Stephen D.Thomas

Leading AI infrastructure initiatives, global cloud architecture, and AI board membership for a $40B multi-strategy investment firm. Built global AI infrastructure from the ground up. Pioneered the firm's first internal AI chat system. Designing C2PA content provenance systems, Agent-to-Agent protocols, and institutional-grade AI automation. Led Farallon's cloud program alongside the Head of Cyber Security. Managing team while continuing to architect and build multi-cloud infrastructure.

• Built global AI infrastructure from the ground up — started with Azure OpenAI as the firm's first AI infrastructure architect, navigated Microsoft's governance process to onboard subscriptions with Content Filtering and Abuse Monitoring exemptions removed, then expanded to Anthropic, Claude on Vertex, Google Gemini, and xAI Grok
• Served as AI Board Member — provided strategic direction on AI adoption, governance, and risk for the firm
• Pioneered Farallon's first internal AI chat system — deployed before ChatGPT was publicly available, establishing the firm's AI-first culture
• Architected and secured every AI service deployment with executive approvals for zero data retention — no provider touches firm data without contractual guarantees
• Deployed multi-cloud AI infrastructure across Azure OpenAI (first), Anthropic, Claude on Vertex, Google Gemini, and xAI Grok — sole infrastructure architect for every AI platform at the firm
• Developed Mixture-of-Agents modules inferring against multiple LLM providers (Anthropic, Gemini, Grok, Azure OpenAI) for various investment and operational tasks
• Implemented pieces of Open Brain Platform tracked via Azure Subscription for centralized AI governance and cost attribution
• Built custom AI-powered newsletter generator with content and image generation — automated institutional communications
• Developing proprietary AI agent-to-agent (A2A) communication protocols — the standards layer for how autonomous agents authenticate, negotiate, and coordinate across distributed systems without human intervention
• Building TAMP (Trusted Agent Messaging Protocol) — a security framework governing how AI agents exchange messages, verify identity, and maintain tamper-evident audit trails across the fleet
• Implementing C2PA (Coalition for Content Provenance and Authenticity) outputs — every AI-generated artifact is cryptographically signed with provenance metadata so the firm knows exactly what created it, when, and from what inputs
• Building and standardizing MCP (Model Context Protocol) server architecture — tool registries, context compression, authentication patterns, and multi-tenant agent access control
• Leading all AI infrastructure initiatives: 170+ agent fleet orchestration, memory systems, multi-model routing, and mixture-of-agents reasoning chains
• Building AI-driven investment operations automation: NAV, PAC, reconciliation, compliance monitoring, research synthesis, and portfolio analytics
• Stood up .NET 9 Aspire during architecture discussions — containerized orchestration for local development and cloud deployment
• Led Farallon's cloud program with assistance of the Head of Cyber Security — joint accountability for security posture across all cloud services
• Continued to grow technical depth across AI, security, and cloud-native patterns while leading the team
• Managing and mentoring cloud engineering team while continuing to architect and build hands-on — never left the keyboard

Sole cloud architect responsible for every cloud system at a $40B global hedge fund — ran the entire cloud operation single-handedly for 3 years. Built 9 public cloud regions from zero across Azure, AWS, and GCP. Every Terraform module, every network, every identity, every observability platform, every security control — architected, engineered, and operated by one person. Redesigned the firm's global network for cloud-native operations. Built full cloud management platform (Fusion Nexus), Atlassian Cloud replacement (Fusion Forge), and all developer, analytics, and observability tooling. Implemented baseline security patterns including private endpoints and managed identities across every service.

