• Act as the bridge between architectural intent and operational reality; mediate conflicts between security requirements and feasible implementation, propose compensating controls where gaps exist and help register, track and remediate residual risks. • Implement preventive, default-on security controls across cloud and enterprise environments, codified as policy- and infrastructure-as-code so security is enforced by design, including controls that govern how AI tools and models may be used. • Implement and enforce identity and access controls to an agreed standard, including access boundaries for AI systems and non-human/agent identities by partnering with Platform Engineering and IT to align tooling and policy to the architecture. • Assist in maintaining the InfoSec risk register; track emerging threats and translate them into actionable guidance for engineering teams. • Support third-party and vendor risk assessments, with a focus on vendors who process data through AI pipelines. • Automate repetitive security workflows (evidence collection, access reviews, alert enrichment) and build or operate AI-assisted security agents — with human-in-the-loop approval gates, least-privilege credentials, and explicit attention to each agent's own blast radius. • Integrate security tooling (SIEM, CSPM, DAST/SAST, vulnerability scanners) with LLM layers to surface actionable insight and automated responses. • Define and enforce security requirements for AI-powered features: model access controls, prompt-injection mitigations, output validation, and data-handling boundaries. • Conduct threat modelling on agentic and LLM-based systems, accounting for novel attack surfaces such as tool misuse, indirect prompt injection, and supply chain risk.

• Act as the bridge between architectural intent and operational reality; mediate conflicts between security requirements and feasible implementation, propose compensating controls where gaps exist and help register, track and remediate residual risks. • Implement preventive, default-on security controls across cloud and enterprise environments, codified as policy- and infrastructure-as-code so security is enforced by design, including controls that govern how AI tools and models may be used. • Implement and enforce identity and access controls to an agreed standard, including access boundaries for AI systems and non-human/agent identities by partnering with Platform Engineering and IT to align tooling and policy to the architecture. • Assist in maintaining the InfoSec risk register; track emerging threats and translate them into actionable guidance for engineering teams. • Support third-party and vendor risk assessments, with a focus on vendors who process data through AI pipelines. • Automate repetitive security workflows (evidence collection, access reviews, alert enrichment) and build or operate AI-assisted security agents — with human-in-the-loop approval gates, least-privilege credentials, and explicit attention to each agent's own blast radius. • Integrate security tooling (SIEM, CSPM, DAST/SAST, vulnerability scanners) with LLM layers to surface actionable insight and automated responses. • Define and enforce security requirements for AI-powered features: model access controls, prompt-injection mitigations, output validation, and data-handling boundaries. • Conduct threat modelling on agentic and LLM-based systems, accounting for novel attack surfaces such as tool misuse, indirect prompt injection, and supply chain risk.

• Act as the bridge between architectural intent and operational reality; mediate conflicts between security requirements and feasible implementation, propose compensating controls where gaps exist and help register, track and remediate residual risks. • Implement preventive, default-on security controls across cloud and enterprise environments, codified as policy- and infrastructure-as-code so security is enforced by design, including controls that govern how AI tools and models may be used. • Implement and enforce identity and access controls to an agreed standard, including access boundaries for AI systems and non-human/agent identities by partnering with Platform Engineering and IT to align tooling and policy to the architecture. • Assist in maintaining the InfoSec risk register; track emerging threats and translate them into actionable guidance for engineering teams. • Support third-party and vendor risk assessments, with a focus on vendors who process data through AI pipelines. • Automate repetitive security workflows (evidence collection, access reviews, alert enrichment) and build or operate AI-assisted security agents — with human-in-the-loop approval gates, least-privilege credentials, and explicit attention to each agent's own blast radius. • Integrate security tooling (SIEM, CSPM, DAST/SAST, vulnerability scanners) with LLM layers to surface actionable insight and automated responses. • Define and enforce security requirements for AI-powered features: model access controls, prompt-injection mitigations, output validation, and data-handling boundaries. • Conduct threat modelling on agentic and LLM-based systems, accounting for novel attack surfaces such as tool misuse, indirect prompt injection, and supply chain risk.

• Act as the bridge between architectural intent and operational reality; mediate conflicts between security requirements and feasible implementation, propose compensating controls where gaps exist and help register, track and remediate residual risks. • Implement preventive, default-on security controls across cloud and enterprise environments, codified as policy- and infrastructure-as-code so security is enforced by design, including controls that govern how AI tools and models may be used. • Implement and enforce identity and access controls to an agreed standard, including access boundaries for AI systems and non-human/agent identities by partnering with Platform Engineering and IT to align tooling and policy to the architecture. • Assist in maintaining the InfoSec risk register; track emerging threats and translate them into actionable guidance for engineering teams. • Support third-party and vendor risk assessments, with a focus on vendors who process data through AI pipelines. • Automate repetitive security workflows (evidence collection, access reviews, alert enrichment) and build or operate AI-assisted security agents — with human-in-the-loop approval gates, least-privilege credentials, and explicit attention to each agent's own blast radius. • Integrate security tooling (SIEM, CSPM, DAST/SAST, vulnerability scanners) with LLM layers to surface actionable insight and automated responses. • Define and enforce security requirements for AI-powered features: model access controls, prompt-injection mitigations, output validation, and data-handling boundaries. • Conduct threat modelling on agentic and LLM-based systems, accounting for novel attack surfaces such as tool misuse, indirect prompt injection, and supply chain risk.