Leading autonomous vehicle technology since 2007, Torc develops automated Level 4, Class 8 trucks with Daimler.
Senior Product Cybersecurity Architect
Location
Michigan
Posted
7 days ago
Salary
$153.2K - $183.8K / year
Seniority
Senior
Job Description
Senior Product Cybersecurity Architect
Torc Robotics
- Define and evaluate the implementation of cybersecurity controls, including but not limited to embedded operating systems, encryption, access controls, network security, and secure coding practices.
- Specific hands-on knowledge of implementing cybersecurity for embedded operating systems, networking, and cryptographic controls.
- Conduct, with a cross-functional team, process activities to define requirements, find design deficiencies, detect implementation defects, verify the product's cybersecurity posture, and otherwise secure Torc's products.
- Collaborate with product development teams to embed security into the design and development lifecycle of products and other software development activities.
- Stay abreast of emerging cybersecurity threats and technologies and continuously update our software security approaches, strategies, and solutions accordingly.
- Liaise with external security vendors and partners, managing relationships and ensuring the effective integration of third-party security solutions.
- Prepare and present evidence in the cybersecurity case to demonstrate readiness to launch new products or release new software versions from a cybersecurity perspective.
- Train internal stakeholders on security practices and act as a resource where expert cybersecurity assistance is needed.
Job Requirements
- 5+ years of experience hands-on engineering with safety-critical, cyber-physical systems (automotive, aerospace, medical).
- Bachelor's or Master's degree in computer science, electrical engineering, or related technical field plus demonstrated competences and technical proficiencies typically acquired through 6+ years of experience.
- Strong understanding of cybersecurity principles and practices for embedded, automotive, and autonomous systems.
- Demonstrated hands-on experience with embedded operating systems (Linux, QNX, AUTOSAR) and embedded networking.
- Proficiency in recognizing software/hardware weaknesses and security vulnerabilities, and in documenting them through threat modeling.
Benefits
- A competitive compensation package that includes a bonus component and stock options
- 100% paid medical, dental, and vision premiums for full-time employees
- 401K plan with a 6% employer match
- Flexibility in schedule and generous paid vacation (available immediately after start date)
- AD&D and Life Insurance
More Security Engineer Jobs
Principal / Staff Security Engineer - AI Platform & DevSecOps
Palo Alto, California, United States
The Role
AiDASH protects the critical infrastructure that delivers power to tens of millions of people. We are SOC 2 Type II certified today, and we're working toward ISO 27001 and ISO 42001 certifications in 2027. As we embed GenAI more deeply into our SaaS products (RAG pipelines, agentic / MCP services) and roll out AI-assisted development internally, the threat landscape is shifting fast. Autonomous adversaries, Mythos-class threat actors, prompt injection, model exfiltration, and vibe-coded internal apps spun up by non-engineers are now part of the daily attack surface. We're hiring a Principal or Staff Security Engineer to be our deepest technical voice on security — covering DevSecOps, AI/LLM security, cloud and endpoint defense, IT-Security, and the governance work that will land us ISO 27001 and 42001 certifications in 2027. You'll architect the strategy, pick the right tools where gaps exist, run the audits, and grow the function. You will report to senior leadership and partner with platform, ML, DevOps, and IT leadership across the company. If you've been waiting for a chance to lead the security program at a Series C AI company that ships production AI to critical infrastructure operators, this is that role.
The Team
You'll partner with our existing security and compliance team based in India — a security engineer plus two compliance specialists, currently within the DevOps organization — and serve as the most senior security IC at AiDASH and the company's authority on AI/LLM security. This role represents the next phase of our security investment: bringing senior-IC depth, AI-native security leadership, and modern detection engineering to a program that has so far been operated alongside DevOps.
