AI research
Papers and publications
Recent papers and long-form publications, newest first. Where a public arXiv version exists, it is linked directly.
The current thread running through the work is AI safety, agent security, model unlearning, LLM robustness, confidential systems, and infrastructure at cloud scale.
2026
Optimizing Agent Planning for Security and Autonomy
This paper argues that deterministic, information-flow-based defenses for AI agents become much more practical once planning is optimized correctly. The work focuses on preserving strong security guarantees against indirect prompt injection without paying unnecessary costs in task completion or token usage.
GRP-Obliteration: Unaligning LLMs With a Single Unlabeled Prompt
GRP-Obliteration studies how fragile safety alignment can be after deployment. It shows that a model can be substantially unaligned with a surprisingly small amount of unlabeled fine-tuning signal, which sharpens the case for stronger post-deployment defenses.
Hey, That’s My Model! Introducing Chain & Hash, an LLM Fingerprinting Technique
Chain & Hash tackles the problem of model theft and misuse by proposing an LLM fingerprinting method with concrete properties such as persistence, robustness, and unforgeability. It is about proving lineage, not just detecting similar behavior.
Redefining the Software Engineering Profession for AI
An ACM article on how AI changes the core expectations of software engineering practice, mentorship, and technical judgment.
2025
The Price of Intelligence
This ACM article argues that LLM deployment comes with structural risks around memorization, manipulation, and control, and that those risks have to be treated as system properties rather than edge cases.
A Representation Engineering Perspective on the Effectiveness of Multi-Turn Jailbreaks
This paper analyzes why multi-turn jailbreaks remain effective even against stronger aligned models. By looking at the attack through internal representation changes, it explains how conversational state can be gradually steered into unsafe regions.
LogiPlan: A Structured Benchmark for Logical Planning and Relational Reasoning in LLMs
LogiPlan introduces a benchmark for testing whether LLMs can reason over structured relationships and carry out planning across them. The emphasis is on the kinds of relational reasoning that matter for knowledge graphs, infrastructure, and business workflows.
LLMail-Inject: A Dataset from a Realistic Adaptive Prompt Injection Challenge
LLMail-Inject captures prompt-injection attempts in a more realistic adversarial setting. The dataset is designed to help evaluate defenses against attacks that adapt over time instead of following a fixed benchmark script.
Securing AI Agents with Information-Flow Control
This work applies information-flow control to AI agents so that systems can reason formally about what an agent is allowed to read, trust, and act on. The goal is to block prompt injection and unsafe tool use with system-level guarantees instead of ad hoc heuristics.
Jailbreaking is (Mostly) Simpler Than You Think
This paper proposes the Context Compliance Attack, an optimization-free jailbreak that exploits how many AI systems use prior conversation context. It shows that some safety failures come less from exotic prompt engineering and more from structural weaknesses in conversation design.
Obliviate: Efficient Unmemorization for Protecting Intellectual Property in Large Language Models
Obliviate targets verbatim memorization in language models with a lightweight post-training approach. The paper focuses on reducing copyrighted text leakage while preserving model utility better than heavy-handed unlearning or shallow output filtering.
Lessons From Red Teaming 100 Generative AI Products
This paper distills what Microsoft learned from red teaming more than 100 generative AI products. It proposes a threat-modeling vocabulary and a set of practical lessons for running safety and security assessments at scale.
Great, Now Write an Article About That: The Crescendo Multi-Turn LLM Jailbreak Attack
Crescendo shows how a harmless-looking multi-turn conversation can gradually walk an aligned model into unsafe output. The work became one of the clearest demonstrations that jailbreak risk cannot be evaluated only on single-prompt attacks.
2024
The Price of Intelligence: Three Risks Inherent in LLMs
A Queue article distilling three persistent risks in LLM systems: memorization, manipulation, and the difficulty of auditing behavior once models are deployed at scale.
Confidential Computing Proofs
This article explains how confidential-computing systems can produce proofs about code and execution, so attestation says something meaningful about what is running and why it should be trusted.
2023
Why Should I Trust Your Code?
This article explains why trusted execution environments still need transparent build and deployment evidence before users can believe the code inside them is actually trustworthy.
Confidential Computing: Elevating Cloud Security and Privacy
A concise ACM overview of why confidential computing matters for cloud platforms that need to protect sensitive data while it is actively being processed.
Confidential Consortium Framework: Secure Multiparty Applications with Confidentiality, Integrity, and High Availability
This paper presents the Confidential Consortium Framework as a foundation for secure multiparty applications that need confidentiality, integrity, and availability together. It connects confidential computing ideas to practical, high-availability distributed systems.
Who’s Harry Potter? Approximate Unlearning in LLMs
This paper explores whether a model can forget a subset of its training data without full retraining. It became an early and influential example of targeted unlearning for copyrighted content inside large language models.
Why Should I Trust Your Code? Confidential Computing Enables Users to Authenticate Code Running in TEEs, but Users Also Need Evidence This Code Is Trustworthy.
An expanded Queue treatment of the same software-trust problem, with more detail on attestation, supply chains, and what trustworthy deployment evidence should look like.
Confidential Computing: Elevating Cloud Security and Privacy: Working toward a More Secure and Innovative Future
A Queue essay on how confidential computing extends cloud security guarantees from data at rest and in transit to data while it is in active use.
2022
Singularity: Planet-Scale, Preemptive and Elastic Scheduling of AI Workloads
Singularity describes Microsoft’s global scheduler for AI training and inference workloads. The paper is about cost, utilization, reliability, and how to preempt and resize jobs across a planet-scale cloud environment.
IA-CCF: Individual Accountability for Permissioned Ledgers
IA-CCF extends permissioned ledgers with stronger individual accountability guarantees. The goal is to make it easier to attribute faults and misbehavior even in systems that already rely on Byzantine fault tolerance for baseline safety.
2021
Toward Confidential Cloud Computing
This article lays out the case for extending hardware-enforced protection to data while it is in active use, making confidential computing a first-class cloud security primitive.
Virtual Machine Preserving Host Updates for Zero Day Patching in Public Cloud
This systems paper explains how a public cloud can patch hosts urgently without forcing tenant VMs to stop, reducing both exposure time and operational disruption.
Toward Confidential Cloud Computing: Extending Hardware-Enforced Cryptographic Protection to Data While in Use
A longer Queue version of the confidential-computing argument, with additional focus on trust boundaries, attestation, and practical deployment models.
2020
Toward ML-Centric Cloud Platforms
This paper frames how cloud platforms need to evolve when machine-learning workloads become central, with emphasis on utilization, scheduling, and infrastructure design.
Protean: VM Allocation Service at Scale
Protean covers large-scale VM allocation in Azure, focusing on the practical tradeoffs required to place workloads efficiently while honoring real-world operational constraints.
Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud Provider
This paper studies the real workload mix behind serverless computing at Azure scale. It looks at cold starts, provisioning tradeoffs, and the operational data needed to make serverless platforms both fast and cost-effective.
Selected repositories
RefChecker
A tool for validating academic references, finding broken citations, and catching hallucinated bibliography entries.
Other public projects
TaskManagerBitmap, DesktopOrganizerBot, and other experiments live on the GitHub profile.