J. Zico Kolter
Last reviewed
Jun 8, 2026
Sources
12 citations
Review status
Source-backed
Revision
v1 · 1,770 words
Improve this article
Add missing citations, update stale details, or suggest a clearer explanation.
Suggest edit
CtrlK
Last reviewed
Jun 8, 2026
Sources
12 citations
Review status
Source-backed
Revision
v1 · 1,770 words
Add missing citations, update stale details, or suggest a clearer explanation.
J. Zico Kolter (full name Jeremy Zico Kolter) is an American computer scientist who is a professor and head of the Machine Learning Department at Carnegie Mellon University. He is known for foundational work in adversarial robustness, implicit-layer deep learning, and the security of large language models, and for chairing the Safety and Security Committee of OpenAI's board of directors, a panel with the authority to delay the release of AI models on safety grounds. He is also a co-founder and chief scientist of the AI security company Gray Swan AI. As of late 2025 he was 42 years old. [1][2][3][4]
Kolter earned a Bachelor of Science in computer science from Georgetown University in 2005. By his own account he began studying artificial intelligence as a Georgetown freshman in the early 2000s, well before the field's modern resurgence, and he attended OpenAI's 2015 launch party years before joining its board. [4][11]
He pursued graduate study at Stanford University, completing a PhD in computer science in 2010 under the supervision of Andrew Ng. [2][4] His doctoral and early research ranged widely across applied machine learning: with Ng he published "Energy Disaggregation via Discriminative Sparse Coding" at NIPS 2010, an influential early method for inferring the power consumption of individual appliances from a single household electricity meter, and he contributed to Stanford's "LittleDog" project on learning-based quadruped locomotion. After Stanford he held a postdoctoral fellowship at the Massachusetts Institute of Technology from 2010 to 2012. [2][4]
Kolter describes his group as working on machine learning very broadly, with recurring emphasis on making deep learning more robust and secure, on embedding structured computation inside neural networks, and on understanding how training data shapes model behavior. Several of his lines of work have become standard references. [1]
A signature theme of Kolter's research is treating components of a neural network not as fixed sequences of operations but as the solutions to optimization problems or equations. With his student Brandon Amos he introduced OptNet at ICML 2017, a method for embedding a quadratic optimization problem as a differentiable layer so that a network can learn to solve constrained problems end to end. [5]
He extended this idea with Shaojie Bai and Vladlen Koltun in "Deep Equilibrium Models" (NeurIPS 2019), which replaced a deep stack of layers with a single layer whose output is the fixed point of a nonlinear equation. Because the fixed point is found by a root-finding solver and differentiated implicitly, a deep equilibrium model can represent an effectively infinite-depth network while using constant memory. The deep equilibrium model, or DEQ, helped popularize the broader category of "implicit models" in deep learning. [6]
Kolter is a leading figure in the study of certified, or provable, robustness: building classifiers that come with mathematical guarantees that no small perturbation of an input can change their prediction. Carnegie Mellon credits him with developing some of the first methods for creating deep learning models with guaranteed robustness against adversarial examples. [2]
The best known result in this area is "Certified Adversarial Robustness via Randomized Smoothing" (ICML 2019), written with Jeremy Cohen and Elan Rosenfeld. Randomized smoothing constructs a robust classifier by averaging predictions over many noisy copies of an input, which yields a provable guarantee that scales to large datasets such as ImageNet where earlier certification methods could not. The technique became one of the most widely used approaches to certified robustness. [7]
In July 2023 Kolter, with Andy Zou, Zifan Wang, Nicholas Carlini, Milad Nasr, and Matt Fredrikson, published "Universal and Transferable Adversarial Attacks on Aligned Language Models." The paper introduced Greedy Coordinate Gradient (GCG), an automated method that searches for an adversarial suffix, a string of seemingly meaningless tokens, which, when appended to a prompt, reliably causes an aligned model to comply with requests it would otherwise refuse. [8]
The work was notable because the attacks were both automated, rather than hand-crafted, and transferable: suffixes optimized against open-weight models often succeeded against closed commercial systems such as ChatGPT, Claude, and Bard to which the authors had no internal access. The paper became one of the most cited results on the jailbreaking of large language models and reframed adversarial robustness as a central problem for deployed AI systems, foreshadowing the security focus of Kolter's later industry and board roles. [8]
