About Me
I am an AI & Platform Security Engineer focused on AI system security, with hands-on experience designing secure LLM infrastructure, authoring agent platform security guidelines, and researching attack surfaces specific to AI environments. Cloud security work spans Google Cloud, AWS, and Kubernetes, with particular depth in credential lifecycle management and policy enforcement at scale. I have investigated and published on prompt injection, unsafe agent behavior, and OAuth phishing in MCP environments, and share findings through technical articles and talks at AI engineering events in Japan.
Professional Experience
May 2025 - Present
Mercari, Inc. — AI Security Engineer, Tech Lead (AI Security Team)
- Established security architecture for a company-wide LiteLLM-based LLM API proxy. Designed and implemented an OIDC-based short-lived API key issuance system (LLM Key Server), eliminating static LLM API keys across the organization with integrations for GitHub Actions and Google Apps Script.
- Led architecture of the company’s internal MCP gateway with forward compatibility for upcoming enterprise authorization specs. Independently researched and published analysis of OAuth phishing attacks via unauthenticated Dynamic Client Registration in MCP.
- Authored comprehensive security guidelines for cloud-hosted AI agent environments, covering areas such as sandboxing, network controls, credential management, observability, prompt filtering, and supply chain security.
- Conducted AI-specific security reviews for internal and external AI products, identifying risks such as prompt injection, data leakage, and unsafe agent behavior. Developed and maintained company-wide AI security guidelines and led organization-wide training programs.
- Designed automated security check architecture for n8n AI workflows and mentored a junior engineer through implementation. Built automated user and API key lifecycle management for Devin Enterprise.
Feb 2024 - Apr 2025
Mercari, Inc. — Security Engineer (Platform Security)
- Extended the internal Token Server for Google Cloud workloads: implemented OIDC-based short-lived credential issuance via a custom Go library, eliminating long-lived PATs and private keys. Led elimination of long-lived GitHub credentials across multiple service teams in a multinational organization.
2022
Mercari, Inc. — Security Engineer (Intern)
- Identified missing attack techniques in Microsoft’s Threat Matrix for Kubernetes and documented them as an extended threat model. Contributed new attack detection rules to the Falco open-source repository and merged multiple Pull Requests into the official project.
2021
Recruit Co., Ltd. — Security Engineer (Intern)
- Conducted vulnerability assessments on web applications and iOS applications. Built a source code parser to automate analysis of inspection targets, reducing manual effort in the assessment process.
