Security Engineer, GRC

PlaidSan Francisco, CA

About The Position

The Security Governance, Risk, and Compliance (GRC) team is part of Plaid’s security organization, focused on enabling the business by proactively managing information security risks and maintaining effective controls. Our mission is to reduce the likelihood and impact of security risks while operating a robust assurance program that builds trust with our customers, consumers, and data partners. We own Plaid’s security compliance frameworks, run our audits and risk programs, and partner across the company to keep Plaid’s platform secure, resilient, and aligned with industry and regulatory expectations. GRC Engineering is how we make all of that scale — turning compliance into code, evidence into telemetry, and audits into a continuous, automated capability. This role is foundational and high-ownership, defining an emerging discipline from the ground up. The goal is to turn most of our current manual and point-in-time compliance work into a continuous, data-driven, and scalable engineered system, and to set the technical direction for the field.

Requirements

  • Strong Python and SQL, with a proven track record of building API/webhook integrations that connect disparate systems.
  • Experience owning an internal tool or service end to end — design, build, operate, and maintain — with real users depending on it.
  • Hands-on experience with AWS and cloud-native security controls, including the ability to query cloud, GitHub, and SaaS logs.
  • Proficiency with dashboarding / data-visualization tools (e.g., Mode) to turn control and risk data into KPIs and signal.
  • Experience building and operating continuous controls monitoring end to end — collecting signal from live systems, writing and tuning the detection logic that compares state to a baseline, alerting, and driving remediation.
  • Demonstrated ability to model controls, policies, and framework mappings as structured, version-controlled data rather than docs and spreadsheets.
  • Hands-on experience with IaC (Terraform) and policy-as-code (OPA/Rego, Sentinel), including embedding compliance checks into CI/CD.
  • Proven ability to eliminate recurring operational toil — evidence pulls, access and vendor reviews, questionnaires, risk-register upkeep, status reports — with durable automation rather than one-off scripts.
  • Working knowledge of SOC 2, ISO 27001/27701, and NIST CSF/800-53, with the ability to map controls to evidence and crosswalk a single control across frameworks.
  • Experience conducting security or technology risk assessments and translating findings into data-driven mitigation.
  • Familiarity with the shift to continuous compliance (FedRAMP 20x, machine-readable Key Security Indicators) and how it changes evidence and control design.
  • Demonstrated ability to build and scale agentic / AI-assisted workflows (Claude, OpenAI) as leverage for the whole team.
  • Ability to work independently and cross-functionally across security, infrastructure, and engineering, with strong prioritization and the ability to influence without authority.

Nice To Haves

  • Direct experience with FedRAMP or FedRAMP 20x, or other public-sector / continuous-compliance authorizations.
  • Experience with audit / compliance automation platforms (Anecdotes, Drata, Vanta, Paramify, or similar).
  • Exposure to security incident response and triage.
  • Experience in a high-growth fintech or financial-services environment.
  • Degree in Computer Science, Cybersecurity, or a related field.

Responsibilities

  • Define the discipline and the architecture — how GRC Engineering works at Plaid, not just execute within it.
  • Build the foundation the function runs on — a codified source of truth for controls, policies, and evidence, fed by live pipelines and continuous controls monitoring.
  • Be the engineering backbone for Security Assurance & Trust Enablement, Third-Party Ecosystem Risk, and Risk Management.
  • Make risk visible and data-driven — turning control and risk data into real-time signals for the team and leadership.
  • Pioneer where compliance is heading — compliance-agents-as-code in the SDLC, AI- and agent-driven workflows, and machine-readable continuous compliance (FedRAMP 20x).
  • Architect GRC's Engineering Foundation: Build the pipelines and codified source of truth the function runs on — controls, policies, and framework mappings captured as structured, version-controlled data and fed by live control and system state — so one control maps evidence across SOC 2, ISO, NIST, and beyond instead of being re-collected for every audit.
  • Build Continuous Controls Monitoring: Automate evidence collection, control testing, and monitoring across cloud and internal systems, and write and tune the detection that flags drift and misconfiguration against baseline — so audit readiness is continuous and gaps surface the moment they appear, not at audit time.
  • Turn Data into Risk Signal: Build dashboards and SQL-driven reporting that turn raw control and risk data into KPIs, giving the team and leadership real-time visibility into risk posture.
  • Drive Data-Informed Risk Assessments: Conduct security and technology risk assessments and recommend mitigations using data — keeping the risk management program running while cutting its manual overhead.
  • Automate Operational Toil: Eliminate the recurring manual work the team carries — evidence pulls, access and vendor reviews, questionnaires, risk-register upkeep, status reporting — with durable automation that gives time back across every workstream.
  • Shift Compliance Left with Code and AI: Embed compliance checks into the CI/CD flow as policy-as-code so controls are validated as code ships, prototype self-healing policies reconciled against live infrastructure, and scale agentic / AI-assisted workflows across the function.
  • Future-proof for Continuous Compliance: Build toward machine-readable, continuously validated evidence (FedRAMP 20x-style Key Security Indicators), positioning Plaid to meet continuous-compliance expectations as we enter new markets and pursue new authorizations.

Benefits

  • medical
  • dental
  • vision
  • 401(k)
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service