Rhymetec is a cybersecurity company that partners with businesses to protect, detect, and respond to evolving cyber threats, guided by its mission to provide security that enables
Federal Security Program Manager
Location: New York
Posted: 3 days ago
Salary: 0
Seniority: Mid Level
Job Description
Title: Federal Security Program Manager
Location: Remote (United States)

About Rhymetec: Rhymetec was founded in New York City in 2015, growing steadily in the areas of compliance, cyber security and data privacy. Our mission is to ensure our clients are compliant faster, so they can focus on their core business and less on the complexities of building effective and compliant infosec programs.

Job Responsibilities
- Lead technical federal compliance programs from scoping to delivery at scale for Rhymetec’s customers, with a focus on government contractor and federal agency requirements including CMMC, FedRAMP, and NIST 800-171.
- Manage a small team of Security Analysts, driving performance through structured coaching, clear accountability measures, and consistent delivery of high-quality customer outcomes.
- Build information security programs for Rhymetec’s clients. This includes conducting gap assessments against federal and commercial cyber security frameworks, conducting risk assessments, and building strategy for creating and enhancing cyber security programs aligned to NIST 800-53, CMMC, and FedRAMP baselines.
- Achieve and maintain compliance for cyber security frameworks selected by Rhymetec’s customers.
- Participate in and manage CMMC, FedRAMP, GovRAMP, and other external audits on behalf of customers, and provide evidence to CPAs and/or QSAs.
- Lead project management for Rhymetec’s customers and create tasks and milestones to achieve required objectives.
- Ensure customers achieve the required security objectives, such as compliance frameworks, on time.
- Monitor and enforce SLAs for responding to customer requests.
- Develop methods of tracking project progress and performance. Analyze results to determine potential issues, risks, and enhancements.
- Improve and maintain customer retention by serving as a trusted federal compliance advisor, guiding clients through the complexity of government security requirements and positioning Rhymetec as a long-term strategic partner.

Qualifications
- 4+ years working in the federal cybersecurity and GRC space
- Demonstrated ability to function in a fast-paced, multi-program environment with changing priorities
- Previous experience in managing waterfall, hybrid, and agile delivery teams
- Good leadership skills, including the ability to influence and gain consensus in the absence of direct authority
- Ability to anticipate potential problems and proactively troubleshoot to resolve issues
- Understanding of cloud architecture and modern cloud systems
- Project management and people management delegation skills
- Federal certifications preferred (CCP highly preferred)
- U.S. Citizenship or Permanent Residency is required
- Availability to travel up to 2 weeks out of the year

Benefits: Rhymetec offers a robust employee package, including:
- No-cost medical coverage for employees
- Dental and Vision Benefits
- PTO and Sick Time, including 11 paid Holidays
- 401K retirement option
- Company-paid Life Insurance
- Summer Fridays!
- Annual career growth stipend - we want to see you thrive
- Annual Subscription to TalkSpace (online counseling & therapy service)

Rhymetec is committed to creating a diverse environment and is proud to be an equal-opportunity employer. All qualified applicants will receive consideration for employment regardless of race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetic information, disability, age, or veteran status.
More Security Engineer Jobs
• Act as the bridge between architectural intent and operational reality; mediate conflicts between security requirements and feasible implementation, propose compensating controls where gaps exist and help register, track and remediate residual risks.
• Implement preventive, default-on security controls across cloud and enterprise environments, codified as policy- and infrastructure-as-code so security is enforced by design, including controls that govern how AI tools and models may be used.
• Implement and enforce identity and access controls to an agreed standard, including access boundaries for AI systems and non-human/agent identities, by partnering with Platform Engineering and IT to align tooling and policy to the architecture.
• Assist in maintaining the InfoSec risk register; track emerging threats and translate them into actionable guidance for engineering teams.
• Support third-party and vendor risk assessments, with a focus on vendors who process data through AI pipelines.
• Automate repetitive security workflows (evidence collection, access reviews, alert enrichment) and build or operate AI-assisted security agents — with human-in-the-loop approval gates, least-privilege credentials, and explicit attention to each agent's own blast radius.
• Integrate security tooling (SIEM, CSPM, DAST/SAST, vulnerability scanners) with LLM layers to surface actionable insight and automated responses.
• Define and enforce security requirements for AI-powered features: model access controls, prompt-injection mitigations, output validation, and data-handling boundaries.
• Conduct threat modelling on agentic and LLM-based systems, accounting for novel attack surfaces such as tool misuse, indirect prompt injection, and supply chain risk.
• Reviewing the current information risk program, including improvements to processes that identify, measure, track, and remediate risks with business owners.
• Working collaboratively with other information security risk personnel across Instructure to help identify enterprise-level risks for the CISO and work on finding enterprise-level solutions.
• Assisting in annual audits for industry-specific reports, such as ISO27001, PCI, SOC 1 and SOC 2 Type I and Type II reports, where risk controls are affected.
• Developing and executing information security internal control testing across the enterprise.
• Working with product Engineering teams to secure solutions and ensure that Instructure procedures comply with regulatory framework requirements.
• Partnering with engineering teams to design and implement technical solutions to mitigate security risks.
• Collaborating with internal teams to establish metrics and dashboards that effectively measure the success of security programs.
• Coordinating between external auditors and internal controls owners, ensuring smooth communication and efficient evidence gathering.
• Documenting findings and assessing risk where deviations exist resulting from internal and external testing.
• Evaluating third-party vendors to ensure compliance with established standards and risk tolerance levels.
• Presenting results and findings of audits to peers and leadership when necessary.
• Writing and editing policies and reports to maintain an industry-leading risk program.
• Communicating the value of GRC and information risk management at Instructure.
• Acting as an information security risk leader for Instructure, ensuring a world-class security posture.
• Reviewing new tools for security risks during the procurement process.
• Design, implement, and maintain DLP controls across email, endpoint, cloud, web, and collaboration platforms
• Engineer and tune custom DLP detections using regex, Exact Data Matching (EDM), Indexed Document Matching (IDM), classifiers, and contextual telemetry
• Own the full DLP policy lifecycle, including policy creation, normalization, testing, deployment, tuning, version control, and change management
• Analyze and triage DLP and insider risk alerts, conduct root cause analysis, and recommend mitigation strategies to improve control effectiveness
• Partner with Security Operations, Incident Response, Risk, Legal, Compliance, and Information Protection teams to investigate potential data exfiltration and insider risk events
• Build and enhance automation workflows, dashboards, and reporting to improve visibility into data movement, user behavior, and program performance
• Serve as a technical subject matter expert for DLP platforms and data protection capabilities across the enterprise
• Translate regulatory requirements, business needs, and risk scenarios into practical, enforceable technical controls
• Continuously improve detection quality, operational processes, and reporting to advance program maturity and business alignment
• Contribute to the evaluation and responsible use of AI-enabled security capabilities that improve detection, analysis, and operational efficiency within data protection workflows
Senior Product Security Engineer
Instacart: Instacart invites the world to share love through food. This is how homemade is made.
• Design and conduct offensive security operations / engagements for product and internal tools across Instacart.
• Deploy and operationalize a variety of open-source and commercially available security tools that can scale out and be maintained long term.
• Collaborate with cross-functional teams, including engineering and product, to integrate security testing into their SDLC cycle.
• Share knowledge and mentor other team members, promoting a culture of continuous learning and growth.