Senior / Principal Security Architect (AI/OT)

Xcel Energy, Minneapolis, MN
Hybrid

About The Position

Xcel Energy is seeking to fill two Senior/Principal Security Architect roles: one focused on AI/IAM and another focused on OT security. The AI/IAM Security Architect will ensure the secure design, deployment, and operation of Xcel's artificial intelligence (AI) and machine learning (ML) capabilities, while also leading security architecture for Identity & Access Management (IAM) enterprise-wide. This role involves providing security oversight for AI-enabled products and platforms, including generative AI/LLM solutions, and for IAM capabilities like authentication, authorization, privileged access, and identity governance. The OT Security Architect will ensure the secure design and delivery of technology services across both Information Technology (IT) and Operational Technology (OT) environments, with a focus on industrial and critical infrastructure facilities. This role will partner with operations and engineering teams to define practical security approaches that protect reliability and safety while enabling business outcomes. Both roles require collaboration with various teams, advising stakeholders on security methods, and championing best practices and standards to reduce risk.

Requirements

  • Minimum of 8 years’ experience in IT, including 5 years’ direct experience in IT engineering and cyber security (for Senior roles).
  • 5 years of experience in systems architecture or systems engineering (for Principal roles).
  • 10 years of experience in Information Security (for Principal roles).
  • 3 years of experience designing complex systems (for Principal roles).
  • 3 years of experience with systems integration and engineering (for Principal roles).
  • Demonstrated verbal/written communication and presentation skills.
  • Demonstrated experience collaborating with internal stakeholders, 3rd parties, and management.
  • Ability to influence without direct authority.
  • Experience with technology implementation projects for enterprise-scale organizations.

Nice To Haves

  • Information Security experience in the electric utility industry.
  • Hands-on experience with AI models and solutions (including generative AI/LLMs), such as model selection/integration, training or fine-tuning, retrieval-augmented generation (RAG), inference services, and model monitoring/operations in a production environment.
  • Strong understanding of AI security threats and mitigations (e.g., prompt injection, insecure tool/function calling, data leakage, jailbreaks, model inversion/extraction, poisoning, and supply-chain risks).
  • Experience with enterprise IAM patterns and controls (e.g., SSO/federation, OAuth2/OIDC, RBAC/ABAC, conditional access, managed identities/service principals, and PAM), applied across enterprise applications and cloud platforms; experience applying these patterns to AI/ML platforms and data services is a plus.
  • Experience with IAM architecture and/or operations, such as identity governance (IGA), access reviews and attestations, role engineering, conditional access, and privileged access management (PAM).
  • Knowledge of relevant regulations and compliance requirements such as NERC CIP, TSA, and SOX, plus emerging AI/privacy and IAM-related regulatory expectations as applicable.
  • Experience partnering with product, data, platform, and MLOps/DevOps teams to deliver secure AI solutions and to implement IAM controls (e.g., least privilege access, service identity, and privileged access workflows).
  • Familiarity with AI governance and risk management practices (e.g., model inventory, documentation, human oversight, third-party model/vendor risk).
  • 5+ years of experience in security architecture, cybersecurity engineering, or control systems engineering, including work that interfaces with industrial/OT environments.
  • Hands-on experience with OT/ICS technologies and environments (e.g., SCADA, PLC/HMI, DCS) and the operational constraints of critical infrastructure.
  • Knowledge of network segmentation concepts and secure remote access patterns for OT/vendor connectivity.
  • Experience with OT security frameworks and guidance (e.g., IEC 62443, NIST SP 800-82) and applying them pragmatically in operating environments.
  • Experience working with vendors/contractors supporting industrial equipment and control systems, including secure access and support models.
  • Certifications such as GICSP, CISSP, CCSP, CCSK, or AWS Certified Security.
  • Knowledge of relevant regulations and compliance requirements such as NERC CIP, TSA, and 10 CFR 810.

Responsibilities

  • Design security reference architectures and guardrails for AI/ML and generative AI solutions and for enterprise IAM capabilities, including authentication, authorization, privileged access, identity governance, and secure integration patterns.
  • Define and maintain control baselines and guardrails for AI-enabled platforms and enterprise IAM (e.g., model inventory, risk tiering, approval gates; identity standards, access reviews, and privileged access requirements) and ensure compliance drift is detected and addressed.
  • Conduct threat modeling and risk assessments for AI use cases (e.g., prompt injection, data leakage, model inversion/extraction, supply-chain risks) and provide advisory services to programs and operations.
  • Partner with product and engineering teams to embed security requirements into the AI lifecycle (data sourcing, training/fine-tuning, evaluation, deployment, monitoring, and retirement).
  • Ensure AI solutions and IAM controls align with applicable regulatory expectations and internal policies (e.g., privacy, critical infrastructure requirements), including controls for sensitive data used in AI workflows.
  • Work with the business to define security patterns and reference architectures for industrial control environments (e.g., SCADA, DCS, PLC/HMI).
  • Define and govern segmentation (zones/conduits), secure remote access, and monitoring strategies for OT networks and vendor/contractor connectivity.
  • Develop security control baselines, hardening standards, and exception processes for OT assets and supporting infrastructure; ensure compliance drift is managed.
  • Partner with controls engineering, field technicians, plant operations, and maintenance teams to implement security improvements that work in real-world operating environments.
  • Improve detection and response for OT environments, including logging/telemetry requirements, playbooks, and tabletop exercises with operations.
  • Create deliverables such as security use cases and implementation patterns.
  • Ensure adherence to regulatory frameworks such as NERC CIP and TSA Security Directive 2, including applicability to OT facilities and supporting IT/cloud services where used.

Benefits

  • Annual Incentive Program
  • Medical/Pharmacy Plan
  • Dental
  • Vision
  • Life Insurance
  • Dependent Care Reimbursement Account
  • Health Care Reimbursement Account
  • Health Savings Account (HSA) (if enrolled in eligible health plan)
  • Limited-Purpose FSA (if enrolled in eligible health plan and HSA)
  • Transportation Reimbursement Account
  • Short-term disability (STD)
  • Long-term disability (LTD)
  • Employee Assistance Program (EAP)
  • Fitness Center Reimbursement (if enrolled in eligible health plan)
  • Tuition reimbursement
  • Transit programs
  • Employee recognition program
  • Pension
  • 401(k) plan
  • Paid time off (PTO)
  • Holidays
  • Volunteer Paid Time Off (VPTO)
  • Parental Leave
© 2026 Teal Labs, Inc