Senior GRC Engineer

About The Position

Requirements

• 5+ years in GRC, information security, or compliance engineering, with at least 3 years in healthcare or health-tech
• Demonstrated ability to write code that extracts evidence directly from systems (Azure, IAM, endpoints, APIs), not just configure workflow tools
• Has built something using an LLM or AI framework: a working tool, even a prototype.
• Thinks like an engineer first: sees a manual compliance process and asks how to eliminate it, not how to document it better
• Experience with continuous control monitoring, integrating compliance checks into CI/CD or cloud infrastructure
• Working knowledge of Python, SQL, or equivalent for data extraction, risk scoring, and compliance automation
• Experience with cloud security controls in Azure

Nice To Haves

• CISA, CRISC, CISM, or CISSP
• HITRUST CCSFP a strong plus
• Build systems, not checklists. Manual processes are temporary; automation is the goal
• Move with urgency and precision, flagging risk before it becomes an issue
• Balance rigor with pragmatism, enabling the organization to move fast while staying protected
• Communicate clearly to both technical and non-technical audiences without losing nuance
• Bring genuine curiosity about AI. Follow the space and have formed opinions
• Embody Lantern’s LIGHT pillars (Logic, Inclusion, Grit, Humanity, Truth) in every interaction

Responsibilities

• Write scripts (Python, SQL, APIs) to pull evidence directly from source systems (AWS, Azure, IAM platforms, endpoint agents, CI/CD pipelines), eliminating manual evidence collection
• Build and maintain continuous control monitoring workflows integrated into engineering pipelines, not just GRC platforms
• Design compliance-as-code and policy-as-code approaches; own the technical architecture of how controls are tested automatically
• Operate and extend the GRC platform (ServiceNow GRC, Drata, OneTrust, or equivalent) as an engineer, not just a user, including building integrations and automating evidence routing
• Build and maintain Lantern’s AI risk register and AI systems inventory, including pre-deployment risk assessments for new AI use cases across our benefits platform in partnership with Engineering and Product
• Implement AI governance controls aligned to the NIST AI RMF, covering model risk, bias, transparency, and accountability, with a bias toward automated monitoring over manual review
• Monitor HHS AI policy, EU AI Act, and state-level regulation; translate emerging requirements into actionable, automatable controls
• Govern AI systems used within the GRC function itself, including any LLM-powered evidence analysis or control monitoring tools
• Own the HIPAA Privacy and Security compliance program: risk assessments, remediation tracking, workforce training coordination, and ongoing monitoring
• Support HITRUST CSF certification and SOC 2 Type II audit cycles as a technical contributor, building automated evidence pipelines rather than collecting evidence manually
• Map the control environment against NIST CSF; identify gaps and build a prioritized, automatable remediation roadmap
• Build and maintain the enterprise risk register with automated KRI tracking and outcome-based reporting for leadership
• Run the third-party risk management (TPRM) program with a continuous monitoring posture: automated vendor monitoring rather than point-in-time assessments
• Conduct vendor risk assessments with emphasis on cloud vendors handling PHI and AI/ML vendors embedding models into products we purchase

Benefits

• Medical Insurance
• Dental Insurance
• Vision Insurance
• Short & Long Term Disability
• Life Insurance
• 401k with company match
• Flexible Time Off
• Paid Parental Leave