Security Controls Assurance Lead

Anthropic, Washington, DC
Hybrid

About The Position

Anthropic's Security Governance, Risk, and Compliance (GRC) team is responsible for ensuring the company adheres to its security commitments. This role focuses on the technical controls assurance function, where you will define control requirements and acceptance criteria for global compliance obligations across the software development lifecycle. You will collaborate with engineering teams to ensure implementations meet these requirements and validate their effectiveness. The goal is to build a GRC system that leverages AI for continuous control testing and evidence collection, moving beyond traditional periodic audits.

Requirements

  • Thrive at the pace of a hypergrowth company. You’re comfortable making calls with incomplete information and reprioritizing as scope shifts.
  • Have supported technology control programs through SOX readiness or as a public company or with equivalent rigor (FedRAMP, large multi-framework SOC 2/ISO portfolios).
  • Have genuine engineering fluency, possibly from an earlier engineering career: you can read code and Terraform, follow a CI/CD pipeline end to end, and challenge a design on its technical merits.
  • Have programming skills in Python or at least one systems language such as Go, Rust, or C/C++.
  • Have deep familiarity with developer platform, release engineering, or infrastructure control domains.
  • Are a strong collaborator and communicator.
  • Use Claude and other LLMs as daily working tools, and have grounded, specific views on which audit and assurance workflows AI can run today and which it can't yet.
  • Translate framework and regulatory language into acceptance criteria engineers can build against, and translate engineering reality back into assurance language auditors and leadership can rely on.
  • Default to getting the requirement designed into the system rather than papering over the gap with procedure.

Nice To Haves

  • Have a combination of audit or advisory experience (Big 4 or equivalent) with in-house experience at an AI-forward tech company — in either order
  • Have defined or assessed controls for AI/ML systems or agents acting in production environments
  • Have stood up continuous controls monitoring or automated evidence programs

Responsibilities

  • Define the control framework and requirements for autonomous AI operators in collaboration with Security, Internal Audit, and Engineering, including change review and approvals, human-in-the-loop, and evidence collection. Assess implementations against those requirements.
  • Pressure-test major infrastructure, system, and agent framework changes for control impact during design, before decisions become expensive rework.
  • Set the compliance bar for home-built systems. Collaborate with teams to define what the internal system must provide from day one, such as auditability, segregation of duties, and change control over the tool itself.
  • Define the criteria for where and when AI can operate, supplement, or replace a manual process or control, including the human-in-the-loop thresholds and evidence documentation.
  • Establish the validation, evidence, and governance standards that allow AI-performed and AI-assisted processes and controls to withstand external audit and regulatory scrutiny.
  • Assess the introduction of new compliance frameworks and changes in scope (new regulations, certifications, products, or entities), providing a sufficient technical and compliance lens on their impact to control design, evidence requirements, and engineering effort before commitments are made.
  • Stand up or advise on audit workflows for the assurance team, including Claude-driven control testing, automated evidence collection, walkthrough preparation, and framework mapping against our common controls framework, materially raising automated evidence coverage and cutting audit prep time.

Benefits

  • competitive compensation
  • benefits
  • optional equity donation matching
  • generous vacation
  • parental leave
  • flexible working hours
  • a lovely office space in which to collaborate with colleagues