Kolter joined the Carnegie Mellon faculty in 2012 and has held a wide set of affiliations across the university, including the Computer Science Department, the Software and Societal Systems Department, the Robotics Institute, the CyLab Security and Privacy Institute, and the Electrical and Computer Engineering Department in the College of Engineering. In July 2024 he became professor and head, or department head, of the Machine Learning Department in CMU's School of Computer Science. [2][4]
Alongside academia he has worked in industry. He previously served as chief data scientist at the enterprise AI firm C3.ai and as chief expert, also described as chief scientist, at the Bosch Center for Artificial Intelligence. He sits on the board of directors of Qualcomm and is an advisor to the bank BNY. His honors include a DARPA Young Faculty Award and a Sloan Research Fellowship, and his group has earned best-paper recognition at venues including NeurIPS, ICML (honorable mention), AISTATS (a test-of-time award), IJCAI, KDD, and the IEEE Power and Energy Society General Meeting (PESGM). In 2025 he was named a recipient of funding under the Schmidt Sciences AI safety science program. [1][2][4]
In 2023 Kolter co-founded Gray Swan AI, an AI security company that grew directly out of the Carnegie Mellon adversarial-robustness research that produced the GCG attack. His co-founders include Matt Fredrikson, who serves as chief executive, and Andy Zou; Kolter is the company's chief scientist. Gray Swan builds tools for evaluating and protecting large language model deployments, including a real-time safeguard product, a continuous adversarial-testing service, and a public AI red-teaming arena. In 2026 the company raised a $40 million Series A round co-led by Wing Venture Capital and Madrona. [1][8][9]
On August 8, 2024, OpenAI announced that Kolter had joined its board of directors and would serve on the board's Safety and Security Committee. The committee had been formed earlier, in May 2024, originally including chief executive Sam Altman and other directors, to make recommendations on safety and security decisions for the company's projects. [2][3][10]
On September 16, 2024, OpenAI reconstituted the body as an independent board oversight committee chaired by Kolter, with Altman stepping off. The other members are Adam D'Angelo, the co-founder and chief executive of Quora; retired U.S. Army General Paul Nakasone, a former commander of U.S. Cyber Command and director of the National Security Agency; and Nicole Seligman, a former executive vice president and general counsel of Sony Corporation. The committee is briefed on safety evaluations for major model releases and, together with the full board, has the authority to delay a release until safety concerns are addressed. As one of its first acts it conducted a 90-day review of OpenAI's safety and security practices and made recommendations to the board. [10][12]
Kolter has emphasized that his mandate is broad rather than focused only on speculative long-term dangers. "Very much we're not just talking about existential concerns here," he said in 2025. "We're talking about the entire swath of safety and security issues and critical topics that come up when we start talking about these very widely used AI systems." He has cited cybersecurity, the potential misuse of models to design weapons, model vulnerabilities, and effects on users' mental health among his concerns, and has said the committee has "the ability to do things like request delays of model releases until certain mitigations are met," while declining to say whether it has ever done so. [11][12]
Kolter's role gained additional weight in November 2025, when agreements between OpenAI and the attorneys general of California and Delaware made his safety oversight a central feature of the company's restructuring into a public benefit corporation controlled by a nonprofit foundation. Under those agreements he was granted full observation rights to the for-profit board's meetings and access to safety information, intended to ensure that safety considerations are not overridden by commercial pressures. As of 2026 he continues to lead the Machine Learning Department at Carnegie Mellon, serve as chief scientist of Gray Swan AI, and chair the OpenAI Safety and Security Committee. [11][12]
| Year | Milestone |
|---|---|
| 2005 | BS in computer science, Georgetown University |
| 2010 | PhD in computer science, Stanford University (advisor Andrew Ng) |
| 2010 to 2012 | Postdoctoral fellowship, MIT |
| 2012 | Joins Carnegie Mellon University faculty |
| 2017 | OptNet (differentiable optimization layer), ICML |
| 2019 | Deep Equilibrium Models (NeurIPS) and randomized smoothing (ICML) |
| 2023 | Co-founds Gray Swan AI; publishes the GCG jailbreak paper |
| July 2024 | Becomes head of CMU's Machine Learning Department |
| August 8, 2024 | Joins OpenAI's board of directors |
| September 16, 2024 | Named chair of OpenAI's independent Safety and Security Committee |
| November 2025 | Oversight role made central to OpenAI's restructuring via state attorney general agreements |