Juliette Pluto
Adversarial robustness for frontier AI systems at Google DeepMind. Previously: trusted execution environments, privacy-preserving ML, and web platforms at scale.
Experience
Google DeepMind · Staff Software Engineer
2020-04 — present · NYC · promoted to Senior 2024, Staff 2026
- Security evaluations for model selection: Started GDM's first effort to defend against prompt injection. Established the core security evaluation bundle used directly by GenAI leadership for frontier model selection, and expanded adversarial evaluation coverage across critical production agentic surfaces: Workspace, Cloud, and Search.
- Prompt injection robustness for Gemini: Originated and socialized a novel mitigation strategy for adaptive prompt injection robustness, overcoming initial resistance and securing resourcing for implementation. Under the same data budget, the strategy delivered a 5x improvement on an internal automated red-teaming benchmark.
- Data-centric mitigations for an enterprise deployment: Picked by leadership to close a critical prompt injection robustness gap for a multi-billion-dollar enterprise contract. Analyzed failure modes and targeted training distributions, doubling robustness on an internal benchmark; advised the customer's Head of ML Safety and helped secure final acceptance.
- User Instruction Classifier: Invented an early policy-based defense that saturated the team's internal benchmark — 99.97% robustness against its adaptive prompt injection attacks. The result was diagnostic, not a solution: saturation exposed where the benchmark fell short of the real threat model, and shifted mitigation work toward attack classes the defense can't beat. The technique was later adopted to improve resilience against human red-teaming in production safety systems.
- Threat intelligence for Google Search: Discovered unaddressed attack surfaces in Google Search before the wider organization was aware of them. Directed a cross-org technical response staffed by four engineers, and co-authored sections of the Google-wide Prompt Injection Playbook.
- Trusted execution environments & privacy-preserving ML (pre-2024): Designed a Trusted Execution Environment orchestrator to reduce the Trusted Computing Base for remote-attested production ML launches (e.g., Gboard). Engineered attested browser-to-enclave end-to-end encryption and prevented critical zero-day vulnerabilities during infrastructure design.
N26 · Software Engineer
2018-01 — 2020-03 · Berlin
Joined the web platform rebuild as one of four engineers and helped scale the team past 20 as N26 became a unicorn. Led full-stack product work, mentored engineers, and improved production reliability and performance: 30% fewer production errors, 20% faster time-to-first-meaningful-paint, 1.4s faster time-to-interactive.
Language Academy · Lead Engineer
2016-08 — 2017-12 · Berlin
Clue · Web Developer & Design Researcher
2015-10 — 2016-08 · Berlin
Papers
- The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against LLM Jailbreaks and Prompt Injections. Nasr, Carlini, Sitawarin, Schulhoff, Hayes, Ilie, Pluto, Song, Chaudhari, Shumailov, Thakurta, Xiao, Terzis, Tramèr. arXiv:2510.09023, 2025.
- Lessons from Defending Gemini Against Indirect Prompt Injections. Shi, Lin, Song, Hayes, Shumailov, Yona, Pluto, Pappu, Choquette-Choo, Nasr, Sitawarin, Gibson, Terzis, Flynn. arXiv:2505.14534, 2025.
- Gemini 2.5: Pushing the Frontier with Advanced Reasoning, Multimodality, Long Context, and Next Generation Agentic Capabilities. Gemini Team, incl. Pluto. arXiv:2507.06261, 2025.
Talks
- DICE Attestation on AMD SEV-SNP. With Ivan Petrov. OC3 2024.
- Beyond the Paper: Operationalizing Auto Red Teaming for Measurable Model Evaluation & Development. AI Red Team Colloquium.