How you'll make an impact:
DevSecOps & AppSec
- Operate and mature our AppSec toolchain across CI/CD — SAST, DAST, SCA, secrets scanning, and IaC policy-as-code. Deepen coverage and evaluate additional tooling where gaps are real
- Run threat modeling and secure-design reviews; champion shift-left so security is part of every PR, not a gate at the end
- Operate the AIBOM / SBOM toolchain; enforce risk-tiered dependency controls and extend SLSA practices to model artifacts
AI & LLM Security
- Harden production GenAI deployments on AWS (managed model APIs, agentic / MCP services) — IAM, VPC routing, prompt-layer guardrails, output filtering, rate/cost controls
- Codify OWASP LLM Top 10 and MITRE ATLAS controls into the SDLC; introduce LLM eval-as-gate in CI
- Govern internal AI-assisted developer tooling — DLP for what egresses to external model providers, sensitive-data discovery in prompts, and acceptable-use telemetry
- Stand up controls for vibe-coded apps and shadow AI: discover, classify, gate with sane defaults, and bring under the SDLC
ISO 27001 / 42001 & Security Governance
- Lead the company's path to ISO 27001 and ISO 42001 (AI Management System) certifications in 2027 — scope the management systems, run gap assessments, build the control sets, and steer the audit cycles
- Maintain our SOC 2 Type II posture; manage the evidence pipeline, control mappings, and external auditor relationships
- Maintain alignment with the NIST AI RMF and translate emerging AI regulation (EU AI Act, US state AI laws, utility-sector mandates) into concrete engineering requirements
Cloud, Endpoint & IT-Security
- Operate our endpoint, cloud, identity, and SIEM platforms end-to-end. Own detection engineering, tuning, and integration with the rest of the stack
- Harden AWS posture across accounts (Organizations, SCPs, Control Tower); mature Kubernetes security (admission controllers, runtime visibility, pragmatic hardening)
- Stand up zero-trust privileged access — short-lived, audited sessions for production infra, databases, and Kubernetes
- Lead IT-Security: device posture, identity (SSO, MFA, SCIM), network segmentation, SaaS posture, and offboarding hygiene
Detection, Response & Resilience
- Build and tune detections in our SIEM; own the on-call rotation, runbooks, and IR retainer relationships
- Run tabletop exercises across Eng, Legal, and Exec; lead post-incident reviews with blameless write-ups
- Translate AI threat research — prompt injection, data poisoning, model inversion, agent hijacking — into detections and controls that ship with every release
What we're looking for:
Minimum qualifications
- 10+ years in security engineering, with 3+ years owning a DevSecOps or platform-security program in a cloud-native environment (AWS strongly preferred)
- AppSec depth: shipped and operated SAST/DAST/SCA (e.g., Codacy, Semgrep, CodeQL, Snyk, Veracode, or equivalents) at production scale
- AI security: hands-on hardening of a production LLM deployment (AWS Bedrock, Azure OpenAI, Vertex AI, or equivalent) — IAM, VPC routing, guardrails, eval gating. RAG-demo experience alone does not meet the bar
- EDR/XDR + cloud security platform operator: production experience administering CrowdStrike Falcon (Insight/XDR, Cloud Security CNAPP/CSPM, Identity Protection, or Next-Gen SIEM), SentinelOne, Microsoft Defender XDR, or equivalent, including custom detection authoring
- Zero-trust access: experience standing up or operating a privileged-access broker (e.g., Teleport, StrongDM, BeyondTrust, CyberArk, HashiCorp Boundary)
- SBOM/AIBOM tooling: operated Interlynk, Anchore, Dependency-Track, or equivalent at production scale
- Vulnerability management: production experience with Trivy, Aqua, Wiz, Orca, Lacework, or equivalent across containers, IaC, and SCA
- IaC & policy-as-code: Terraform plus production policy-as-code (OPA/Rego, Checkov, Kyverno, tfsec, or equivalent) in a live pipeline
- Container & Kubernetes security: production experience with admission controllers (Kyverno, Gatekeeper), runtime visibility (Falco or equivalent), and pragmatic Kubernetes hardening (gVisor, Kata where it earns its keep)
- DLP experience: real-world sensitive-data discovery across SaaS or developer tooling, including AI-assisted environments
- Compliance fluency: has personally driven SOC 2 Type II or ISO 27001 controls to audit, and can read a control map without flinching
- Bay Area based; able to work hybrid (3 days/week in office)
Preferred qualifications
- Hands-on MCP work — design, hardening, or auth — even early-stage
- ISO 42001 implementation experience; ISO/IEC 42001 Lead Implementer or Lead Auditor certification, or comparable AI-governance leadership
- Familiarity with NIST AI RMF and the EU AI Act's high-risk system requirements
- Prompt-layer DLP and AI runtime guardrails (e.g., Nightfall, Lakera Guard, Cyberhaven, Harmonic Security, Protect AI, NVIDIA NeMo Guardrails)
- LLM eval-as-gate in CI (e.g., Promptfoo, Garak, DeepEval, Giskard) and AI red-teaming experience
- Modern PAM / zero-trust rollouts (Teleport, StrongDM) and SaaS posture management (e.g., AppOmni, Obsidian)
- Experience securing SaaS products sold into regulated sectors (utilities, energy, financial services, healthcare)
- Public signals: conference talks (fwd:cloudsec, DEF CON AI Village, BSides) or open-source contributions in CI/CD, MCP, or LLM-deployment security
- Leadership of incident response for a material security event
- Comfort working with remote, distributed engineering teams across US/India time zones
What you'll love:
- Comprehensive Medical, Dental, and Vision Coverage: 100% coverage for employees and 80% for their spouses and children
- Health Reimbursement Account (HRA): 100% funded by AiDASH to cover medical deductibles
- 401(k) Plan: Begin contributing after three months of employment to prepare for your future. Currently, no company match is offered
- Parental Leave: Supportive parental leave with 16 weeks for primary caregivers and 4 weeks for secondary caregivers
- Generous Vacation Policy: Accrue 20 vacation days per year, plus enjoy an additional flex holiday to celebrate whatever feels most important to you!
