TonyAI
Tony Trujillo
Founder & Principal Engineer
Scan to save contact
Scan to connect

TonyAI Shield Click a shield to expand details
PhalanxAI Security LLC

Zero Trust doesn't slow AI down. It makes AI trustworthy.

Agentic AI · MCP Security · Zero Trust Engineering · Identity · AI Governance

💰 AI Cost Engineering
RAG pre-filter — retrieve only what's needed
Prompt caching — stop paying for repeated context
Spend caps — hard limits, no surprise bills
Model tiering — Haiku for simple tasks, Opus for hard ones
Context budgeting — 2k tokens, not 100k
Internal RAG — on-prem retrieval, zero per-query API cost
★ New
Production-Grade Zero Trust OBO Platform 🎬 60-sec demo
Toggle details

One Zero Trust OBO contract. Four languages. Cryptographically sealed audit log. Built natively on AWS Cognito.

How do you guarantee bulletproof authorization across a fragmented polyglot stack?

  • 4 Native Implementations: Shared auth contract running seamlessly across Python, Java, TypeScript, and C#.
  • Policy as Code — Hot-Swappable: Cedar (sub-millisecond in-memory) and OpenFGA/Zanzibar (gRPC) toggled via feature flags. Authorization logic lives in code, not config files.
  • Tamper-Proof Auditing: Every lifecycle event hits an HMAC-SHA256 hash-chained log. Tampering instantly breaks the chain; verified live via GET /audit.
  • Least Privilege by Default: Zero-trust JWT validation enforces minimum-scope access across all four runtimes. Trust boundary defined in code, not firewall rules. Backed by 240+ integration tests.
  • 100% Automated IaC: CloudFormation completely models the serverless infrastructure, including API Gateway, custom-branded Cognito Managed Login, and Lambdas.
TypeScript / ExpressJava 17 / Spring Boot 3C# / ASP.NET CorePython / FastAPI CedarOpenFGA / ZanzibargRPC AWS CognitoAWS LambdaAPI GatewayAWS SAM (IaC)Docker Compose JWT RS256HMAC-SHA256RFC 8693 (OBO)RFC 9562 (UUIDv7)
NIST 800-207Zero TrustSOC2OWASP A01 / A07 / A09
Autonomous Agentic OBO (Okta) 🎬 60-sec demo
Toggle details

Agentic AI with no standing authority. The agent acts only within the human's live permissions — cryptographic delegation, not assumed trust.

When an AI agent triggers a high-value transaction or accesses sensitive data, who actually authorized it?

  • Cryptographic Delegation: Uses RFC 8693 Token Exchange to mint highly scoped tokens containing explicit actor context (sub=user, act=agent).
  • DPoP Protection: Binds access tokens to the runtime client via RFC 9449, rendering intercepted tokens completely useless to attackers.
  • Agentic Workflow Gate: 6-step enforcement — Okta OIDC → ReBAC → token exchange → DPoP binding → JTI check → kill switch. Every step in the agentic workflow is a trust boundary.
  • AI Governance Audit Chain: Streams every agentic action into an append-only HMAC-SHA256 log. Non-repudiation — provable who authorized what, when, and under which permissions.
  • Replay Defenses: Mitigates token theft with aggressive JTI replay prevention, short-lived lifecycles, and RP-initiated logouts.
TypeScript / Node / ExpressReact Okta Identity Platform RFC 8693 Token ExchangeDPoP (RFC 9449) OIDC / SAML 2.0ReBAC BFS EngineJWT RS256 / JTI HMAC-SHA256 Audit ChainPostgreSQLDocker Compose
NIST 800-207SOC2OWASP A01 / A07OWASP LLM06 (AI Security)
Custom Token Exchange Engine (AWS Cognito) 🎬 45-sec demo
Toggle details

Custom token exchange engine on AWS Cognito. Issues 15-minute scope-locked OBO JWTs where the IdP won't — stateless enforcement at every API call.

How do you enforce short-TTL, granular permissions on every API call when using an IdP that lacks native token exchange support?

  • Custom RFC 8693 Plane: Engineered a lightweight AWS Lambda Layer that intercepts user tokens and self-mints independent, cryptographically isolated RS256 OBO tokens.
  • Least Privilege at the Exchange Layer: Real-time ReBAC graph traversal at token issuance — permissions scoped to exactly the target action, nothing broader. Trust boundary enforced before the token leaves the gate.
  • Dual-Layer Fail-Closed Lock: Enforces instant global revocation via a synchronized system that writes the unique jti to a DynamoDB blocklist while wiping active sessions from ElastiCache Redis.
  • Ultra-Fast Validation: Downstream Spring Boot microservices act as lean OAuth2 Resource Servers, running sub-millisecond local cryptographic signature checks with zero runtime IdP overhead.
Java 17 / Spring Boot 3Spring SecurityOAuth2 Resource Server AWS Cognito AWS Lambda (Custom RFC 8693 Engine)DynamoDB Global TablesAmazon ElastiCache Redis TypeScript / ReactJWT RS256 / JTI BlocklistReBAC BFS EngineVite HMRAWS SAM (IaC)
NIST 800-207Zero TrustSOC2OWASP A01 / A07
Autonomous Code Reviewer (Auth0 + MCP) 🎬 60-sec demo
Toggle details

Autonomous AI agent with zero standing privileges. Every PR reviewed under a verified, ephemeral machine identity — fails closed, every time.