• Ran every cloud system at the firm single-handedly for 3 years — sole architect, sole engineer, sole operator across Azure, AWS, and GCP
• Built the entire cloud infrastructure from zero — every resource, every module, every network, every identity, every policy
• Designed and deployed a global multi-cloud footprint spanning 9 public cloud regions across Azure, AWS, and GCP — covering North America, Europe, and Asia-Pacific
• Architected global network re-architecture to be cloud-native — redesigned the firm's entire network topology for modern cloud connectivity
• Implemented Azure Virtual WAN with global VWAN hubs, ExpressRoute circuits, and site-to-site VPNs — unified global network backbone spanning all regions and cloud providers
• Implemented baseline security patterns across all services — private endpoints and managed identities as the default; no public-facing data plane, no stored credentials
• Deployed ExpressRoute circuits and GCP tunnels for private intra-cloud connectivity across all three providers
• Built every Terraform module from scratch with security baked in by design — every module scanned with tfsec and Trivy before deployment; security is not a layer added after, it is the foundation
• Created centralized Terraform templates consumed by both infrastructure and development teams — standardized patterns for consistent, secure deployments across the firm
• Operated a 100% code-based infrastructure — zero manual provisioning, zero console configuration; every resource, every policy, every secret is defined in code and version controlled
• Implemented Azure Policy as Code — governance guardrails deployed and enforced through Terraform alongside infrastructure, ensuring compliance is automated and auditable, not manual
• Built Fusion Nexus — full cloud management and operations platform with Developer Sandboxes based on custom business process, time-based environments with approval workflows, and automated vulnerability patching across all packages
• Built Fusion Forge — Atlassian Cloud replacement; internal project management platform replacing Jira with custom workflows tailored to the firm's operations
• Architected, engineered, and implemented Dynatrace for legacy application observability — full APM, distributed tracing, and infrastructure monitoring
• Architected, engineered, and implemented New Relic for modern cloud-based application observability — end-to-end monitoring for containerized workloads
• Architected, engineered, and implemented Farallon's data warehouse and analytics infrastructure — Synapse, Fabric, Power BI, and Purview in a hybrid deployment, all on private networking with no public endpoints
• Deployed Azure Arc to extend Azure management and governance to on-premises and multi-cloud resources — unified control plane across hybrid infrastructure
• Architected, engineered, and implemented Plotly Enterprise with multiple environments — secure analytics visualization for investment teams
• Implemented Global Secure Access to enable multiple groups to use applications like Plotly externally and on mobile devices — secure remote access without VPN dependency
• Architected, engineered, and implemented all Power BI related infrastructure and tooling — including Power BI QA analysis tooling for data quality validation
• Architected, engineered, and maintained GitHub, Azure DevOps, and Bitbucket Cloud — sole owner of all source control and CI/CD platforms across the firm
• Managed every cloud-based solution including Entra ID — continuously strengthening security posture, migrating SSO applications to Entra ID, and developing Entra ID role deployment processes
• Implemented Container App Environments and Container App Jobs — serverless container orchestration for batch and event-driven workloads
• Implemented Private State Tokens and custom cookie management for secure, privacy-preserving authentication flows
• Managed the full Microsoft Defender suite — Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps across all environments
• Migrated from legacy MDM to Microsoft Intune — modern endpoint management for the entire device fleet
• Migrated from legacy MFA to Microsoft Authenticator — phishing-resistant authentication across the enterprise
• Implemented passwordless sign-in with Windows Hello for Business and Entra ID Conditional Access policies
• Managed all Entra ID and Defender for Cloud Apps Conditional Access policies — risk-based, location-based, and device-compliance-based access controls
• Led vendor due diligence for all cloud and SaaS vendors — security assessments, contractual requirements, and risk evaluation
• Built out API management for the firm's custom NAV/PAC solution — designed OAuth 2.0 authentication and zero-trust access controls for all portfolio analytics API endpoints
• Designed and implemented DR (Disaster Recovery) strategies across all cloud regions — cross-region failover, backup policies, RTO/RPO targets, and tested recovery runbooks
• Built custom Service Principal lifecycle management with automated secret rotation via Key Vault
• Designed Zero-Retention Data Sandboxes for secure investment data operations
• Built NAV, PAC, and reconciliation processes in Azure — institutional-grade financial operations automation
• Served as the primary cloud contact for every business group across the firm — translated business requirements into cloud architecture and ensured priorities and goals were met
• Enabled multiple groups across the firm to adopt cloud services — drove cloud adoption from zero to enterprise-wide
• Trained and mentored helpdesk teams; built all internal operational tooling