- Winter Break: From December 25th through January 1st, we give everyone time off to recharge and enjoy time with family and friends!
We offer a competitive base pay range for this full-time position, which is between $210,000 and $270,000 per year. This range reflects the anticipated base salary for new hires. In addition, this role is also eligible for an annual performance bonus and equity. We strive to ensure our compensation packages are equitable and aligned with industry standards. Your recruiter can share more about compensation during the hiring process.
Principal Security Engineer
Xapo Bank
Xapo Bank is a financial company founded in 2013 that provides services related to Bitcoin. Incorporated in Hong Kong, Guangdong, China, Xapo Bank has a U.S. of
- Architect, implement, and maintain cloud security controls across AWS and GCP to protect our infrastructure, applications, and data.
- Take full ownership of security projects, driving them from initial concept through development, testing, and deployment.
- Review, write and deploy infrastructure-as-code (IaC) security solutions using Terraform.
- Continuously assess cloud environments using Cloud Security Posture Management (CSPM) platforms like Wiz.
- Support monitoring, detection, and response for cloud threats by integrating with tools such as AWS GuardDuty, Security Hub, and GCP Security Command Center.
- Participate actively in incident response and forensic analysis for cloud-related security events.
- Collaborate with cross-functional teams to perform threat modeling and secure architecture reviews for new services and infrastructure changes.
- Help reinforce a security-first culture by sharing best practices and participating in awareness initiatives.
- Drive security by design and build trust across the organization
- Turn complex frameworks into clear, workable standards
- Make sure they live in daily operations, not just on paper
- Translate group security frameworks into practical policies, controls, and procedures
- Build and strengthen a Security-by-Design culture across projects, platforms, and teams
- Guide affiliates with clear tools, training, and hands-on support so they move forward with confidence
- Set up and drive a structured risk management cycle across the group
- Support teams in identifying risks, defining actions, and tracking real progress
- Monitor execution, detect gaps, and report clear insights to senior leadership
- Drive corrective actions and continuous improvement across affiliates
- Support audit readiness and ensure evidence and documentation stay complete and accurate
- Align with IT, PMO, and business teams so governance supports real business needs
- Act as a trusted advisor for leadership on risk, compliance, and security priorities
- Learn from incidents and translate insights into stronger policies and controls
Enterprise Information Security Engineer - Architect
Church Pension Group - CPG
Church Pension Group - CPG is a nonprofit organization and independent agency of the Episcopal Church. Founded in 1917 to provide pension benefits to clergy of the Episcopal, Churc
Title: Enterprise Information Security Engineer - Architect
Location: New York, New York
Department: Information Technology
Job Type: Regular Full Time
Education Level: BA/BS or combination of education and experience
Required Years Experience: 4
Job Description:
Church Pension Group (CPG) is a financial services organization that serves the Episcopal Church, located in Midtown Manhattan. CPG was founded in 1917 to provide pension benefits to eligible clergy of the Episcopal Church. Since then, its mission has expanded to include life and disability insurance, health benefits, property & casualty insurance, and publishing.
The Enterprise Information Security Engineer / Architect reports to the Enterprise Information Security Officer (EISO) and is responsible for designing secure enterprise solutions and implementing robust security measures to protect Church Pension Group's (CPG) information assets and employees. The position ensures that security is embedded across all technologies (on-premises, cloud-hosted, software-as-a-service, and other vendor services) while managing operational security tasks, including monitoring, incident response, compliance, and vendor management. To be effective, the Enterprise Information Security Engineer requires strong communication skills and the ability to lead collaboration efforts with other ITS teams and business units.
