Germán Fuentes Capella

Germán Fuentes Capella

AI changes how we build products. The need to understand, monitor and protect remains.

About me

My career has moved across engineering, CTO, and CISO roles. That path is unusual and intentional: I think security and governance work better when they are built from within engineering, instead of decided from outside.

An area that I always find troubling is SDLC. Well built, it is meant to support velocity without sacrificing quality. In practice, what I often see is slow delivery, a lot of bureaucracy, and engineering quality quietly degrading.

AI agents make that tension harder to ignore. They move fast, touch sensitive systems, and most teams have not defined what they are allowed to do.


What I find deeply interesting

Engineering practice is more than writing code. Most of the work is in understanding and defining requirements, evaluating constraints, guaranteeing quality throughout the process: automated testing, integration testing, code metrics. The code is a small part. The discipline around it is what makes the difference between a team that ships reliably and one that doesn’t. I treat delivery as something to measure and optimise: where does work slow down, where does governance create friction, are the changes we make actually improving things.

Governance driven by engineering rather than imposed on it. I am less interested in specific standards as ends in themselves and more interested in what we can improve through automation, and how that makes shift-left security a real outcome rather than a slide in a deck. When governance lives inside the engineering process, teams stop fighting it.

Compliance automation as a way to reduce pressure on teams and make the work more enjoyable. The underlying logic is simple: automate once, reap the benefits forever. Every hour a team stops spending on manual evidence collection is an hour that can go into something that scales. The goal is making compliance feel like engineering, instead of administration.

AI and agentic workflows are where all of this converges right now. How do you introduce controls that maximise the value of AI agents while reducing the risks they introduce? That means SDLC governance, but also PII detection, hallucination detection, and defining what agents are allowed to touch in the first place.


Selected work

PPRO

Payments unicorn regulated under CSSF and FCA.

  • Served as interim CTO and interim CISO
  • Reorganised the engineering organisation in cross-functional domains to improve ownership and delivery
  • Worked on reliability and availability across the platform
  • Led the move from the data centre to the cloud
  • Built technology that allowed treasury to manage cash flows across a complex payments environment
  • Led the operational resilience strategy and delivered the DORA programme end to end, including the Register of Information submission.

ONPEX

CSSF-supervised BaaS institution in Luxembourg.

  • Worked as CTO and Head of Service Delivery
  • Built and operated the banking infrastructure supporting cross-border payment flows
  • Enabled non-EU merchants to sell into European markets through traditional payment channels
  • Built the operational setup for repatriating funds to merchants’ countries of origin

PAY.ON and ACI Worldwide

Payments infrastructure and orchestration providers operating at scale.

  • Built the technical foundation in payments orchestration and integrations
  • Worked across banking connections, wallets, card schemes, and digital payment methods
  • Built and operated integration-heavy systems in high-change delivery environments

Talks and tooling

I speak and write about applying engineering practices to audits, compliance, and AI governance.

  • At LeadDev Berlin, I spoke about treating audits as test plans and embedding compliance controls into engineering workflows.
  • For GDC Council, I focused on governance at the speed of tech: automation, observability, and risk-based decision-making.
  • For the Association of Internal Auditors in Luxembourg, I am preparing a talk on auditing organisations that deploy continuously. The argument: traditional sampling breaks down when systems change thousands of times a year. Data analytics and continuous evidence collection are how internal audit keeps up.