International Rescue Committee
Non-profit + 1 more
Description
Education
- Bachelor's degree in Computer Science, Information Security, Cybersecurity, or a related technical field
- Advanced degree (Master's or equivalent) preferred but not required where experience is demonstrably strong
Experience
- 10+ years of experience in information security, with at least 4-5 years in a people management or senior security leadership role
- Demonstrated hands-on experience securing AI/ML systems, LLM-based applications, or agentic AI workflows
- Proven experience conducting threat modeling, security architecture reviews, and risk assessments for complex, distributed systems
- Experience building and leading security teams, including hiring, developing, and retaining talent in a fast-moving technical domain
- Track record of working cross-functionally with engineering, product, legal, and compliance teams; experience owning and managing a security budget including tooling, vendor, and headcount decisions
- Prior experience with incident response and managing security incidents involving automated or AI-driven systems is strongly preferred
- Demonstrated experience managing and developing a team of security professionals, including hiring, performance management, and career development
Responsibilities
AI Security Strategy & Governance
- Define, own, and continuously mature the IRC's AI security strategy and program roadmap
- Establish and maintain the organization-wide AI agent registry — a governed inventory of all AI agents in production, including their purpose, permissions, data access, and accountable owners
- Develop and publish secure-by-default standards, frameworks, and reference architectures for internal AI agent development
- Create and enforce AI security policies covering agent development, deployment, monitoring, and decommissioning
- Report AI security risk posture, program progress, and emerging threats to the CISO and senior leadership on a regular cadence; serve as a key member of the security leadership team
Security Risk Assessment & Review
- Coordinate and perform GIS security reviews within the organization's AI governance framework, ensuring AI platforms, agents, and use cases receive appropriate security assessment and approval prior to production deployment
- Partner with AI Governance, Privacy, Legal, and Technology stakeholders to support the AI intake, assessment, and stage-gating process, providing security expertise, control requirements, and risk-based recommendations throughout the solution lifecycle
- Perform security risk assessments and classify AI platforms, agents, and use cases according to the approved risk-tiering model, applying review, control, and approval requirements proportionate to risk
- Conduct a structured controls assessment for every use case, validating that mandatory security baseline requirements are met — including least-privilege access, credential management, audit logging, data minimization, human-in-the-loop checkpoints, and kill switch capability
- Issue formal, documented approval decisions for every reviewed use case — Approved, Approved with Conditions, or Not Approved — with a full written rationale recorded in the AI agent registry to maintain an auditable approval history
- Manage defined SLA timelines for all reviews (Tier 1: 5 business days, Tier 2: 10 business days, Tier 3: 15 business days) to ensure security review does not become a blocker to business unit velocity
- Conduct periodic reassessments of all active agents on a risk-appropriate cycle — annually for Tier 1, semi-annually for Tier 2, and quarterly for Tier 3 — and trigger immediate out-of-cycle reviews whenever a material change is made to an agent's capabilities, data access, or toolset
- Monitor the evolving AI threat landscape on an ongoing basis and proactively assess whether newly discovered attack techniques — including new prompt injection methods, jailbreaks, or model-specific vulnerabilities — expose any currently approved use cases, initiating remediation where required
- Lead post-incident reassessments for any active agent involved in a security incident, updating the agent's approval status and controls requirements based on findings
- Evaluate third-party AI tools, models, and platforms for security risk prior to organizational adoption
- Maintain a risk register specific to AI systems, tracking identified vulnerabilities, mitigations, and residual risk
- Report aggregate review metrics to the CISO on a regular cadence — including number of use cases reviewed, approval rates by tier, common findings, and AI risk distribution across business units — providing organizational visibility into the AI risk posture
Technical Oversight & Controls
- Define technical security requirements for AI agents including least-privilege access, prompt injection defenses, output filtering, audit logging, and human-in-the-loop controls
- Build, lead, and develop a team of AI security engineers responsible for implementing and validating controls across the AI agent development lifecycle
- Own and resource red team and adversarial testing programs targeting AI systems, ensuring adequate coverage through the AI Red Team Engineer and contracted specialists
- Drive adoption of secure coding practices and security tooling within AI development workflows
Identity & Data Security Coordination
- Establish governance frameworks with the IAM team to ensure AI agent identities, service accounts, and credentials are provisioned and governed under least-privilege principles across the organization
- Set data security standards with the ML/Data Security Analyst to ensure sensitive data — including PII, PHI, and proprietary information — is handled correctly throughout AI agent workflows, and hold teams accountable to those standards
- Define data classification requirements for information flowing through AI systems, including what data may and may not be included in model context
Incident Response
- Develop and maintain AI-specific incident response runbooks covering scenarios such as prompt injection attacks, rogue agent behavior, credential compromise, and data leakage via AI systems
- Serve as executive sponsor and escalation point for significant AI-related security incidents, ensuring the organization maintains a tested, capable incident response function
- Conduct post-incident reviews and drive lessons learned back into the AI security program
Regulatory & Compliance Alignment
- Serve as the organization's primary subject matter expert on AI-specific regulatory requirements including the EU AI Act, NIST AI Risk Management Framework (AI RMF), GDPR as applied to AI systems, and emerging regional AI legislation
- Partner with the GRC team to map AI security controls to compliance obligations and maintain evidence for audits
- Monitor the evolving AI regulatory landscape and proactively advise leadership on upcoming obligations
People Leadership & Team Development
- Recruit, hire, onboard, and develop a high-performing AI security team, including AI security engineers, a red team engineer, and a data/ML security analyst
- Set clear team goals, conduct regular performance reviews, and create development plans that grow individual skills and advance careers
- Foster a team culture of continuous learning, given the rapidly evolving AI threat landscape, and ensure team members maintain current expertise in AI security techniques and tooling
Vendor Management
- Lead vendor evaluation and selection for AI security tooling, negotiating contracts and managing ongoing relationships with key security vendors and managed service providers
- Develop a multi-year AI security roadmap aligned to IRC risk appetite and evolving regulatory obligations