ESSENTIAL DUTIES AND RESPONSIBILITIES include the following. Other duties may be assigned.
Architect Systems and Solutions
- Plan and design security solutions that enable identification, protection, detection, response, and recovery from cyber threats.
- Define and develop security requirements from threat assessments, risk modeling, system analysis, and regulations, leveraging standard security frameworks.
- Create security integration plans for existing infrastructure and future solutions.
Security Operations
- Implement and manage security technologies (e.g., firewalls, encryption, SIEM, DLP, IPS) directly, collaborate with other teams, and use MSSPs.
- Monitor networks and systems for security breaches, escalations, and anomalies to ensure optimal security and accurate metrics.
- Perform vulnerability assessments and penetration testing, and manage these services.
- Own several of the security tool vendor relationships.
Governance and Compliance
- Develop and maintain security policies, standards, and procedures to ensure a secure environment and compliance with regulatory requirements.
- Present and manage compliance issues, remediation, and organizational conversations.
- Prepare action plans to harden systems and respond to security and DR events.
Risk Management
- Identify, evaluate, and report on information security risks.
- Perform regular risk assessments and recommend mitigation strategies.
Education and Awareness
- Educate staff on cybersecurity best practices and the security program.
- Acquire or develop training to address identified gaps and remediations.
- Manage IT compliance and collaborate on corporate compliance measures.
- Advise business units on secure configurations, vendors, and architectures.
Support Leadership
- Support the EISO in security event management, group collaboration, and planning and budgeting.
- Maintain and develop both technical and management skills.
- Effective performance of the essential functions of this position requires regular in-person, on-site interaction with colleagues, both for purposes of relationship building and meaningful collaboration.
- Other duties may be assigned.
QUALIFICATIONS: To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
- Strong knowledge of cybersecurity principles, frameworks, and tools.
- Experience with a wide range of tools, including IDS, IPS, firewalls, and SIEMs.
- Deep understanding of Cloud Security and SaaS Vendor Security.
- Proficiency in risk assessment, incident response, and threat modeling.
- Excellent communication skills for cross-functional collaboration.
EDUCATION and/or EXPERIENCE
- 4+ years of relevant Information Security experience
- BA/BS in Computer Science, Engineering, or related field preferred. Combination of work and education considered
- Preferred Certifications: CISSP, CISM, CCSP, CISA, multiple topical GIACs.
- Experience with AWS, Azure M365, Entra ID, Splunk, CrowdStrike, Darktrace, and Tripwire is a plus.
PHYSICAL DEMANDS:
- Extensive use of a computer keyboard is a demand of the position to perform the essential functions of this job successfully.
WORK ENVIRONMENT:
Currently a hybrid work environment, which requires working in CPG's office Tuesdays through Thursdays with flexibility to work remotely on Mondays and Fridays. Church Pension Group employees must always maintain a professional, compassionate, and trustworthy work environment. Reasonable accommodations may be made to enable someone with a disability to perform the essential functions of the job within this environment.
Salary Range: $110,000 - $140,000
Join us and Create A Better Future For Yourself!
Flexible Benefits available to eligible employees:
- Medical (including Vision)
- Dental
Core Benefits automatically provided to eligible employees:
- Employer funded defined benefit pension plan (five year vesting)
- Employee Life Insurance
- Spouse and Dependent Life Insurance
- Accidental Death and Dismemberment (AD&D) Insurance
- Short-Term Disability (STD) coverage
- Long-Term Disability (LTD) coverage (elected as either pre-tax or after-tax)
- Business Travel Accident Insurance
- Worker's Compensation
- Employee Assistance Program
- Retiree health insurance (eligible after 10 years)
- Retiree life insurance
Elective Benefits available to eligible employees:
- 401(k) with matching contributions (immediate vesting)
- Flexible Spending Accounts (FSAs)
- Commuter Benefits
- New York's 529 College Savings Program (NY State residents)
Educational Assistance Program available to eligible employees
Parental Leave available to eligible employees
Time Off available to eligible employees: Vacation, Sick, Personal and Holidays
You may also be eligible to participate in a discretionary annual incentive program, subject to the rules governing the program, whereby an award, if any, depends on various factors, including, without limitation, individual and organizational performance.
In compliance with federal law, all persons hired will be required to verify identity and eligibility to work in the United States and to complete the required employment eligibility verification document form upon hire. Please understand that, as a general policy, CPG does not sponsor visas.