Senior Enterprise Secruity Engineer

Thumbtack•Toronto, ON

2d•CA$180,200 - CA$233,200

About The Position

Thumbtack helps millions of people confidently care for their homes. Thumbtack is the one app you need to take care of and improve your home — from personalized guidance to AI tools and a best-in-class hiring experience. Every day in every county of the U.S., people turn to Thumbtack to complete urgent repairs, seasonal maintenance and bigger improvements. We help homeowners know which projects to do, when to do them and who to hire from our growing community of 300,000 local service businesses. If making an impact inspires you, join us. Imagine what we’ll build together. About the Cyber Security Team The Security Engineering team at Thumbtack is focused on enabling innovation at scale by making the secure path the easiest path. We believe strong security is not a blocker to velocity, but a force multiplier when it is designed into systems, platforms, and developer workflows from the start. We partner closely with teams across the organization to shape system design, guide architectural decisions, and evolve Thumbtack’s security posture as the company scales. Through collaboration, automation, and thoughtful tradeoffs, we help ensure Thumbtack can ship fast, innovate boldly, and maintain customer trust. The challenge AI is reshaping how work gets done at Thumbtack. Employees leverage AI assistants in their daily work and teams are building autonomous agents that act on their behalf - reading data, calling APIs, and making changes across enterprise systems. This introduces changes in the risk landscape. Identities now belong to agents and services as often as to people. Protocols like MCP are opening new pathways between AI and enterprise data. And the pipelines feeding AI systems cross more services, vendors, and trust boundaries than they have previously. The challenge is to evolve security controls to address these shifts in the technology and risk landscape driven by AI-adoption: hardening IAM for non-human and delegated identities, defining safe defaults for MCP servers and autonomous agents, and securing the data pipelines that feed AI systems. We package these controls as secure defaults, paved paths, and reusable patterns so teams can adopt them with confidence. The goal is straightforward — keep Thumbtack moving fast on AI while keeping customer and employee data protected. What you’ll do This role focuses on improving AI-adjacent security at Thumbtack, including the agents, identities, integrations, and data pipelines that modern AI systems depend on. It also covers broader security engineering work across the enterprise platforms and services that support them. Deliver high-quality security assessments and threat models for first-party and third-party AI tools, agents, and AI-integrated systems, ensuring they adhere to enterprise security principles and approved patterns, with sound authentication, authorization, data access, and observability by design. Design and validate technical guardrails and reusable patterns that keep AI usage safe at Thumbtack. This spans AI behavior (safe defaults for agent actions, tool and permission scoping, human-in-the-loop boundaries for sensitive access, input and output controls, audit and observability) and AI connectivity (MCP servers, integrations, trust boundaries, and the data pipelines that feed first- and third-party AI systems). Contribute to the frameworks and tooling that support secure AI development and use across Thumbtack. Harden IAM across the enterprise, with particular focus on the non-human and delegated identities behind AI systems (service accounts, agent credentials, SaaS-to-SaaS OAuth, and SCIM federation). Bring least-privilege and lifecycle hygiene to identities that increasingly act at machine speed. Provide broader security engineering support across Thumbtack's enterprise platforms and services, including SaaS security and posture management, third-party and integration security, data governance, endpoint security, and identity-centric controls. Build paved paths, shared tooling, and automation that scale these controls. Lead cross-functional security initiatives end-to-end. Partner with IT, Engineering, Legal, Privacy, Procurement, and business stakeholders to surface risk early, set clear requirements, and support scalable adoption of secure patterns. Conduct security design and architecture reviews for enterprise applications, SaaS platforms, and internally developed systems. Mentor engineers and partner-team members, raising the overall security bar through guidance and example. Support security incident response and drive learning through post-incident analysis.

Requirements

6+ years of experience in security engineering, enterprise security, application security, cloud security, or a related field.
Experience developing threat models and proposing technical guardrails for AI tooling and agentic systems, including non-human identities, tool/permission scoping, and safe defaults for agent behavior.
Deep expertise in modern enterprise security disciplines: authentication and authorization (SSO, OAuth/OIDC, SAML, federation, SCIM), API security and token handling, secrets management, least-privilege design, SaaS security and posture management.
Strong experience evaluating risk and conducting security design and architecture reviews across enterprise applications, SaaS platforms, integrations, and internally developed systems, including evaluating data flows, third-party integrations, trust boundaries, automation platforms, AI-connected workflows, and emerging integration patterns such as MCP.
Strong experience securing modern, cloud-native systems (AWS and/or GCP) and familiarity with core control domains such as audit logging, encryption, access control, data retention, and incident response.
Strong sense of ownership and accountability, balancing hands-on technical execution with the ability to mentor others, raise standards, and drive measurable improvements in enterprise security.
Excellent written and verbal communication skills, with the ability to influence without authority and translate technical risk into clear requirements and actionable guidance for both technical and non-technical audiences.

Responsibilities

Deliver high-quality security assessments and threat models for first-party and third-party AI tools, agents, and AI-integrated systems, ensuring they adhere to enterprise security principles and approved patterns, with sound authentication, authorization, data access, and observability by design.
Design and validate technical guardrails and reusable patterns that keep AI usage safe at Thumbtack. This spans AI behavior (safe defaults for agent actions, tool and permission scoping, human-in-the-loop boundaries for sensitive access, input and output controls, audit and observability) and AI connectivity (MCP servers, integrations, trust boundaries, and the data pipelines that feed first- and third-party AI systems). Contribute to the frameworks and tooling that support secure AI development and use across Thumbtack.
Harden IAM across the enterprise, with particular focus on the non-human and delegated identities behind AI systems (service accounts, agent credentials, SaaS-to-SaaS OAuth, and SCIM federation). Bring least-privilege and lifecycle hygiene to identities that increasingly act at machine speed.
Provide broader security engineering support across Thumbtack's enterprise platforms and services, including SaaS security and posture management, third-party and integration security, data governance, endpoint security, and identity-centric controls. Build paved paths, shared tooling, and automation that scale these controls.
Lead cross-functional security initiatives end-to-end. Partner with IT, Engineering, Legal, Privacy, Procurement, and business stakeholders to surface risk early, set clear requirements, and support scalable adoption of secure patterns. Conduct security design and architecture reviews for enterprise applications, SaaS platforms, and internally developed systems.
Mentor engineers and partner-team members, raising the overall security bar through guidance and example.
Support security incident response and drive learning through post-incident analysis.