How do you catch hardcoded secrets or injection vulnerabilities before merge using an agent with its own verified cryptographic identity?

  • Verified Webhook Pipe: Intercepts GitHub PR events, immediately verifying payloads via secure cryptographic HMAC signatures.
  • Workload Identity — Zero Standing Privilege: Fetches short-lived, 1-hour Auth0 M2M tokens scoped to one repo. The agent's workload identity expires — no persistent access, instant global revocation.
  • Agentic MCP Architecture: Leverages Model Context Protocol (MCP) to supply Claude with deep context, moving beyond naive regex to reason deeply about diffs.
  • Inline Guardrails — OWASP LLM Top 10: Streams vulnerability findings directly back to GitHub, pinning OWASP violations to the exact line. LLM output governed, not trusted.
  • Deterministic Audit Trail: Logs every agent action into an HMAC-signed audit entry, strictly enforcing a fail-closed posture across all error paths.
Python / FlaskClaude APIModel Context Protocol (MCP) Auth0 M2M GitHub WebhooksTerraform (IaC)HMAC-SHA256ngrok
OWASP Top 10OWASP A02 / A03SOC2Zero Trust
Phalanx — IETF A2A Certificate Implementation Toggle details

Cryptographic identity at birth for every AI agent — zero standing access, policy-locked from first call.

How do you give every AI agent a verifiable identity at birth — and guarantee it has zero standing access from first call?

  • Multi-Agent Trust — IETF A2A: Every agent receives an X.509 cert at birth. Multi-agent workflows enforced at the identity layer — no cert, no call, no exceptions.
  • MCP Security Gate: Verifies identity + ReBAC on every invocation in the agentic workflow. No bypass path — least privilege enforced at the trust boundary.
  • Credential-Blind Agents: HashiCorp Vault owns all secrets. Agents never hold credentials — workload identity is ephemeral, scoped, and revocable.
  • HMAC-SHA256 Audit Chain: Every decision hashed and chained. AI governance built in — full chain of custody across every agent action.
  • Guardrails — Pre-LLM: Poison pill detection kills injected payloads before the LLM processes them. OWASP LLM Top 10 enforcement at the gate, not the prompt.
IETF A2AMCP Security GateVaultReBACmTLSJWT/JWKHMAC-SHA256Python
SOC2HIPAAPCI-DSSFIPS 140-3OWASP Top 10MITRE ATLAS
Zero Trust Payments with AI 📷 Preview demo
Toggle details

AI recommends. Policy decides. Money never moves on AI confidence alone.

How do you put AI in a payments pipeline without letting it move money on its own authority?

  • Guardrails — Deterministic Gate: Prompt Evaluation Gate sits pre-execution. Pure Python, four checks, zero LLM variance, zero overrides. Fail one, hard stop. No AI confidence bypasses policy.
  • Human-in-the-Loop by Design: AI recommends. Human-defined policy executes. Money never moves on model confidence alone — the architecture enforces HITL, not a setting.
  • AI Governance Audit Trail: Every recommendation, gate decision, and outcome KMS-signed and immutably logged. Regulators get cryptographic proof, not log files.
  • ReBAC Kill Switch: Revoke one relationship — the entire agentic transaction chain dies instantly. Least privilege enforced at the trust boundary, not the API.
Prompt Evaluation GateReBACPythonClaude SonnetKMSJWT RS256DynamoDBRedis
PCI-DSSSOC2NIST 800-207OWASP Top 10
IETF Internet-Draft — Agent-to-Agent Trust
Toggle details

First author defining the IETF standard for agent-to-agent trust — every clause runs as working code.

★ IETF AUTHOR
Datatracker → GitHub PoC →

What does it take to define agent-to-agent trust as an Internet Standard — and ship working code that proves every clause?

  • Multi-Agent Trust Standard: Defines how agents verify each other's identity across agentic workflows — X.509 chain validation, CRL lookup, file-locked replay protection. 8-stage fail-closed, no fallback.
  • Policy as Code — Dual Signature: Policy updates require both the template owner's signature and the Policy Authority countersign. Governance enforced in code, not process.
  • 50/50 Conformance + 34/34 Red-Team: 100% pass rate against every IETF draft vector and every attack scenario. OWASP LLM Top 10 and MITRE ATLAS attack patterns covered. No known gaps.
X.509 PKICedar PolicyPython 3.12Claude SonnetAWS KMSS3SHA-256 Audit ChainTerraform (IaC)Docker Compose
IETF Standards TrackNIST 800-207OWASP Top 10Zero Trust
Secure RAG — Zero Trust Demo
Toggle details

Same AI, same query, different identity — different answer. Zero Trust enforces it, not the prompt.

How do you serve the right data to the right identity — and prove the wrong identity never saw it?

