Huanran Wang
Member of Technical Staff in AI Infra, AMD
Actions
Agentic AI engineer and software architect with 13 years of experience spanning embedded systems, automotive safety, and AI infrastructure. Currently Member of Technical Staff at AMD, working on ROCm software, AI data center, and system-level performance for large-scale AI workloads. Previously Software Architect, leading AI safety/assurance and advanced system architecture with model-based and data-driven systems engineering. Spent 5.5 years at Ford Motor Company as Technical Expert and Software Engineer, applying machine learning and computer vision to automotive systems under ISO 26262 functional safety. Started in embedded systems at BlackBerry, shipping award-winning products on QNX and Android platforms.
Your Harnessed AI Agent Is Half-Safe: How Assured Autonomy Completes the Other Half
Your LLM agent's permission system passes every action individually. The agent writes a script, creates a config file, calls the Python interpreter. Every action is allowed. **The composed effect is credential exfiltration to an external endpoint.** This is not hypothetical -- [CVE-2026-21852](https://cve.mitre.org/) and [CVE-2025-59536](https://cve.mitre.org/) both demonstrate it in production.
The root cause is not a bug -- it is a half-built safety stack. Two engineering communities have each solved half of this problem independently:
- **Harness engineering** (the AI engineer's approach) built fast, practical safety: permissions, sandboxes, LLM guardrails, tool schemas. Systems like Claude Code, OpenHands, LangChain, and AutoGPT ship real runtime protection.
- **Assured autonomy** (the automotive/aerospace safety engineer's approach) built formal, proven safety: safety envelopes, Simplex architectures, deterministic runtime monitors, assume-guarantee contracts. Forty years of work on constraining autonomous systems -- never applied to LLM agents.
We analyzed **389 techniques from 111 papers** (120 formal citations) and found **4 complementary pairs** where each community's strengths cover the other's blind spots. Only 4.6% of techniques are both runtime AND formal -- the quadrant you actually need.
**Three things you can use:**
1. **The LLM-Simplex pattern** -- 500 lines of deterministic Python (no LLM in the safety path) checking 5 structural invariants. Catches 96% of structural attacks vs. 8% for keyword filters.
2. **Complementary defense proof** -- combining structural invariant checking with content filtering covers 31% of unsafe actions vs. 22% or 11% alone. The two approaches catch almost entirely different threats (only 8 of 133 caught actions overlap).
3. **Defense-in-Depth Compliance Index (DCI)** -- adapted from nuclear engineering and ISO 26262 common-cause failure analysis. Score how much of your safety stack survives a prompt injection. Claude Code: 0.80. OpenHands: 0.875. If yours is below 0.80, your next investment should be a non-LLM layer.
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top