# Jesbur Labs > Jesbur Labs LLC is the independent AI security and governance practice of Jessica Burnett, a software architect based in Colorado Springs, Colorado. Focus: red-teaming agentic AI systems against the OWASP Agentic Top 10, policy-as-code governance in OPA/Rego, and court-defensible audit trails. Jessica Burnett is a software architect with 20 years building and shipping software across full-stack and distributed systems, now specialized in AI governance and security. She contributed OWASP Agentic Top 10–mapped starter policy packs to Microsoft's Agent Governance Toolkit. ## What Jesbur Labs does - **Red-teaming agentic AI systems** against the OWASP Agentic Top 10 (ASI01 Agent Goal Hijack, ASI02 Tool Misuse & Exploitation, ASI03 Identity & Privilege Abuse, ASI04 Agentic Supply Chain Vulnerabilities, ASI05 Unexpected Code Execution, ASI06 Memory & Context Poisoning, ASI07 Insecure Inter-Agent Communication, ASI08 Cascading Failures, ASI09 Human-Agent Trust Exploitation, ASI10 Rogue Agents). - **Policy-as-code governance** in OPA/Rego — enforceable at runtime, built on Microsoft's Agent Governance Toolkit. - **Court-defensible artifacts and audit trails** for independent auditors, government boards, and agencies. - **Standards mapping**: NIST AI RMF, ISO/IEC 42001, EU AI Act, Colorado AI Act (SB 24-205). ## Background - **Contributor, Microsoft Agent Governance Toolkit** — authored and merged OWASP Agentic Top 10–mapped starter policy packs (healthcare, financial services, general SaaS). - **Creator, AOGI (AI Orchestration Governance Infrastructure)** — an open-source, policy-as-code governance sandbox extending Microsoft's Agent Governance Toolkit, with OPA/Rego policy gates mapped to the OWASP Agentic Top 10. - **20 years of software architecture** — full-stack and distributed systems, SDLC ownership, Python, FastAPI, and cloud (Azure, AWS, GCP). - Languages: English, French. ## Note on the EU AI Act Article 15 requires high-risk AI systems to be resilient against adversarial manipulation — data and model poisoning, adversarial examples, and confidentiality attacks. The statute does not mandate "red-teaming" by name; adversarial testing is the practical means to evidence that resilience. High-risk obligations apply from December 2027. ## Contact - Email: jesburlabs@gmail.com - GitHub: https://github.com/jessburnett - LinkedIn: https://linkedin.com/in/jessicaburnett-tech - Location: Colorado Springs, CO, USA