Toward AI systems that are secure, frugal, and governable as they evolve.

Today's agentic systems combine LLM reasoning, tool use, persistent memory, and multi-agent delegation — a surface area that traditional AppSec was never designed to cover. Our work formalises control objectives for agent runtimes: blast-radius bounds for tool-calls, integrity guarantees on memory, and attestation across agent-to-agent hand-offs.

Current investigations include defenses against prompt-injection chains via RAG, model inversion in fine-tuned domain models, data poisoning in continual-learning pipelines, and evasion attacks on inference platforms (vLLM, Hugging Face, Slurm-scheduled jobs).

LLM cost today scales with context length; intelligence does not. We study how to replace recomputation with accumulated experience: structured episodic memory, distilled procedural skills, and verifiable retrieval that lets an agent answer a recurring class of questions without re-paying for the reasoning each time.

The goal is a measurable reduction in tokens-per-decision on production workloads, without sacrificing factuality — a prerequisite for any agentic system that must run continuously inside an enterprise budget.

Modern AI stacks rewrite themselves: weights are updated, prompts are rewritten by other prompts, agents spawn agents. Single-layer policy is insufficient. We are developing a meta-control approach that treats the AI system itself as the object of governance — explicit invariants on the trajectory of change, with audit trails that survive across model swaps and platform migrations.

The framing draws on classical control theory, software supply-chain integrity, and threat modeling adapted for systems whose own behaviour is the deployment artefact.