On the asymmetry between cheap generation and expensive verification, and why the next decade's most important infrastructure is the layer we use to check what AI systems actually did.
Zeeshan Khan
Notes from building AI systems — and on the trust problems that define the next decade.
How do we know a system is doing what it claims to be doing? Most of what I write here comes from asking that question across very different domains, for a long time now.
I'm a product and engineering leader working across AI, supply chains, and cybersecurity. I lead AI product and engineering at Jazzware in hospitality. I run SurroundApps, where we build verification infrastructure for industries where trust used to run on faith — garment supply chains, charitable giving, home healthcare, device security. Earlier work has spanned MIT's AI Lab, DARPA-funded research, physical security systems for public safety and defense at Cisco, DNA sequencing platforms at Illumina, and national-scale identity systems including Bangladesh's biometric SIM verification rollout.
I grew up in Dhaka, came to MIT in the era when AI still meant rule-based systems, and have spent the years since watching the field — and the trust problems it creates — evolve through every major shift. I'm based in Silicon Valley and direct SurroundApps's work in Bangladesh remotely.
Essays
What an AI agent should carry with it: a verifiable record of what it is, what it's authorized to do, and who is responsible when it goes wrong. With three precedents — SBOM, DSCSA, and the EU's Digital Product Passport — and what the AI version has to do differently.
Notes on what each AI wave has gotten right, what each has gotten wrong, and what the current wave is still figuring out.