the whole plausible.io origin; see the analytics
    <script> further down for the SRI trade-off.
  img-src data: exists only for the inline SVG favicons below.
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://plausible.io; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self' https://plausible.io; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
<!-- X-Content-Type-Options is only honoured as an HTTP response header; the
     http-equiv form is a no-op in every browser and documents intent at most. -->
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<title>Dr. Devam R Shah — CISO & AI Security Leader</title>
<meta name="description" content="Dr. Devam R Shah — CISO & DPO leading AI security and AI governance at Locus (IKEA). LLM security, NIST AI RMF, ISO 42001, EU AI Act, GDPR, DPDPA.">
<meta name="author" content="Dr. Devam R Shah">
<meta name="robots" content="index, follow, max-image-preview:large, max-snippet:-1">
<link rel="canonical" href="https://devamshah.github.io/">
<!-- Favicons as inline data: SVG (the reason the CSP carries img-src data:).
     NOTE(review): iOS Safari has historically not rendered SVG for
     apple-touch-icon; a 180x180 PNG is the usual fallback if a home-screen
     icon is wanted there. Verify on device before relying on this one. -->
<link rel="icon" type="image/svg+xml" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Cdefs%3E%3ClinearGradient id='g' x1='0' y1='0' x2='0' y2='1'%3E%3Cstop offset='0' stop-color='%23eab84e'/%3E%3Cstop offset='1' stop-color='%23a37d38'/%3E%3C/linearGradient%3E%3ClinearGradient id='h' x1='0' y1='0' x2='0' y2='1'%3E%3Cstop offset='0' stop-color='%23fff' stop-opacity='.12'/%3E%3Cstop offset='1' stop-color='%23fff' stop-opacity='0'/%3E%3C/linearGradient%3E%3C/defs%3E%3Crect width='64' height='64' rx='14' fill='%230a0f22'/%3E%3Cpath d='M32 6L12 16v16c0 14 8.5 22.5 20 26c11.5-3.5 20-12 20-26V16Z' fill='url(%23g)'/%3E%3Cpath d='M32 6L12 16v16c0 14 8.5 22.5 20 26c11.5-3.5 20-12 20-26V16Z' fill='url(%23h)'/%3E%3Cpath d='M24 20h10c7 0 12 5 12 12s-5 12-12 12H24Z' fill='%230a0f22'/%3E%3Cpath d='M30 26h4c3.3 0 6 2.7 6 6s-2.7 6-6 6h-4Z' fill='url(%23g)'/%3E%3C/svg%3E">
<link rel="apple-touch-icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Cdefs%3E%3ClinearGradient id='g' x1='0' y1='0' x2='0' y2='1'%3E%3Cstop offset='0' stop-color='%23eab84e'/%3E%3Cstop offset='1' stop-color='%23a37d38'/%3E%3C/linearGradient%3E%3ClinearGradient id='h' x1='0' y1='0' x2='0' y2='1'%3E%3Cstop offset='0' stop-color='%23fff' stop-opacity='.12'/%3E%3Cstop offset='1' stop-color='%23fff' stop-opacity='0'/%3E%3C/linearGradient%3E%3C/defs%3E%3Crect width='64' height='64' rx='14' fill='%230a0f22'/%3E%3Cpath d='M32 6L12 16v16c0 14 8.5 22.5 20 26c11.5-3.5 20-12 20-26V16Z' fill='url(%23g)'/%3E%3Cpath d='M32 6L12 16v16c0 14 8.5 22.5 20 26c11.5-3.5 20-12 20-26V16Z' fill='url(%23h)'/%3E%3Cpath d='M24 20h10c7 0 12 5 12 12s-5 12-12 12H24Z' fill='%230a0f22'/%3E%3Cpath d='M30 26h4c3.3 0 6 2.7 6 6s-2.7 6-6 6h-4Z' fill='url(%23g)'/%3E%3C/svg%3E">
<!-- Open Graph -->
<!-- og:image is 1200x1200 (square). Twitter's summary_large_image card is
     typically rendered at roughly 2:1, so expect a centre crop there; a
     separate 1200x630 asset for twitter:image avoids that if it matters. -->
<meta property="og:type" content="profile">
<meta property="og:site_name" content="Dr. Devam R Shah">
<meta property="og:locale" content="en_US">
<meta property="og:url" content="https://devamshah.github.io/">
<meta property="og:title" content="Dr. Devam R Shah — CISO & AI Security Leader">
<meta property="og:description" content="CISO & DPO leading AI security & AI governance at Locus (IKEA). LLM security, NIST AI RMF, ISO 42001, EU AI Act. Builds Verida, Vedha, Nimantrika.">
<meta property="og:image" content="https://devamshah.github.io/assets/og-card.png">
<meta property="og:image:type" content="image/png">
<meta property="og:image:width" content="1200">
<meta property="og:image:height" content="1200">
<meta property="og:image:alt" content="Dr. Devam R Shah — CISO & AI Security Leader">
<meta property="profile:first_name" content="Devam">
<meta property="profile:last_name" content="Shah">
<!-- Twitter -->
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Dr. Devam R Shah — CISO & AI Security Leader">
<meta name="twitter:description" content="CISO & DPO leading AI security & AI governance at Locus (IKEA). Builds Verida, Vedha, Nimantrika in the open.">
<meta name="twitter:image" content="https://devamshah.github.io/assets/og-card.png">
<meta name="twitter:image:alt" content="Dr. Devam R Shah — CISO & AI Security Leader">
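<!-- Structured Data -->
<!-- JSON-LD blocks are inert under the CSP (type=application/ld+json is never
     executed) and are read only by crawlers. Each block must be valid JSON:
     a raw line break inside a string literal is a JSON syntax error and
     causes parsers to drop the entire block, which is why the FAQPage
     payload below is kept as one continuous line. -->
<!-- Person entity; referenced by @id from the WebSite block. -->
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"Person","@id":"https://devamshah.github.io/#person","name":"Dr. Devam R Shah","givenName":"Devam","familyName":"Shah","honorificPrefix":"Dr.","jobTitle":"CISO & DPO | AI Security & AI Governance Leader","description":"Chief Information Security Officer, Data Protection Officer, and AI security leader. Runs AI security and AI governance at Locus (Ingka/IKEA) for a logistics AI platform powering 1.5B+ deliveries across 30+ jurisdictions.","image":"https://devamshah.github.io/assets/website_headshot.jpg","url":"https://devamshah.github.io/","sameAs":["https://www.linkedin.com/in/thedevam/","https://github.com/DevamShah"],"knowsAbout":["AI Security","AI Governance","AI Risk Management","LLM Security","AI Compliance","NIST AI RMF","ISO/IEC 42001","EU AI Act","MLSecOps","AI Red Teaming","Responsible AI","AI DPIA","AI Third-Party Risk Management","Prompt Injection","Model Security","AI Data Protection","AI Privacy","AI Incident Response","AI Threat Modeling","OWASP Top 10 for LLMs","AppSec Automation","AI SOC","Chief Information Security Officer","Data Protection Officer","Zero Trust Architecture","DevSecOps","SAST","SCA","Cloud Security","SOC 2","ISO 27001","ISO 27701","HITRUST","HIPAA","GDPR","DPDPA","Board-level Cyber Risk","Crisis Leadership"],"worksFor":{"@id":"https://devamshah.github.io/#locus"},"alumniOf":[{"@type":"CollegeOrUniversity","name":"Symbiosis Centre for Information Technology (SCIT)"},{"@type":"CollegeOrUniversity","name":"L.D. College of Engineering"},{"@type":"EducationalOrganization","name":"ISTM (Doctorate — AI and Cyber Security)"},{"@type":"EducationalOrganization","name":"Asian School of Cyber Laws"}],"knowsLanguage":["en","hi","gu"],"nationality":"Indian"}
</script>
<!-- WebSite entity; author points back at the Person @id. -->
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"WebSite","@id":"https://devamshah.github.io/#website","name":"Dr. Devam R Shah — CISO & AI Security Leader","url":"https://devamshah.github.io/","description":"Portfolio of Dr. Devam R Shah — CISO & DPO leading AI security and AI governance at Locus (IKEA group).","author":{"@id":"https://devamshah.github.io/#person"},"inLanguage":"en"}
</script>
<!-- Organization entity; target of the Person's worksFor reference. -->
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"Organization","@id":"https://devamshah.github.io/#locus","name":"Locus","parentOrganization":{"@type":"Organization","name":"Ingka Group (IKEA)"},"url":"https://locus.sh/","description":"Cloud-native logistics AI platform powering 1.5B+ deliveries across 30+ jurisdictions."}
</script>
<!-- FAQPage entity. Previously the fourth answer's string literal was broken
     across two physical lines ("Dr. " / "Shah's"), which is invalid JSON. -->
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What does an AI security CISO actually do?","acceptedAnswer":{"@type":"Answer","text":"An AI security CISO owns the governance, risk, and controls for AI systems — from model supply chain and prompt injection defense to AI DPIA, AI TPRM, and NIST AI RMF / ISO 42001 alignment. Dr. Devam Shah leads this function at Locus (IKEA), running AI security governance, LLM security reviews, and AI red teaming alongside traditional CISO responsibilities."}},{"@type":"Question","name":"How do you govern LLMs and generative AI in an enterprise?","acceptedAnswer":{"@type":"Answer","text":"AI governance combines policy (acceptable use, data classification, model inventory), controls (input/output guardrails, prompt injection testing, PII redaction, rate limiting), and oversight (AI DPIA, AI TPRM, human-in-the-loop for high-risk decisions). At Locus, Dr. Shah established AI governance aligned to NIST AI RMF and ISO/IEC 42001, with automated guardrails across AI-assisted development pipelines."}},{"@type":"Question","name":"What is MLSecOps and how is it different from DevSecOps?","acceptedAnswer":{"@type":"Answer","text":"MLSecOps extends DevSecOps to the ML/LLM lifecycle — covering training data integrity, model provenance, adversarial robustness, prompt injection, model theft, and inference-time abuse. It adds AI-specific controls on top of SAST, SCA, DAST, and secrets scanning. Dr. Shah builds MLSecOps pipelines using open-source tooling and custom AI guardrails."}},{"@type":"Question","name":"How do you approach AI red teaming?","acceptedAnswer":{"@type":"Answer","text":"AI red teaming tests models and AI-powered applications against prompt injection, jailbreaks, data extraction, model evasion, and indirect injection via RAG sources. Vedha — Dr. Shah's open-source autonomous AI pentester — automates this across the OWASP Top 10 for LLMs and extends into traditional pentesting workflows."}},{"@type":"Question","name":"What does a DPO need to know about AI?","acceptedAnswer":{"@type":"Answer","text":"A DPO handling AI systems must run AI DPIAs, assess legal basis for training and inference, manage cross-border transfers under GDPR and DPDPA, track automated decision-making under EU AI Act high-risk categories, and coordinate with the CISO on model security. Dr. Shah operates as both CISO and DPO — making AI privacy and AI security a unified function rather than two siloed ones."}},{"@type":"Question","name":"Are you available for AI security board advisory or fractional CISO work?","acceptedAnswer":{"@type":"Answer","text":"Dr. Shah advises boards and executive teams on AI security strategy, AI governance program design, AI risk translation, and AI compliance readiness (NIST AI RMF, ISO/IEC 42001, EU AI Act). Contact via email or LinkedIn to discuss."}}]}
</script>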
<!-- Analytics -->
<!-- Plausible -->
<!-- Third-party script loaded without Subresource Integrity. The CSP's
     script-src allowlists the whole plausible.io origin, so the trust
     boundary is that origin rather than a pinned file. The script is served
     from an unversioned URL, so a fixed integrity= hash would likely break
     on each upstream release; self-hosting or proxying the script is the
     usual route if pinning is required. defer keeps it off the critical path. -->
<script defer data-domain="devamshah.github.io" src="https://plausible.io/js/script.js"></script>
<!-- Preload LCP hero -->
<!-- type="image/webp" lets browsers without WebP support skip this preload;
     the <picture> element in the hero supplies the JPEG fallback. -->
<link rel="preload" as="image" href="assets/website_headshot.webp" type="image/webp" fetchpriority="high">
<!-- Preload critical fonts (self-hosted, latin subset) -->
<!-- crossorigin is mandatory on font preloads (fonts are always fetched in
     CORS mode); without it the preload would not match and the font would
     be fetched twice. -->
<link rel="preload" as="font" type="font/woff2" href="fonts/outfit-var.woff2" crossorigin>
<link rel="preload" as="font" type="font/woff2" href="fonts/instrument-serif.woff2" crossorigin>
<!-- Stylesheets -->
<link rel="stylesheet" href="css/bundle.min.css">
</head>
<body>
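<!-- Skip link targets the <main id="main"> landmark below. -->
<a href="#main" class="skip-link">Skip to content</a>
<!-- Scroll Progress -->
<!-- Empty decorative bar; presumably width-driven by the script. -->
<div class="scroll-progress" id="scrollProgress"></div>
<!-- Lightbox -->
<!-- Closed state is expressed with aria-hidden="true". NOTE(review): that
     attribute hides the dialog from assistive tech but does not remove the
     close button from the tab order, so this relies on the stylesheet also
     setting display:none while closed and on the script flipping aria-hidden
     on open. The hidden attribute (or a native <dialog>) expresses both at
     once. The <img> src is intentionally empty until the script fills it. -->
<div class="lightbox" id="lightbox" role="dialog" aria-modal="true" aria-label="Photo lightbox" aria-hidden="true">
<!-- type="button" is explicit so the element can never act as a form
     submitter if the lightbox is ever moved inside a <form>. -->
<button type="button" class="lightbox-close" id="lightboxClose">ESC to close</button>
<img src="" alt="" id="lightboxImg">
<div class="lightbox-caption" id="lightboxCaption"></div>
</div>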
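<!-- Keyboard Shortcuts Modal -->
<!-- Closed state is aria-hidden="true"; the script is expected to flip it on
     open (same caveat as the lightbox: pair it with display:none or hidden
     so nothing inside stays tabbable while closed). The dialog takes its
     accessible name from its own visible heading via aria-labelledby, so
     the announced name cannot drift from the title shown on screen. -->
<div class="shortcuts-modal" id="shortcutsModal" role="dialog" aria-modal="true" aria-labelledby="shortcutsTitle" aria-hidden="true">
<div class="shortcuts-box">
<h2 id="shortcutsTitle">Keyboard Shortcuts</h2>
<!-- Each row is description + key; keys are single characters handled by
     the page script (not visible here). -->
<div class="shortcut-row"><span class="shortcut-desc">Home / Top</span><span class="shortcut-key">H</span></div>
<div class="shortcut-row"><span class="shortcut-desc">About</span><span class="shortcut-key">A</span></div>
<div class="shortcut-row"><span class="shortcut-desc">Expertise</span><span class="shortcut-key">E</span></div>
<div class="shortcut-row"><span class="shortcut-desc">Career</span><span class="shortcut-key">C</span></div>
<div class="shortcut-row"><span class="shortcut-desc">Projects</span><span class="shortcut-key">P</span></div>
<div class="shortcut-row"><span class="shortcut-desc">Blog</span><span class="shortcut-key">B</span></div>
<div class="shortcut-row"><span class="shortcut-desc">Contact</span><span class="shortcut-key">K</span></div>
<div class="shortcut-row"><span class="shortcut-desc">Close this modal</span><span class="shortcut-key">?</span></div>
</div>
</div>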
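<!-- ===== HEADER ===== -->
<header id="siteHeader">
<div class="container">
<!-- Brand link: an empty fragment scrolls to the top of the document. -->
<a href="#" class="nav-brand">
<div class="nav-dot"></div>
<div class="nav-id">
<span class="slash">~/</span>dr.devam.r<span class="dot">.</span>shah
<!-- This inline style="" is one of the reasons the CSP must keep
     style-src 'unsafe-inline'; a class in css/bundle.min.css would let
     the policy drop it. -->
<span style="color:var(--text-muted);font-size:10px;margin-left:6px">chief information security officer · ai security & governance</span>
</div>
</a>
<!-- Labelled so it stays distinguishable if another <nav> (e.g. in a
     footer outside this view) exists on the page. data-section on each link
     mirrors the target id; presumably read by the scroll-spy script. -->
<nav aria-label="Primary">
<ul id="navMenu">
<li><a href="#ai-security-leader" data-section="ai-security-leader">about</a></li>
<li><a href="#ai-security-expertise" data-section="ai-security-expertise">expertise</a></li>
<li><a href="#ai-security-experience" data-section="ai-security-experience">career</a></li>
<li><a href="#ai-security-projects" data-section="ai-security-projects">projects</a></li>
<li><a href="#ai-security-credentials" data-section="ai-security-credentials">credentials</a></li>
<li><a href="#ai-security-blog" data-section="ai-security-blog">blog</a></li>
<li><a href="#ai-security-contact" class="nav-cta" data-section="ai-security-contact">connect</a></li>
</ul>
</nav>
</div>
</header>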
<main id="main">
<!-- ===== HERO ===== -->
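<section class="hero snap-section" id="hero" aria-labelledby="hero-heading">
<!-- Decorative background layer; empty, so nothing for AT to announce. -->
<div class="hero-grid-bg"></div>
<div class="container">
<div class="hero-content">
<!-- Faux terminal; static text, no script dependency visible here. -->
<div class="hero-terminal" id="heroTerm">
<div class="term-line"><span class="term-prompt">$</span> <span class="term-cmd">whoami</span></div>
<div class="term-line"><span class="term-out">dr.devam.r.shah — CISO & DPO | AI Security & AI Governance Leader</span></div>
<div class="term-line"><span class="term-prompt">$</span> <span class="term-cmd">cat /etc/mission</span></div>
<div class="term-line"><span class="term-comment"># securing AI systems. governing AI risk. translating it into board-level business strategy.</span></div>
</div>
<div class="hero-layout">
<div class="hero-text">
<div class="hero-eyebrow">CISO & DPO | AI Security & AI Governance Leader</div>
<h1 id="hero-heading">AI Security Leadership,<br>from <em>Code to Boardroom.</em></h1>
<p class="hero-desc">A decade of building and defending. Today I run <strong>AI security and AI governance</strong> at Locus (Ingka / IKEA) for a logistics AI platform powering <strong>1.5B+ deliveries across 30+ jurisdictions</strong>. Previously secured <strong>35M+ student records across 33 countries</strong> and treated <strong>1 million+ vulnerabilities</strong> across enterprise environments. I translate AI risk, prompt injection, and model security into board-level business strategy — and build AI security tools in the open.</p>
</div>
<div class="hero-photo">
<!-- LCP image: WebP first, JPEG fallback; matches the preload in <head>.
     Explicit width/height reserve layout space; fetchpriority=high marks
     it as the LCP candidate. -->
<picture>
<source type="image/webp" srcset="assets/website_headshot.webp">
<img src="assets/website_headshot.jpg" alt="Dr. Devam R Shah — CISO & AI Security Leader" width="400" height="400" fetchpriority="high" decoding="async">
</picture>
</div>
</div>
<!-- Status panel — horizontal bar below grid -->
<div class="hero-status-bar">
<div class="panel-bar">
<!-- Purely decorative window dots. -->
<div class="mac-dot r"></div><div class="mac-dot y"></div><div class="mac-dot g"></div>
<span class="panel-title">devam@portfolio — status</span>
</div>
<div class="panel-body panel-body-horizontal">
<div class="pr"><span class="pk">role</span><span class="pv hl">CISO & DPO</span></div>
<div class="pr"><span class="pk">industries</span><span class="pv">7 verticals</span></div>
<div class="pr"><span class="pk">jurisdictions</span><span class="pv">30+ global</span></div>
<div class="pr"><span class="pk">focus</span><span class="pv hl">AI Security & Governance</span></div>
<div class="pr"><span class="pk">approach</span><span class="pv gn">● AI-first</span></div>
</div>
</div>
<!-- Tool Ticker -->
<!-- The item list is repeated once so the CSS loop has no visible seam.
     The second copy is aria-hidden so screen readers do not read the same
     sixteen names twice; it is visual filler only. -->
<div class="tool-ticker">
<div class="ticker-track" id="tickerTrack">
<span class="ticker-item"><span class="tdot"></span>Claude Code</span>
<span class="ticker-item"><span class="tdot"></span>Snyk MCP</span>
<span class="ticker-item"><span class="tdot"></span>CodeRabbit</span>
<span class="ticker-item"><span class="tdot"></span>Semgrep</span>
<span class="ticker-item"><span class="tdot"></span>Trivy</span>
<span class="ticker-item"><span class="tdot"></span>OWASP ZAP</span>
<span class="ticker-item"><span class="tdot"></span>SonarQube</span>
<span class="ticker-item"><span class="tdot"></span>Wiz</span>
<span class="ticker-item"><span class="tdot"></span>Palo Alto</span>
<span class="ticker-item"><span class="tdot"></span>Cortex XDR</span>
<span class="ticker-item"><span class="tdot"></span>Okta</span>
<span class="ticker-item"><span class="tdot"></span>Terraform</span>
<span class="ticker-item"><span class="tdot"></span>Docker</span>
<span class="ticker-item"><span class="tdot"></span>Kubernetes</span>
<span class="ticker-item"><span class="tdot"></span>Ansible</span>
<span class="ticker-item"><span class="tdot"></span>Python</span>
<!-- Duplicate for seamless loop (hidden from assistive tech) -->
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Claude Code</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Snyk MCP</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>CodeRabbit</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Semgrep</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Trivy</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>OWASP ZAP</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>SonarQube</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Wiz</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Palo Alto</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Cortex XDR</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Okta</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Terraform</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Docker</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Kubernetes</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Ansible</span>
<span class="ticker-item" aria-hidden="true"><span class="tdot"></span>Python</span>
</div>
</div>
<!-- Animated counters: data-count is the target, data-suffix is appended.
     NOTE(review): the markup ships the literal 0 and relies on the script
     to count up, so with scripting blocked or failed every metric reads
     "0". Rendering the final value here and letting the script reset it
     before animating would be the more robust shape; confirm against the
     counter code before changing it. -->
<div class="hero-metrics">
<div class="metric"><div class="metric-val" data-count="10" data-suffix="+">0</div><div class="metric-label">Years in Security</div></div>
<div class="metric"><div class="metric-val" data-count="7" data-suffix="">0</div><div class="metric-label">Industries Secured</div></div>
<div class="metric"><div class="metric-val" data-count="1" data-suffix="M+">0</div><div class="metric-label">Vulns Treated (Career)</div></div>
<div class="metric"><div class="metric-val" data-count="30" data-suffix="+">0</div><div class="metric-label">Jurisdictions</div></div>
</div>
</div>
</div>
</section>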
<!-- ===== TRUST BAR ===== -->
<!-- Framework badges. Two things a later pass could tidy: the items are
     list-like content carried by <span>s (a <ul> would give AT users an
     item count), and the same shield path is inlined ten times (a single
     <symbol> referenced via <use> would dedupe it). Both are behaviour
     neutral only if css/bundle.min.css is updated alongside, so they are
     left as notes here. Icons are aria-hidden; the text carries meaning. -->
<div class="trust-bar">
<div class="container">
<div class="trust-bar-label">AI Compliance & Security Frameworks Delivered</div>
<div class="trust-bar-items">
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>ISO/IEC 42001</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>NIST AI RMF</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>EU AI Act</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>SOC 2 Type II</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>ISO 27001</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>ISO 27701</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>HITRUST</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>HIPAA</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>GDPR</span>
<span class="trust-item"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg>DPDPA</span>
</div>
</div>
</div>
<!-- ===== ABOUT ===== -->
<section id="ai-security-leader" class="snap-section" aria-labelledby="about-heading">
<div class="container">
<div class="reveal"><div class="section-label">About</div><h2 class="section-heading" id="about-heading">Who I Am</h2></div>
<!-- ROW 1: Three content cards -->
<!-- Card icons are aria-hidden; each card's <h3> carries the meaning. -->
<div class="about-cards stagger">
<div class="about-card">
<div class="about-card-icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/><path d="M9 12l2 2 4-4"/></svg></div>
<h3>CISO & DPO Building AI Security at Scale</h3>
<p>CISO and DPO at Locus (Ingka / IKEA), running AI security and AI governance for a logistics AI platform powering 1.5B+ deliveries across 30+ jurisdictions. A decade spanning AI SaaS, healthcare, logistics, edtech, robotics, and cloud-native platforms — translating AI risk and board-level cyber risk into business strategy.</p>
</div>
<div class="about-card">
<div class="about-card-icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M13 2L3 14h9l-1 8 10-12h-9l1-8z"/></svg></div>
<h3>Crisis-Tested AI & Cyber Leadership</h3>
<p>The hardest security problems aren't technical — they're organizational. Brought in to stabilize companies during active breaches, PHI exposure, and ransomware incidents. Built incident response, AI incident response, and 24x7 SOC operations from scratch. Led post-acquisition security due diligence for global enterprises. Every role has started with a hard problem and ended with a resilient organization.</p>
</div>
<div class="about-card">
<div class="about-card-icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><polyline points="4 17 10 11 4 5"/><line x1="12" y1="19" x2="20" y2="19"/></svg></div>
<h3>A CISO Who Builds AI Security Tools</h3>
<p>Ships production-grade Python AI security tooling in the open — Verida (AppSec false-positive reduction), Vedha (autonomous AI pentester), Nimantrika (safe outbound automation). Designs AI product architectures from first principles and builds entire AppSec pipelines using open-source tooling. The best AI security leaders understand what they're protecting because they've built it themselves.</p>
</div>
</div>
<!-- ROW 2: Quote block -->
<div class="about-quote-row reveal">
<div class="about-quote">
<blockquote>"The wise warrior avoids the battle."</blockquote>
<cite>— Sun Tzu, The Art of War</cite>
</div>
<p class="about-philosophy">The best security is invisible. It prevents the incident from ever existing. Proactive architectures, quiet resilience, systems that hold when tested.</p>
</div>
<!-- ROW 3: Gallery photos -->
<!-- NOTE(review): data-caption presumably feeds #lightboxCaption when an
     item is clicked. As plain <div>s these items are mouse-only: no tabindex,
     no role, no key handling. Wrapping each <img> in a
     <button type="button"> (or adding tabindex="0", role="button" and an
     Enter/Space handler in the script) would make the lightbox keyboard
     operable. Captions are static author content, so injecting them into
     the caption element is not an untrusted-input concern. -->
<div class="about-gallery reveal">
<div class="photo-grid-item" data-caption="Quantic Cyber Security Excellence Awards 2025 — Locus"><img src="assets/quantic-award.jpeg" alt="Quantic Cyber Security Excellence Awards 2025" width="400" height="300" loading="lazy"><div class="photo-caption">Quantic Award 2025</div></div>
<div class="photo-grid-item" data-caption="IKEA / Ingka Group — Security Team"><img src="assets/ikea-team.jpeg" alt="IKEA Ingka Group Team" width="400" height="300" loading="lazy"><div class="photo-caption">IKEA / Ingka</div></div>
<div class="photo-grid-item" data-caption="CISO of the Year — iValue Awards, Teachmint"><img src="assets/ivalue-award.jpeg" alt="iValue CISO of the Year Award" width="400" height="300" loading="lazy"><div class="photo-caption">CISO of the Year</div></div>
<div class="photo-grid-item" data-caption="CXO Cywayz — Cyber Security & AI Conference Speaker"><img src="assets/cxo-speaker.jpeg" alt="CXO Cywayz Conference Speaker" width="400" height="300" loading="lazy"><div class="photo-caption">CXO Speaker</div></div>
</div>
<!-- ROW 4: Tag cloud -->
<!-- Pills are deliberately adjacent on each line (no whitespace between
     them); keep that if reformatting, or the spacing will change. -->
<div class="about-tags reveal">
<span class="tag-pill">AI Security</span><span class="tag-pill">AI Governance</span>
<span class="tag-pill">LLM Security</span><span class="tag-pill">MLSecOps</span>
<span class="tag-pill">Board-level AI Risk</span><span class="tag-pill">Zero Trust</span>
<span class="tag-pill">Crisis Leadership</span><span class="tag-pill">Privacy Architecture</span>
<span class="tag-pill">OT/IoT Security</span><span class="tag-pill">Open Source</span>
</div>
</div>
</section>
<!-- ===== EXPERTISE ===== -->
<!-- The inline style="" on this <section> is the second reason the CSP keeps
     style-src 'unsafe-inline'; a modifier class in css/bundle.min.css would
     remove the need for it. -->
<section id="ai-security-expertise" class="snap-section" aria-labelledby="expertise-heading" style="background:var(--bg-primary)">
<div class="container">
<div class="reveal"><div class="section-label">Expertise</div><h2 class="section-heading" id="expertise-heading">AI Security & Governance Expertise</h2><p class="section-sub">AI security, AI governance, and enterprise cyber programs that scale with the business — powered by automation and agentic AI. Click any domain to explore.</p></div>
<!-- NOTE(review): "Click any domain to explore" plus tabindex="0" implies
     each tile is interactive, but an <article> carries no interactive role
     or state, so keyboard users reach a focus stop with no announced
     purpose and Enter/Space do nothing unless the script handles them. If
     the tiles toggle an expanded view, a <button> inside the tile (or
     role="button" with aria-expanded kept in sync and key handling) is the
     expected pattern; confirm against the click handler in the script. -->
<div class="expertise-grid stagger" id="expGrid">
<article class="exp-tile" tabindex="0"><div class="exp-icon-wrap"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg></div><h3>AI Security, AI Governance & LLM Defense</h3><p>Running AI security and AI governance for an enterprise AI platform at scale. LLM security guardrails, prompt injection defense, model supply chain controls, AI DPIA, AI TPRM. Aligned to NIST AI RMF, ISO/IEC 42001, EU AI Act, and OWASP Top 10 for LLMs.</p><div class="exp-tags"><span class="exp-tag">LLM Security</span><span class="exp-tag">AI Governance</span><span class="exp-tag">NIST AI RMF</span><span class="exp-tag">ISO 42001</span><span class="exp-tag">EU AI Act</span><span class="exp-tag">Prompt Injection</span><span class="exp-tag">MLSecOps</span></div></article>
<article class="exp-tile" tabindex="0"><div class="exp-icon-wrap"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M18 10h-1.26A8 8 0 109 20h9a5 5 0 000-10z"/></svg></div><h3>AppSec Automation & Cloud DevSecOps</h3><p>AI-assisted AppSec pipelines at enterprise scale. SAST, SCA, DAST, container, IaC, and secrets scanning — with open-source tooling and agentic AI triage reducing false positives and late-stage vulnerabilities.</p><div class="exp-tags"><span class="exp-tag">Semgrep</span><span class="exp-tag">Trivy</span><span class="exp-tag">OWASP ZAP</span><span class="exp-tag">SonarQube</span><span class="exp-tag">Claude Code</span><span class="exp-tag">Snyk MCP</span><span class="exp-tag">CodeRabbit</span></div></article>
<article class="exp-tile" tabindex="0"><div class="exp-icon-wrap"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2"/><rect x="9" y="3" width="6" height="4" rx="1"/><path d="M9 14l2 2 4-4"/></svg></div><h3>AI Privacy, DPDPA, GDPR & AI Compliance</h3><p>CISO and DPO across 30+ jurisdictions. AI DPIAs, cross-border transfers, automated decision-making. HITRUST, SOC 2 Type II, ISO 27001, ISO 27701, HIPAA, GDPR, DPDPA, COPPA.</p><div class="exp-tags"><span class="exp-tag">AI DPIA</span><span class="exp-tag">GDPR</span><span class="exp-tag">DPDPA</span><span class="exp-tag">SOC 2</span><span class="exp-tag">ISO 27001</span><span class="exp-tag">HIPAA</span><span class="exp-tag">HITRUST</span></div></article>
<article class="exp-tile" tabindex="0"><div class="exp-icon-wrap"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="12" cy="12" r="10"/><circle cx="12" cy="12" r="6"/><circle cx="12" cy="12" r="2"/><path d="M12 2v4M12 18v4M2 12h4M18 12h4"/></svg></div><h3>AI Red Teaming & Crisis Security</h3><p>Red-teaming AI systems and traditional infrastructure. OWASP LLM Top 10, jailbreak and data-extraction testing, indirect prompt injection via RAG. Crisis leadership through PHI breaches, ransomware, and AI incident response.</p><div class="exp-tags"><span class="exp-tag">AI Red Teaming</span><span class="exp-tag">OWASP LLM Top 10</span><span class="exp-tag">Incident Response</span><span class="exp-tag">Bug Bounty</span><span class="exp-tag">Crisis Mgmt</span></div></article>
<article class="exp-tile" tabindex="0"><div class="exp-icon-wrap"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M12 2L2 7l10 5 10-5-10-5z"/><path d="M2 17l10 5 10-5"/><path d="M2 12l10 5 10-5"/></svg></div><h3>Enterprise Security Architecture & AI SOC</h3><p>Zero Trust deployments, AI-augmented SOCs processing millions of EPS, SIEM, EDR/XDR, SASE, UEBA/CASB. Identity-first architecture across global enterprises.</p><div class="exp-tags"><span class="exp-tag">Zero Trust</span><span class="exp-tag">AI SOC</span><span class="exp-tag">SIEM</span><span class="exp-tag">Cortex XDR</span><span class="exp-tag">Okta</span><span class="exp-tag">CASB</span><span class="exp-tag">SASE</span></div></article>
<article class="exp-tile" tabindex="0"><div class="exp-icon-wrap"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><polyline points="4 17 10 11 4 5"/><line x1="12" y1="19" x2="20" y2="19"/></svg></div><h3>Security Engineering & AI Tooling</h3><p>A CISO who ships code. Python AI security tools, MCP integrations, agentic automation for SecOps and GRC. Open-source: Verida, Vedha, Nimantrika.</p><div class="exp-tags"><span class="exp-tag">Python</span><span class="exp-tag">Claude API</span><span class="exp-tag">MCP</span><span class="exp-tag">Open Source</span><span class="exp-tag">Agentic AI</span></div></article>
</div>
</div>
</section>
<!-- ===== CAREER ===== -->
<section id="ai-security-experience" class="snap-section" aria-labelledby="career-heading">
<!-- Career timeline: five static <article> entries, newest first; the "featured" entry carries the Current badge and the last one is "compact". NOTE(review): tabindex="0" is set on three entries but not on the featured and compact ones; if focusability is intentional (keyboard access to a hover state), it should be applied consistently or dropped everywhere. -->
<div class="container">
<div class="reveal"><div class="section-label">Career</div><h2 class="section-heading" id="career-heading">AI Security & CISO Experience</h2><p class="section-sub">From bug bounty hunter to AI security CISO — a decade of building and defending across 7 industries and 30+ jurisdictions.</p></div>
<div class="timeline reveal">
<article class="tl-entry featured"><div class="tl-node"></div><div class="tl-header"><div class="tl-role">CISO & DPO<span class="tl-current-badge">Current</span></div><div class="tl-date">Sep 2024 — Present</div></div><div class="tl-org">Locus (Ingka Group | IKEA)</div><p class="tl-desc">Leading AI security, AI governance, privacy, and compliance for a cloud-native logistics AI platform serving 1.5B+ deliveries across 30+ jurisdictions. Established AI security governance with LLM guardrails, AI DPIAs, and AI TPRM aligned to NIST AI RMF and ISO/IEC 42001. Delivered SOC 2 Type II. Led post-acquisition security due diligence for Ingka Group (IKEA), driving remediation of 70,000+ SAST/SCA/OSS vulnerabilities (current-role scope). Lean team of 5, $1M budget. Reduced late-stage vulnerabilities by 96%.</p><div class="tl-badges"><span class="tl-badge">SOC 2 Type II</span><span class="tl-badge">AI Governance</span><span class="tl-badge">LLM Security</span><span class="tl-badge">NIST AI RMF</span><span class="tl-badge">ISO 42001</span><span class="tl-badge">GDPR</span><span class="tl-badge">Agentic AI</span></div></article>
<article class="tl-entry" tabindex="0"><div class="tl-node"></div><div class="tl-header"><div class="tl-role">CISO & Head of IT</div><div class="tl-date">Dec 2022 — Sep 2024</div></div><div class="tl-org">Teachmint</div><p class="tl-desc">Led IT, Security, Privacy, and Compliance for a global edtech SaaS platform supporting 35M+ student records across 33 countries. Built the entire AppSec pipeline using open-source tooling (Semgrep, Trivy, OWASP ZAP, SonarQube) — eliminating enterprise licensing. Secured AI-enabled IoT ecosystem across 600+ schools with 4,500+ smart classrooms powered by 15,000+ customized devices.</p><div class="tl-badges"><span class="tl-badge">35M+ Records</span><span class="tl-badge">Open-Source AppSec</span><span class="tl-badge">CISO of the Year</span><span class="tl-badge">GDPR/COPPA</span><span class="tl-badge">IoT Security</span></div></article>
<article class="tl-entry" tabindex="0"><div class="tl-node"></div><div class="tl-header"><div class="tl-role">Head of Information Security</div><div class="tl-date">Oct 2021 — Dec 2022</div></div><div class="tl-org">Byju's Great Learning</div><p class="tl-desc">Established global security and privacy across 100+ countries, 2,000+ employees, and 5,000+ contracted teachers. Led security integration during Byju's acquisition, aligning strategy with 300% annual growth. Deployed company-wide Zero Trust architecture. First-time ISO 27001 & ISO 27701 certifications enabling 50+ enterprise B2B deals with global banks, Big4, and Big Tech.</p><div class="tl-badges"><span class="tl-badge">100+ Countries</span><span class="tl-badge">Zero Trust</span><span class="tl-badge">ISO 27001/27701</span><span class="tl-badge">50+ B2B Deals</span><span class="tl-badge">M&A Integration</span></div></article>
<article class="tl-entry" tabindex="0"><div class="tl-node"></div><div class="tl-header"><div class="tl-role">CISO</div><div class="tl-date">Oct 2019 — Sep 2021</div></div><div class="tl-org">Meditab Group of Companies</div><p class="tl-desc">Appointed by Group Chairman to stabilize the organization during a major security crisis — managing a large-scale PHI breach and ongoing ransomware incidents. Built and led global security teams across 3 geographies (25+ professionals, 24x7 SOC). Secured OT/IoT environments for pharmaceutical robotics (30+ robotic platforms, 1,000+ sensors per system). Achieved HITRUST i1, SOC 2 Type II, ISO 27001, ISO 27701, and HIPAA.</p><div class="tl-badges"><span class="tl-badge">Crisis Leadership</span><span class="tl-badge">PHI Breach</span><span class="tl-badge">Ransomware</span><span class="tl-badge">OT/IoT Robotics</span><span class="tl-badge">HITRUST</span><span class="tl-badge">5,000+ Workforce</span></div></article>
<article class="tl-entry compact"><div class="tl-node"></div><div class="tl-header"><div class="tl-role">Information Security Manager, Cloud</div><div class="tl-date">Jul 2015 — Sep 2019</div></div><div class="tl-org">Tata Consultancy Services</div><p class="tl-desc">Enterprise security governance and architecture across TCS data centers, cloud environments, and critical infrastructure — including the EKA supercomputer used for Indian defense and space research. Key role in corporate security modernization across 1,000+ remote offices. Enterprise incident response for critical infrastructure environments.</p><div class="tl-badges"><span class="tl-badge">TCS</span><span class="tl-badge">Defense & Space</span><span class="tl-badge">1,000+ Offices</span><span class="tl-badge">EKA Supercomputer</span><span class="tl-badge">Zero Trust</span></div></article>
</div>
</div>
</section>
<!-- ===== MID-PAGE CTA ===== -->
<div class="mid-cta">
<!-- Mid-page call to action: a plain mailto link (the address is published in clear, a deliberate choice that also exposes it to scrapers) and an external LinkedIn link opened in a new tab with rel="noopener". -->
<div class="container decrypt-reveal">
<p class="mid-cta-text">Looking for an AI security leader who's <strong>been in the trenches</strong> and <strong>speaks the boardroom's language</strong>?</p>
<a href="mailto:devamshah91@gmail.com" class="c-btn primary">Let's Talk</a>
<a href="https://www.linkedin.com/in/thedevam/" class="c-btn ghost" target="_blank" rel="noopener">LinkedIn</a>
</div>
</div>
<!-- ===== PROJECTS ===== -->
<section id="ai-security-projects" class="snap-section" aria-labelledby="projects-heading" style="background:var(--bg-primary)">
<!-- Project cards: static content with a status pill (active / shipped / meta) per card. The inline style attribute here and on other sections will need style-src 'unsafe-inline' (or hashed entries) if a CSP is ever added; moving it to a class avoids that. The GitHub link opens a new tab with rel="noopener". -->
<div class="container">
<div class="reveal"><div class="section-label">Projects</div><h2 class="section-heading" id="projects-heading">AI Security Tools I'm Building</h2><p class="section-sub">Open-source AI security tools, agentic AI pentesting, and frameworks — built in the open.</p></div>
<div class="projects-grid stagger">
<article class="proj-card" tabindex="0"><div class="proj-status active"><span class="sdot"></span> Active Development</div><h3>Verida — AppSec False-Positive Reduction</h3><div class="proj-tagline">"Cutting noise from AppSec."</div><p>Open-source AppSec correlation engine reducing SAST/SCA false positives through reachability analysis and AI-assisted triage. Designed for CI/CD.</p><div class="proj-stack"><span>Python</span><span>SAST</span><span>SCA</span><span>AI Triage</span><span>Open Source</span></div></article>
<article class="proj-card" tabindex="0"><div class="proj-status shipped"><span class="sdot"></span> Shipped & Open Source</div><h3>Vedha — Autonomous AI Pentester</h3><div class="proj-tagline">"Autonomous AI red team."</div><p>Fork of Shannon — an autonomous AI pentester that plans, executes, and reports. Covers OWASP Top 10 for LLMs and traditional web/API pentesting.</p><div class="proj-stack"><span>Python</span><span>LLM</span><span>Agentic AI</span><span>AI Red Teaming</span><span>Open Source</span></div></article>
<article class="proj-card" tabindex="0"><div class="proj-status active"><span class="sdot"></span> Active Development</div><h3>Nimantrika — Safe Outbound Automation</h3><div class="proj-tagline">"Safe outbound, on your terms."</div><p>Human-mimicking LinkedIn outbound automation. Safe-mode defaults, full jitter, no 24/7 ops — built to protect the account as the load-bearing asset.</p><div class="proj-stack"><span>Python</span><span>Playwright</span><span>Automation</span><span>Safety-first</span></div></article>
<article class="proj-card" tabindex="0"><div class="proj-status meta"><span class="sdot"></span> Framework</div><h3>Product Factory Blueprint</h3><div class="proj-tagline">"From idea to production. Systematically."</div><p>Proprietary methodology for building AI products at scale. 9-phase lifecycle, 7 quality gates, 8 development agents. Nyaya AI is the reference implementation.</p><div class="proj-stack"><span>Methodology</span><span>AI Products</span><span>Architecture</span><span>9 Phases</span><span>7 Gates</span></div></article>
</div>
<div class="oss-cta reveal"><div><h3>I build in the open.</h3><p>Security tools should be transparent, community-driven, and accessible.</p></div><a href="https://github.com/DevamShah" class="oss-btn" target="_blank" rel="noopener">View GitHub →</a></div>
</div>
</section>
<!-- ===== CREDENTIALS ===== -->
<section id="ai-security-credentials" class="snap-section" aria-labelledby="credentials-heading">
<!-- Credentials grid: four static blocks (education, certifications, recognition, AI-specific). Icons are decorative (aria-hidden) and coloured via an inline style span; the h3 text alone carries the block's name. The doctorate appears in both the Education and AI Security Credentials blocks on purpose. -->
<div class="container">
<div class="reveal"><div class="section-label">Credentials</div><h2 class="section-heading" id="credentials-heading">AI Security Credentials & Recognition</h2></div>
<div class="cred-grid stagger">
<div class="cred-block" tabindex="0"><h3><span style="color:var(--gold)"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" style="vertical-align:-2px" aria-hidden="true"><path d="M22 10v6M2 10l10-5 10 5-10 5z"/><path d="M6 12v5c0 1.7 2.7 3 6 3s6-1.3 6-3v-5"/></svg></span> Education</h3><div class="cred-item"><strong>Doctorate in Management Studies</strong>Thesis: AI and Cyber Security<br><em>ISTM · 2021–2023</em></div><div class="cred-item"><strong>MBA — IT Business Management</strong><em>Symbiosis (SCIT) · 2013–2015</em></div><div class="cred-item"><strong>Diploma in Cyber Laws</strong><em>Asian School of Cyber Laws · 2013–2014</em></div><div class="cred-item"><strong>Computer Engineering</strong><em>L.D. College of Engineering · 2009–2013</em></div></div>
<div class="cred-block" tabindex="0"><h3><span style="color:var(--gold)"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" style="vertical-align:-2px" aria-hidden="true"><path d="M14.5 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V7.5L14.5 2z"/><polyline points="14 2 14 8 20 8"/><path d="M12 18v-6"/><path d="M9 15l3-3 3 3"/></svg></span> Certifications</h3><div class="cert-pills"><span class="cert-pill">ISO 27001:2022 Lead Auditor</span><span class="cert-pill">CHFI</span><span class="cert-pill">CTIA</span><span class="cert-pill">ECSA</span><span class="cert-pill">CEH</span></div></div>
<div class="cred-block" tabindex="0"><h3><span style="color:var(--gold)"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" style="vertical-align:-2px" aria-hidden="true"><path d="M6 9H4.5a2.5 2.5 0 010-5H6"/><path d="M18 9h1.5a2.5 2.5 0 000-5H18"/><path d="M4 22h16"/><path d="M10 14.66V17c0 .55-.47.98-.97 1.21C7.85 18.75 7 20.24 7 22"/><path d="M14 14.66V17c0 .55.47.98.97 1.21C16.15 18.75 17 20.24 17 22"/><path d="M18 2H6v7a6 6 0 1012 0V2z"/></svg></span> Recognition</h3><div class="award-item"><strong>CISO of the Year</strong><span>2022, 2023, 2025</span></div><div class="award-item"><strong>Top Cybersecurity Voice</strong><span>LinkedIn · 2023</span></div><div class="award-item"><strong>Best Cybersecurity Compliance Initiative</strong><span>Quantic India · 2025 (Locus)</span></div><div class="award-item"><strong>Panelist — BSides Ahmedabad</strong><span>2025</span></div></div>
<div class="cred-block" tabindex="0"><h3><span style="color:var(--gold)"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" style="vertical-align:-2px" aria-hidden="true"><path d="M12 2l8 4v6c0 5.5-3.8 10.7-8 12-4.2-1.3-8-6.5-8-12V6l8-4z"/></svg></span> AI Security Credentials</h3><div class="cred-item"><strong>Ph.D. thesis: AI and Cyber Security</strong><em>ISTM · 2021–2023</em></div><div class="cert-pills"><span class="cert-pill">NIST AI RMF (practitioner)</span><span class="cert-pill">ISO/IEC 42001 (practitioner)</span><span class="cert-pill">EU AI Act readiness</span><span class="cert-pill">OWASP Top 10 for LLMs</span></div></div>
</div>
</div>
</section>
<!-- ===== FAQ ===== -->
<section id="ai-security-faq" class="snap-section" aria-labelledby="faq-heading" style="background:var(--bg-primary)">
<!-- FAQ: native <details>/<summary> disclosure, no script needed for open/close and keyboard support comes for free. An <h3> is permitted as the sole child of <summary>, which keeps the questions in the heading outline. -->
<div class="container">
<div class="reveal"><div class="section-label">FAQ</div><h2 class="section-heading" id="faq-heading">AI Security, AI Governance & CISO Questions</h2><p class="section-sub">Short answers to the questions boards, recruiters, and engineers ask most often.</p></div>
<div class="faq-list reveal">
<details class="faq-item"><summary><h3>What does an AI security CISO actually do?</h3></summary><p>An AI security CISO owns the governance, risk, and controls for AI systems — from model supply chain and prompt injection defense to AI DPIA, AI TPRM, and NIST AI RMF / ISO 42001 alignment. Dr. Devam Shah leads this function at Locus (IKEA), running AI security governance, LLM security reviews, and AI red teaming alongside traditional CISO responsibilities.</p></details>
<details class="faq-item"><summary><h3>How do you govern LLMs and generative AI in an enterprise?</h3></summary><p>AI governance combines policy (acceptable use, data classification, model inventory), controls (input/output guardrails, prompt injection testing, PII redaction, rate limiting), and oversight (AI DPIA, AI TPRM, human-in-the-loop for high-risk decisions). At Locus, Dr. Shah established AI governance aligned to NIST AI RMF and ISO/IEC 42001, with automated guardrails across AI-assisted development pipelines.</p></details>
<details class="faq-item"><summary><h3>What is MLSecOps and how is it different from DevSecOps?</h3></summary><p>MLSecOps extends DevSecOps to the ML/LLM lifecycle — covering training data integrity, model provenance, adversarial robustness, prompt injection, model theft, and inference-time abuse. It adds AI-specific controls on top of SAST, SCA, DAST, and secrets scanning. Dr. Shah builds MLSecOps pipelines using open-source tooling and custom AI guardrails.</p></details>
<details class="faq-item"><summary><h3>How do you approach AI red teaming?</h3></summary><p>AI red teaming tests models and AI-powered applications against prompt injection, jailbreaks, data extraction, model evasion, and indirect injection via RAG sources. Vedha — Dr. Shah's open-source autonomous AI pentester — automates this across the OWASP Top 10 for LLMs and extends into traditional pentesting workflows.</p></details>
<details class="faq-item"><summary><h3>What does a DPO need to know about AI?</h3></summary><p>A DPO handling AI systems must run AI DPIAs, assess legal basis for training and inference, manage cross-border transfers under GDPR and DPDPA, track automated decision-making under EU AI Act high-risk categories, and coordinate with the CISO on model security. Dr. Shah operates as both CISO and DPO — making AI privacy and AI security a unified function rather than two siloed ones.</p></details>
<details class="faq-item"><summary><h3>Are you available for AI security board advisory or fractional CISO work?</h3></summary><p>Dr. Shah advises boards and executive teams on AI security strategy, AI governance program design, AI risk translation, and AI compliance readiness (NIST AI RMF, ISO/IEC 42001, EU AI Act). Contact via email or LinkedIn to discuss.</p></details>
</div>
</div>
</section>
<!-- ===== BLOG ===== -->
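<section id="ai-security-blog" class="snap-section" aria-labelledby="blog-heading">
<!-- Blog teasers. Each card is one <a href> wrapping the whole card, so the link's accessible name is the post title plus excerpt. The redundant tabindex="0" was dropped from the links (an <a href> is already in the tab order), and the dates are now <time datetime> at month precision; the .blog-date class is kept so existing styling still applies. -->
<div class="container">
<div class="reveal"><div class="section-label">Blog</div><h2 class="section-heading" id="blog-heading">Thoughts on AI Security & Governance</h2><p class="section-sub">Lessons from the trenches — AI risk, LLM defense, board-level security strategy, and building security tools in the open.</p></div>
<div class="blog-grid stagger">
<a class="blog-card" href="/blog/2026/ai-governance-failing.html">
<div class="blog-card-body">
<div class="blog-meta">
<time class="blog-date" datetime="2026-04">Apr 2026</time>
<span class="blog-category">AI Governance</span>
</div>
<h3>Why Your AI Governance Program Is Failing — And What to Fix First</h3>
<p class="blog-excerpt">Most enterprises treat AI governance as a checkbox exercise. After building AI governance programs across three companies, here's what actually works — and what's theater.</p>
<span class="blog-read-more">Read more</span>
</div>
<div class="blog-tags">
<span class="blog-tag">AI Governance</span>
<span class="blog-tag">NIST AI RMF</span>
<span class="blog-tag">ISO 42001</span>
</div>
</a>
<a class="blog-card" href="/blog/2026/prompt-injection-architecture.html">
<div class="blog-card-body">
<div class="blog-meta">
<time class="blog-date" datetime="2026-03">Mar 2026</time>
<span class="blog-category">LLM Security</span>
</div>
<h3>Prompt Injection Is Not a Bug — It's an Architecture Problem</h3>
<p class="blog-excerpt">Stop treating prompt injection like XSS. It's a fundamental trust boundary violation that requires architectural solutions, not input sanitization.</p>
<span class="blog-read-more">Read more</span>
</div>
<div class="blog-tags">
<span class="blog-tag">Prompt Injection</span>
<span class="blog-tag">LLM Security</span>
<span class="blog-tag">Architecture</span>
</div>
</a>
<a class="blog-card" href="/blog/2026/open-source-appsec-pipeline.html">
<div class="blog-card-body">
<div class="blog-meta">
<time class="blog-date" datetime="2026-02">Feb 2026</time>
<span class="blog-category">AppSec</span>
</div>
<h3>How We Reduced Late-Stage Vulnerabilities by 96% With Open-Source Tooling</h3>
<p class="blog-excerpt">Enterprise AppSec doesn't require enterprise licensing. Here's the open-source pipeline that outperformed six-figure commercial tools at Locus.</p>
<span class="blog-read-more">Read more</span>
</div>
<div class="blog-tags">
<span class="blog-tag">AppSec</span>
<span class="blog-tag">Open Source</span>
<span class="blog-tag">DevSecOps</span>
</div>
</a>
</div>
<div class="blog-cta reveal">
<a href="/blog/" class="c-btn ghost">View All Posts →</a>
</div>
</div>
</section>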
<!-- ===== LIVE CLOCK ===== -->
<section class="live-clock-section" id="cyber-since-2015" aria-labelledby="clock-heading">
<!-- Live counter. The four .clock-val cells and #epochNow start at 0 and are presumably filled by js/bundle.min.js (not visible here). #epochStart is the fixed Unix timestamp 1,435,708,800 = 2015-07-01T00:00:00Z, matching the "Since July 2015" heading. Do not add aria-live to the seconds cell: a once-per-second announcement would be unusable with a screen reader. -->
<div class="container">
<div class="reveal" style="text-align:center;margin-bottom:40px"><div class="section-label">Time in AI & Cyber Security</div><h2 class="section-heading" id="clock-heading" style="font-size:clamp(28px,3.5vw,40px)">Since July 2015</h2></div>
<div class="clock-grid reveal" id="liveClock">
<div class="clock-unit"><div class="clock-val" id="clockYears">0</div><div class="clock-label">Years</div></div>
<div class="clock-unit"><div class="clock-val" id="clockMonths">0</div><div class="clock-label">Months</div></div>
<div class="clock-unit"><div class="clock-val" id="clockDays">0</div><div class="clock-label">Days</div></div>
<div class="clock-unit"><div class="clock-val" id="clockSecs">0</div><div class="clock-label">Seconds</div></div>
</div>
<div class="epoch-display reveal" id="epochDisplay">
<div class="epoch-row">
<span class="epoch-fixed" id="epochStart">1,435,708,800</span>
<span class="epoch-arrow">→</span>
<span class="epoch-live" id="epochNow">0</span>
</div>
</div>
</div>
</section>
<!-- ===== AI CHAT ===== -->
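<section class="chat-section" id="ai-security-chat" aria-labelledby="chat-heading" style="background:var(--bg-primary)">
<!-- AI chat widget. This markup is static; sending #chatInput to the backend and appending replies to #chatMessages happens in js/bundle.min.js (not reviewed here). Both directions are untrusted: the visitor's text, and the model's reply, which can be steered by prompt injection. NOTE(review): confirm in the bundle that replies are inserted as text (textContent / createTextNode), never as HTML, and that length and rate limits are enforced server-side rather than trusted from this page. -->
<div class="container">
<div class="reveal"><div class="section-label">Ask Me Anything</div><h2 class="section-heading" id="chat-heading">Talk to my AI</h2><p class="section-sub">Your AI security & AI governance advisor. Ask about LLM defense, AI DPIA, AI red teaming, or how I'd handle a specific AI risk.</p></div>
<div class="chat-window reveal" id="chatWindow">
<div class="chat-bar panel-bar">
<div class="mac-dot r"></div><div class="mac-dot y"></div><div class="mac-dot g"></div>
<span class="chat-bar-title">devam.ai — ask Dr. Devam R Shah anything</span>
</div>
<div class="chat-messages" id="chatMessages">
<div class="chat-msg"><div class="chat-avatar ai">DS</div><div class="chat-bubble">Hi — I'm an AI trained on Devam's background as a CISO, DPO, and AI security leader. Ask about AI security, AI governance, LLM defense, or how he'd handle a specific challenge. <strong>Try: "How do you govern LLMs at Locus?" or "What's in your AI DPIA playbook?" or "Walk me through AI red teaming."</strong></div></div>
</div>
<div class="chat-input-area">
<!-- The <label for> already gives the input its accessible name, so the duplicate aria-label was removed; enterkeyhint only changes the mobile keyboard's action key label. -->
<label for="chatInput" class="sr-only">Ask Devam a question</label>
<input type="text" class="chat-input" id="chatInput" placeholder="Ask about experience, approach, challenges..." autocomplete="off" enterkeyhint="send">
<!-- type="button": a bare <button> defaults to submit, which would trigger a page submit if this widget is ever placed inside a <form>. -->
<button type="button" class="chat-send" id="chatSend">Ask</button>
</div>
</div>
</div>
</section>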
<!-- ===== CONTACT ===== -->
<section id="ai-security-contact" class="contact-section" aria-labelledby="contact-heading">
<!-- Contact block. The terminal mock-up (.ct-*) is purely decorative static text, not an input. Contact actions are a mailto link (address published in clear by choice) and two external links that open in a new tab with rel="noopener". -->
<div class="container">
<div class="contact-term reveal">
<div class="ct-line"><span class="ct-p">$</span> <span class="ct-c">devam --strategic-inquiry</span></div>
<div class="ct-line"><span class="ct-o">Listening. What's the challenge?</span></div>
<div class="ct-line"><span class="ct-p">$</span> <span class="ct-cursor"></span></div>
</div>
<div class="reveal">
<h2 id="contact-heading" class="decrypt-reveal">The right AI security leader<br>changes <em>everything.</em></h2>
<p class="contact-sub">Whether it's a board that needs AI risk translated into business language, an AI platform that needs securing, or a crisis that needs steady hands — I've been there. AI security strategy · AI governance · board advisory.</p>
<div class="contact-actions">
<a href="mailto:devamshah91@gmail.com" class="c-btn primary">Start a Conversation</a>
<a href="https://www.linkedin.com/in/thedevam/" class="c-btn ghost" target="_blank" rel="noopener">LinkedIn</a>
<a href="https://github.com/DevamShah" class="c-btn ghost" target="_blank" rel="noopener">GitHub</a>
</div>
</div>
</div>
</section>
</main>
<!-- ===== FOOTER ===== -->
<footer>
<!-- Page footer: copyright line only, no links or scripts. -->
<div class="container">
<div class="footer-inner">
<p>© 2026 Dr. Devam R Shah · Securing AI systems · Governing AI risk · Built in the open</p>
</div>
</div>
</footer>
<!-- Back to Top -->
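<!-- Back-to-top control; the click handler is bound in js/bundle.min.js. type="button" is explicit because a <button> defaults to submit. aria-label names the icon-only control. -->
<button type="button" class="back-to-top" id="backToTop" aria-label="Back to top">↑</button>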
<!-- Scripts -->
<!-- Single deferred same-origin bundle; the clock, chat and reveal behaviour are presumably wired here (not visible in this file). Being same-origin, SRI is optional. If a Content-Security-Policy is introduced, note that this page's inline style="" attributes require style-src 'unsafe-inline' or hashed entries. -->
<script defer src="js/bundle.min.js"></script>
</body>
</html>