$ whoami

jake.miller

  • practitioner-researcher · ai security & agent systems
  • writes ietf drafts, whitepapers, and exploit labs
  • ships research as code and talks, not theses
Jake Miller
ex-Salesforce | 3x Founder | Software Engineer | Adversarial AI Engineer

## research/

practitioner-led research on the security of ai systems and the protocols agents will run on. published in the open — ietf drafts, whitepapers, working code.

PINNED
type whitepaper · area ai security · status WIP · target Q2 2026

the exploit wasn't in the prompt

emergent exploit formation in agent swarms

Security teams are learning to defend AI agents against prompt injection, tool misuse, and unsafe permissions. Multi-agent systems introduce a harder failure mode: the exploit may not be present in the prompt at all. Each message can look benign, each agent authenticated, each tool call locally valid — and the swarm still produces a working exploit.

the first generation of ai attacks was injected.
the next generation may be emergent.

preprint coming soon →

## publications/

essays and pattern libraries — written for practitioners, kept current as the field shifts.

## talks/

technical talks on ai security, agent-swarm attack surfaces, and the new failure modes of autonomous systems. calibrated for the audience — same underlying research, different depth.

the exploit wasn't in the prompt

emergent exploit formation in agent swarms

A new class of agentic security failure where unsafe behavior is synthesized through agent-to-agent interaction rather than directly supplied by a user, document, or attacker. Every message benign, every agent authenticated, every tool call locally valid — and the swarm still ships a working exploit. Live demo, taxonomy, and defenses (intent objects, semantic diffing, swarm-level kill conditions, agentic forensics).

tags agent-swarms · multi-agent · forensics
[00]
engineers / red teams

beyond prompt injection

Multi-agent attack surfaces and how locally valid steps assemble into globally exploitable chains.

  • tool-call compression, intent drift, delegation laundering
  • why audit logs prove action, not intent
  • building intent-bound tool calls and semantic diffs
  • test patterns for locally benign / globally unsafe flows
[01]
cisos / security leadership

the conversation is the attack surface

A threat-model shift for security leaders running ai in production — where injection ends and emergence begins.

  • why prompt-injection defenses miss emergent attacks
  • conversation-level threat modeling and kill conditions
  • what to demand from ai vendors and mcp integrations
  • what "enterprise-ready" means for autonomous agents
[02]
standards / protocol audiences

zero trust for the agent era

Identity and network-layer primitives for an internet where the principal making a request is an agent.

  • ztip / ztnp: what an agentic internet actually needs
  • cryptographic identity for non-human workloads
  • posture, policy, and provenance carried on the wire
  • why bolting agents onto today's auth is not enough
[03]
ai researchers / practitioners

agentic forensics

alt: "how did the system come to believe this was the right thing to do?"

An investigative discipline for multi-agent systems — reconstructing how a swarm formed unsafe operational intent.

  • from action provenance to intent and idea provenance
  • conversation graphs, idea lineage, dissent ledgers
  • distinguishing malicious influence from benign drift
  • forensic recoverability as a system requirement
[04]
boards / executive leadership

when the agent invents the attack

What boards need to ask differently when no one explicitly requested the unsafe action.

  • the shift from injected exploits to emergent ones
  • why signed receipts can prove "what" but not "why"
  • where liability lands in a multi-agent stack
  • buying signals: what mature ai security looks like
[ + ]
bespoke

custom keynote

Every talk can be tailored. Different audiences get different depth, framing, outcomes — same core insights.

  • students & emerging researchers
  • internal company offsites
  • workshops, panels, fireside chats

## /etc/principles

how the work runs, written down so it can be held against the output.

research that ships

every claim built on working code, repeatable labs, and traces you can replay. no hand-waving, no academic distance from the system.

published in the open

ietf drafts, whitepapers, repos, and demos — where the community can read, break, and extend the work. findings belong to the field.

adversarial honesty

show the failure mode before the fix. build the threat before the defense. the point is not to reassure — it is to be correct about what is broken.

## ~/about

practitioner-researcher. 20+ years in software, now hands-on with ai security and the protocols underneath it.

Jake Miller

Jake Miller is a practitioner-researcher focused on how AI systems fail in real-world environments — across LLM applications, RAG pipelines, agents, tools, MCP architectures, APIs, workflows, and the infrastructure they depend on.

His work explores the gap between AI security theory and production reality: what breaks, how it breaks, whether it is exploitable, and what evidence is needed to prove a fix actually holds. He's especially interested in agentic systems, human-in-the-loop validation, continuous testing, prompt and workflow attack surfaces, and the emerging security boundaries between models, tools, memory, and data.

Jake has spent more than two decades building software across startup, enterprise, and private-equity-backed environments. He previously led engineering at ExactTarget / Salesforce Marketing Cloud on Journey Builder, growing from Senior Engineering Manager to Director of Software Engineering. He later co-founded Metaimpact as CTO and founded The Engineered Innovation Group as CEO.

Today, Jake builds and studies AI security systems through hands-on experimentation, field research, simulations, and platform work. The goal: help builders and defenders move beyond AI anxiety toward durable confidence — understanding what can break, how attackers may exploit it, and how teams can close the loop in real systems.

now building zivis · ai red-team platform & trust profiles
then exacttarget/salesforce · metaimpact · engineered innovation group
tags agent security · red teaming · ietf · zero trust · whitepapers

## ./contact

open inbox. i respond within 24 hours.

conferences & keynotes.

executive briefings & board sessions.

research collaborations & co-authorship.

press & analyst inquiries.

or → jake@zivis.ai