Siegfried-Thor Bolz
Freelance · Available EN / DE


Enterprise AEMaaCS Architect & AI Risk Auditor for AI in Enterprise CMS

15+ years building secure enterprise content platforms on Adobe Experience Manager — now auditing the AI inside them against the EU AI Act, NIST AI RMF and ISO/IEC 42001.

📍 Germany · Remote across EU 🏢 Managing Director, CQ-Factory GmbH


Adobe Experience Manager & AEMaaCS

Adobe Experience Manager has been my home CMS for 15+ years — and it is still the core of what I do. I architect, optimise and migrate enterprise AEM platforms end to end, from AEM 6.5 OnPrem to AEM as a Cloud Service (AEMaaCS), staying deep in the parts that make a CMS genuinely hard: the JCR content repository, Sling Models, Core Components, Editable Templates, Experience Fragments, Context-Aware Configurations and complex authoring workflows.

My current flagship is an AI-first enterprise CMS on AEMaaCS — migrating tens of thousands of pages and large media archives out of heterogeneous legacy systems into one unified cloud platform, with an intelligent DAM, an in-editor AI co-pilot, agentic content workflows and automatic multilingual translation. I have also led CoreMedia → AEMaaCS migrations for a leading European telecommunications provider, designing complex B2C, B2B and B2P customer journeys.

When AEM is the wrong fit, I map AEM Exit strategies toward composable, headless architectures (Storyblok, Next.js / Nuxt, microservices on Google Cloud Run). And because I have hardened AEM for government and telecommunications clients, I now extend that platform depth into AI risk auditing and cybersecurity, the common thread of my offer: from a rock-solid CMS to a governed, secure, end-to-end AI integration.

AEM 6.5 OnPrem → AEMaaCS, AEM as a Cloud Service, CoreMedia → AEM migration, AEM Exit Strategy, Headless CMS, Composable architecture, Storyblok, Next.js / Nuxt, Microservices on Cloud Run, JCR & Sling Models, Core Components, Editable Templates, Experience Fragments, Context-Aware Config, OSGi services, Intelligent DAM, In-editor AI co-pilot, Multilingual translation, Customer journeys (B2C/B2B/B2P), Vendor lock-in exit, AEM security hardening, AI Risk Auditing for AEM
See related projects on LinkedIn ↗

AI Governance, Compliance & Risk Management

Modern content platforms increasingly embed AI — personalisation, automated content generation, semantic search and conversational assistants. Every one of those features is now a governance and compliance question, and answering it is where my career is heading: external AI Risk Auditor for organisations adopting AI.

On my current AI-first CMS, AI risk governance is baked in, not bolted on — designed for compliance with the NIST AI RMF and the EU AI Act, with me acting as AI Auditor for AI Risk Governance and Compliance across the platform. I assess each use case against the frameworks that matter — EU AI Act, NIST AI RMF, ISO/IEC 42001 and ISO/IEC 27001 — and produce real evidence: risk classification, model cards, an AI-SBOM, and a living risk register rather than a one-off checklist.

Because I come from hands-on CMS engineering and security, I review the actual implementation — data flows, prompts, integrations and access paths — not just the paperwork. Most compliance auditors do not read code. I do. In May 2026 I completed two specialised programmes that sharpen exactly this lens: the University of Oxford’s Managing Enterprise AI Risks and the Generative AI & Agentic AI for Finance certification (final score 100%).

AI Governance, AI Compliance, AI Risk Management, EU AI Act, NIST AI RMF, ISO/IEC 42001, ISO/IEC 27001, OWASP LLM Top 10, OWASP Agentic Top 10, AI risk classification, High-risk AI systems, Conformity assessment, FRIA, Model cards, AI-SBOM, Living risk register, Three Lines of Defence, Explainability (XAI), Agentic AI risk, Human-in-the-loop, Auditable & regulatory-ready AI, AI audit evidence
Read: AI Audit for Enterprise CMS →
See related projects on LinkedIn ↗

AI Engineering & RAG on Content Platforms

Content is the perfect fuel for Retrieval-Augmented Generation (RAG) — and a CMS is where that content already lives, structured and governed. I design and review GenAI and RAG systems on top of content platforms: LLM integration, vector search over CMS content, semantic retrieval and agentic workflows that turn a repository into an answer engine.

As an AI Backend Engineer & RAG Architect I have built production pipelines on Google Cloud: LangChain and FastAPI microservices on Cloud Run, embeddings on Vertex AI (Matching Engine, Pinecone), Gemini 2.5 Pro, Redis (Memorystore) caching and BigQuery analytics. Real deliverables include a RAG-powered intranet chatbot, an in-editor AI co-pilot, and AI product recommendations linking AEM to a SAP PIM system via semantic search.

Building these systems is exactly what lets me audit them. I test third-party RAG and agentic stacks against the threats the Oxford and Packt programmes put front and centre — prompt injection, data and model poisoning, PoisonedRAG, confused-deputy, memory poisoning and tool misuse — mapped to the OWASP Top 10 for LLM Applications, the OWASP Agentic Top 10 (T1–T15) and MITRE ATLAS.

RAG, Retrieval-Augmented Generation, RAG over CMS content, RAG-powered chatbot, LLM integration, Vector Search, Semantic search, Agentic AI, AI agents, LangChain, FastAPI · Python, Google Cloud · Cloud Run, Vertex AI, Vertex Matching Engine, Pinecone, Gemini 2.5 Pro, Memorystore (Redis), BigQuery, SAP PIM integration, Prompt injection, Data & model poisoning, PoisonedRAG, Confused deputy · Tool misuse, OWASP Agentic Top 10 (T1–T15), MITRE ATLAS
See related projects on LinkedIn ↗

Cybersecurity & Adversarial AI

Enterprise CMS platforms are high-value attack surfaces — public-facing, content-rich and heavily integrated — and AI only widens that surface. I build security in from the architecture stage: OWASP Top 10 coverage, hardened content and headless APIs, secure authoring and publishing flows, threat modelling and secure-by-design patterns instead of fixes bolted on after launch.

This comes from 15+ years of secure enterprise Java and AEM for government and telecommunications clients — integrating security code scanners, remediating real vulnerabilities (for example HTTP Method Override), keeping Maven dependencies patched, and securing API routing with FastAPI gateway validation and IAM. My working toolchain: Burp Suite, OWASP ZAP, Snyk and SonarQube.
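The HTTP Method Override remediation mentioned above is a recurring class of bug rather than a one-off: many frameworks and proxies honour an X-HTTP-Method-Override header (or a _method query parameter) so that clients limited to GET and POST can tunnel PUT or DELETE. If the authorization check looks at the verb on the wire while the router dispatches on the overridden verb, a low-privilege user can reach write handlers with a plain POST. The following is an added illustration, not the author's or any client's code; the Request class, the role names, the handler table and the two gateway functions are hypothetical, and the "hardened" variant applies the simplest gateway-level fix of refusing any override before authorization runs.

```python
"""Method-override bypass beside its gateway fix (added example, hypothetical gateway)."""
from dataclasses import dataclass, field

# Header and query-parameter names that common frameworks treat as method overrides.
OVERRIDE_HEADERS = ("x-http-method-override", "x-method-override", "x-http-method")
OVERRIDE_QUERY_PARAM = "_method"

# Hypothetical route table: verb -> handler name.
HANDLERS = {
    "GET": "read_page",
    "POST": "create_page",
    "PUT": "update_page",
    "DELETE": "delete_page",
}


@dataclass
class Request:
    """Minimal request model; 'role' stands in for an identity resolved upstream (e.g. IAM)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    role: str = "reader"


def effective_method(req: Request) -> str:
    """Verb a permissive framework would dispatch on after honouring overrides."""
    lowered = {k.lower(): v for k, v in req.headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            return lowered[name].upper()
    if OVERRIDE_QUERY_PARAM in req.query:
        return req.query[OVERRIDE_QUERY_PARAM].upper()
    return req.method.upper()


def authorize(role: str, method: str) -> bool:
    """Readers may only GET/POST; editors may also use write verbs."""
    if role == "editor":
        return True
    return method in {"GET", "POST"}


def vulnerable_dispatch(req: Request) -> tuple:
    """Authorizes on the wire verb but routes on the overridden verb: the bypass."""
    if not authorize(req.role, req.method.upper()):
        return 403, None
    return 200, HANDLERS.get(effective_method(req), "not_found")


def hardened_dispatch(req: Request) -> tuple:
    """Refuses overrides at the gateway, then authorizes and routes on the same verb."""
    wire_method = req.method.upper()
    if effective_method(req) != wire_method:
        return 405, None  # override present: never honour it, reject explicitly
    if not authorize(req.role, wire_method):
        return 403, None
    return 200, HANDLERS.get(wire_method, "not_found")


def demo() -> dict:
    """Constructed requests: a reader tunnelling DELETE via POST, and legitimate traffic."""
    tunnelled = Request("POST", "/content/page", headers={"X-HTTP-Method-Override": "DELETE"})
    via_query = Request("POST", "/content/page", query={"_method": "put"})
    editor_delete = Request("DELETE", "/content/page", role="editor")
    reader_get = Request("GET", "/content/page")
    return {
        "vulnerable_tunnelled": vulnerable_dispatch(tunnelled),
        "hardened_tunnelled": hardened_dispatch(tunnelled),
        "vulnerable_via_query": vulnerable_dispatch(via_query),
        "hardened_via_query": hardened_dispatch(via_query),
        "hardened_editor_delete": hardened_dispatch(editor_delete),
        "hardened_reader_get": hardened_dispatch(reader_get),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check that matters in review is not whether the override feature exists but whether authorization and routing agree on the verb; rejecting the header at the edge (or stripping it there and re-authorizing downstream) is the cheapest way to make them agree.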

As AI moves into the content stack, I extend the same rigour to adversarial AI and LLM security: AI red teaming, agentic threat modelling and AI-generated-code risks (the Stanford confidence-competence gap, slopsquatting, supply-chain exposure). Cybersecurity is the backbone that lets me give clients one end-to-end path — from a solid CMS to a governed, secure and audited AI integration.

Web Application Security, OWASP Top 10, Penetration testing, Security analysis, Burp Suite, OWASP ZAP, Snyk, SonarQube, Threat modeling, Hardened content APIs, FastAPI gateway validation, IAM-secured endpoints, HTTP Method Override fix, Maven dependency security, Secure SDLC, Secure by design, Zero Trust, Adversarial AI, LLM security, AI red teaming, Agentic threat modelling, AI-generated code risks
See related projects on LinkedIn ↗
Live project

AI Governance Watch

My public, continuously-watched reference library of the AI governance standards an external AI risk auditor must keep current — each with an audit-oriented summary, the clauses you would cite, and a PR-gated provenance trail for every change. It is a live demonstration of the discipline I bring to client work: keeping a regulatory map current against a fast-moving target, with a defensible, evidence-backed trail.

NIST AI RMF, EU AI Act, ISO/IEC 42001, ISO/IEC 23894, DORA, CSA Agentic Profile, Berkeley CLTC, UK AI White Paper, NIST ITL Landscape
Explore AI Governance Watch ↗
What I do

Optimize AEM, exit it — or audit the AI inside it

A hands-on Adobe Experience Manager (AEMaaCS) expert now moving into external AI Risk Auditing — sharpened by the University of Oxford "Managing Enterprise AI Risks" programme and Packt's "Generative AI & Agentic AI for Finance" certification. Three engagement paths:


AEM & AEMaaCS

Optimise robust AEM OnPrem infrastructures or migrate to AEM as a Cloud Service (AEMaaCS) — semantic, lossless migration of JCR, Sling Models and complex workflows.

The AEM Exit

When AEM is the wrong fit, transition to agile, composable architectures — headless CMS, modern front-ends and microservices on the cloud. Escape lock-in without losing your content.


AI Governance & Audit

AI embedded in CMS and web stacks needs auditor controls: EU AI Act, NIST AI RMF, ISO/IEC 42001, model cards, AI-SBOM and a living risk register.

"Most compliance auditors don't read code. I do."

How I run a CMS AI audit →
Let's talk

Need AEM support, an AEM exit, or an AI audit?

I deliver the architecture, the code and the security. Available for projects in German 🇩🇪 and English 🇺🇸.