About

CRAIG ALLAN-MCWILLIAMS


I build security for AI systems that make decisions and take actions without human supervision — what the industry is starting to call agentic infrastructure, and what I’d argue is one of the least-protected attack surfaces in modern enterprise today.

My flagship project is raucle — an open-source library (Apache-2.0) that produces a cryptographic capability receipt for every action an AI agent takes. The receipt is signed, content-addressed, and verifiable by any third party without contacting the vendor. It is built for the audit problem regulated industries actually have: proving what your agents did, under what authority, and against what policy. The technique is under submission at IEEE Security & Privacy 2027. The repository is at github.com/craigamcw/raucle.

The hard questions I work on: how do you set meaningful trust boundaries for autonomous agents? How do you audit their decision-making in real time? How do you stop an AI system becoming a lateral movement vector into critical infrastructure?

These aren’t hypothetical — organisations deploying agents at scale face them now.

As a practitioner I’ve spent 25 years as a security engineer and architect across banking, government, and global enterprise — building CI/CD pipeline security, hardening AWS environments at scale, engineering SIEM and forensics capabilities, and leading security programmes from the ground up. I hold SABSA Chartered Architect, CISSP, AWS Security Specialty, CCSK, and MITRE ATT&CK certifications, and I think about security as a system property, not a bolt-on.

I bring both sides of the table: the technical depth to architect and engineer secure infrastructure, and the commercial fluency to explain why it matters to a board.

What I care about: agentic AI security · open-source tooling · securing systems that organisations don’t yet know how to name · building before the threat arrives


Core Expertise

  • Agentic AI Security
  • Security Engineering
  • AWS Cloud Security
  • CI/CD Pipeline Security
  • SABSA Security Architecture
  • DevSecOps
  • Enterprise Risk Management