  • Identity-Gated RAG: JWT claims map to ReBAC policies that filter Bedrock Knowledge Base lookups at query time. Least privilege enforced at the retrieval layer — Claude never sees data it's not cleared for.
  • Guardrails Before the LLM: Enforcement stack strips unauthorized context before a single token reaches Claude. OWASP LLM Top 10 — no prompt-level workaround, no jailbreak path to PHI.
  • AI Governance — Full Chain of Custody: Every query, retrieval, and response bound to a single immutable correlation ID. Audit trail proves the right identity got the right data. Nothing silent.
AWS Bedrock KBPineconeReBACJWT RS256PythonMCP ResourcesClaude CodeRedisTerraform (IaC)
HIPAASOC2NIST 800-207OWASP Top 10
Last Mile Zero Trust — Platform
Toggle details

No static credentials. No inbound firewall holes. Every hop enforced, no hop trusted.

How do you connect a cloud MCP agent to an on-prem database with zero static credentials and zero inbound firewall rules?

  • Outbound-Only Transport: On-prem relay polls AWS SQS — no inbound ports, no VPN, no firewall hole. Trust boundary is architectural, not a rule.
  • Vault PKI — Least Privilege Credentials: Short-lived X.509 certs replace every static DB credential. Scoped to read or write — nothing broader. Cert expires, access is gone.
  • JWT → ReBAC → DB Trust Chain: Agentic workflow enforces identity at every hop. JWT claims → ReBAC evaluation → cert-gated DB access. No hop trusted, no step skipped.
  • AI Governance Audit Trail: Every agentic request logged — identity, resource, scope, outcome. ALLOWED or DENIED. Full chain of custody, nothing silent.
HashiCorp VaultAWS SQSReBACJWT RS256PostgreSQL 16MCPPythonRedisTerraform (IaC)Docker Compose
SOC2PCI DSS v4FIPS 140-3NIST 800-207
Sentinel FIPS — AWS-Native FIPS 140-3
Toggle details

KMS-signed decisions, locked in S3 Object Lock — even root can't delete the evidence.

How do you prove an authorization decision was made correctly — and that no one, including root, can alter the record after the fact?

  • AI Governance — Immutable by Design: Decisions committed as hashes to S3 Object Lock (COMPLIANCE mode). Root cannot delete. Regulators get cryptographic proof of every authorization decision.
  • FIPS 140-3 KMS Signatures: Every auth decision and audit entry signed in real time with validated KMS keys. Cryptographic proof, not a log statement — FedRAMP High ready.
  • Policy as Code — Cedar + AVP: Authorization logic in Cedar, evaluated serverless in Lambda. Microsecond multi-tenant policy gate — least privilege enforced at the decision layer, not the perimeter.
AWS KMSS3 Object LockCedar / AVPAWS LambdaDynamoDBCloudTrailPythonAWS SAM (IaC)
FIPS 140-3FedRAMP HighNIST 800-53SOC2
Sentinel MCP — AWS Ops Toolkit
Toggle details

Security investigations: 45 minutes → 60 seconds. Plain English in, forensically verified answer out.

How do you let an AI agent investigate live AWS infrastructure — and guarantee every query it runs is signed, tracked, and provable?

  • Agentic Workflow — MCP Forensics: Natural language drives an autonomous multi-service AWS investigation. The agentic workflow spans CloudTrail + CloudWatch + DynamoDB in a single governed query.
  • 45 min → 60 sec: Security investigations that required a senior engineer now run in under a minute — same depth, deterministic output, guardrails on every LLM action.
  • AI Governance — KMS-Signed Queries: Every LLM-driven infrastructure query signed via AWS KMS and bound to an immutable tracking ID. No agentic action is unverifiable.
FastMCPPythonBoto3CloudTrailCloudWatchAWS KMSDynamoDB
SOC2OWASP Top 10NIST 800-207
RAG Knowledge Assistant — Enterprise AI Adoption
Toggle details

Sensitive data never leaves the building. AI answers from local context — no cloud API, no data exposure, no runaway spend.

How do you deploy AI-assisted onboarding without letting sensitive data escape the building or costs spiral out of control?

  • Local-First RAG — Trust Boundary: Context parsing and retrieval stay entirely on-prem. The trust boundary is architectural — sensitive records never touch an external API, not a policy promise.
  • Auto-Ingestion Pipeline: Corporate docs, internal ADRs, and runbooks parsed and indexed automatically. New engineers productive in hours, not weeks.
  • Guardrails + Hard Spend Caps: AI governance built in — programmatic token budgeting, hard cost ceilings, and inference guardrails. Predictable spend, no runaway LLM costs.
  • Cost Savings at Scale: Local retrieval eliminates per-query cloud API costs entirely. At enterprise scale, internal RAG cuts AI inference spend by 60–80% versus cloud-only retrieval — architectural savings, not a promise.
TypeScriptNode.jsAnthropic SDKJSON Knowledge StoreToken Budgeting
SOC2OWASP Top 10Zero Trust
← Portfolio
← Portfolio Zero Trust ATM Demo