Ashish A.

CISO (AI & Security), Tegra118/IC| Independent Researcher — AI-speed threats & mathematical frameworks | ISO 42001 · ISO 27001 Lead Auditor | ORCID: 0009-0006-0530-5235

Belle Mead, New Jersey, United States

About

On 7 April 2026, an AI system autonomously discovered thousands of zero-day vulnerabilities across global critical infrastructure. Hours. Not months. Not years. I've spent 20 years working cybersecurity for financial institutions — the Federal Reserve, Citigroup, Morgan Stanley, DTCC. I know what a broken control looks like from the inside. April 7th told me three ISO 27001 controls weren't just degraded. They were structurally broken. I did what I do when the tools stop working. I went to the math. Three controls — A.8.8, A.8.16, A.8.15 — fail not because they're implemented poorly. They fail because their founding operational assumption — that human response can close within the available window — no longer holds. I mapped every relevant MITRE ATT&CK v15 technique against each control, scored the Brewer & List class shift, and grounded it in DBIR breach data (n=12,195). The result: a control that reports green while providing zero protection. That's not a gap. That's a trap. I am also an independent researcher (ORCID: 0009-0006-0530-5235) working at the intersection of advanced mathematics and AI-speed security threats. The frameworks I apply draw on Ramanujan's mock theta functions and the Atiyah-Singer index theorem — tools developed decades before the internet existed, now uniquely suited to detecting structural failure in complex systems operating at machine speed. AI will not fix what AI broke. Speed layered on a broken architecture produces faster failure, not security. The correct response is architectural: identify which controls require redesign, which retain forensic value, and what a mathematically grounded direction signal actually looks like. That's what I'm building. 20 years. 600+ risk assessments. 7 of the first 12 ISO 27001 certifications in the United States. Federal Reserve. Citigroup. Morgan Stanley. DTCC. Reuters. The practitioner experience tells me what's broken. The mathematics tells me why — and what comes next.

Experience

  • CISO Trading and Portfolio Management/Tegra118 at InvestCloud, Inc.
    Apr 2017 - Present · 9 yrs 4 mos

  • Manager, Risk Assessments at PwC
    Mar 2015 - Mar 2016 · 1 yr 1 mo

    1. Mizuho Bank 2. Mitsubishi Union Bank 3. Mitsubishi Union Trust Bank

  • Manager at Deloitte
    Jun 2011 - Mar 2015 · 3 yrs 10 mos

    1. Capital One (SOC, PCI Compliance, Managed Security Services) 2. Citigroup (SOC, App Security) 3. KPMG (SOC) 4. SouthWest (SOC) 5. Wells Fargo (Risk Assessments)

  • Manager, GRC - Risk Assessments at Morgan Stanley
    May 2010 - May 2011 · 1 yr 1 mo

    1. GRC Process Review 2. Control Gap Remediation 3. Risk Assessments (All Division's covered twice)

  • Manager, SOX and Audit at Johnson & Johnson
    Apr 2007 - Apr 2010 · 3 yrs 1 mo

    1. SOX Compliance 2. Supply Chain Audit Lead