AI Security Governance & Policy Specialist
Listed on 2026-07-07
-
IT/Tech
Cybersecurity, Information Security, Data Security, AI Evaluation
For a well-known Islamic Bank in Kuwait
, we are hiring an AI Security Governance & Policy Specialist to build and operate security governance for LLM/ML/AI systems across the full lifecycle (use-case intake → design → build → test → deploy → monitor → retire).
This position focuses on delivering tangible governance outputs: writing and maintaining enforceable policies and standards, translating frameworks into practical control requirements, performing AI security risk assessments, reviewing solution designs and technical evidence, and ensuring required testing and monitoring are implemented and evidenced.
The role aligns AI governance and controls to recognized frameworks such as NIST AI RMF and ISO/IEC 42001, while ensuring consistency with existing enterprise security baselines (e.g., ISO/IEC 27001-style controls). The specialist partners with VMPT to ensure AI solutions undergo appropriate testing (including adversarial testing/red teaming), secure code practices, vulnerability management, and evidence-based exception handling where required.
Key Responsibilities AI Policies, Standards, and Control Requirements- Draft, maintain, and publish AI security policies, standards, and minimum baselines for LLM/ML/AI solutions.
- Produce clear, testable requirements and guidance covering:
- Model onboarding and approval (internal and third-party models, versioning, provenance, licensing/usage constraints)
- Secure AI SDLC requirements (threat modeling, secure design, testing, change control, release gates)
- AI data governance requirements (data classification, retention, data minimization, leakage prevention, approved sources for RAG)
- Logging/telemetry requirements for AI apps and model endpoints (audit trails, redaction guidance, monitoring and alerting expectations)
- Maintain reusable governance artifacts and templates: intake forms, control checklists, evidence packs, exception/waiver forms, and sign-off criteria.
- Perform hands-on AI security risk assessments for new and changed use cases, documenting:
- threat scenarios specific to AI and LLM integrations
- required controls and compensating controls
- residual risk and recommended risk treatment
- Apply NIST AI RMF concepts to structure AI risks in a practical way that engineering teams can implement and test.
- Maintain an AI security risk register with clear remediation actions, owners, dates, and closure evidence.
- Validate control implementation by reviewing technical evidence (architecture diagrams, IAM role assignments, secrets handling approach, logging configuration, test results, monitoring dashboards), and track remediation through closure.
- Define and enforce minimum assurance requirements for AI solutions, including:
- adversarial testing / AI red teaming minimum expectations (in coordination with VMPT)
- secure code review expectations for AI application layers (prompt handling, retrieval logic, output handling, tool invocation)
- pre-production and post-release monitoring requirements (abuse detection signals, data leakage indicators, model/API usage anomalies)
- Review and validate the evidence that testing and monitoring were performed and met required outcomes (reports, findings, retest results, operational telemetry).
- Ensure guidance remains aligned with industry references such as OWASP LLM Top 10, and translate that guidance into actionable requirements and developer-friendly mitigation checklists.
- Maintain “secure-by-default” patterns for Azure-based GenAI deployments, including:
- identity and access controls (least privilege, service identities, key rotation expectations)
- network isolation and endpoint exposure controls
- secrets management and encryption requirements
- logging/telemetry baselines and retention requirements
- environment separation and deployment guardrails
- Define governance requirements for enterprise GenAI data handling (what data is permitted, what must be masked/redacted, what requires additional approvals, what must be logged).
- Support onboarding of third-party AI services and vendors by defining security questionnaires, minimum…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).