Senior Associate - Senior AI Platform Security Engineer
Job in New York, New York County, New York, 10261, USA
Listed on 2026-06-02
Listing for: New York Life
Full Time position
Job specializations:
- IT/Tech: Cybersecurity, Systems Engineer
Job Description & How to Apply Below
Location Designation: Hybrid - 3 days per week
We are looking for a Senior AI Platform Security Engineer who lives on GCP and can own the security architecture end-to-end, not just advise on it. You will design guardrails, write Terraform, integrate with Harness CI/CD pipelines, and partner with engineering teams to ensure every resource deployed is secure by default. This role is GCP-first. Familiarity with AWS and Azure is a plus, but your day-to-day will be deep in Google Cloud: securing GKE workloads, governing AI pipelines on Vertex AI, managing identities via ICAM, and using native GCP security services to detect and respond to threats.
Native GCP Security Controls
- Own the deployment and configuration of GCP-native security services including Cloud Armor, Certificate Manager, Cloud KMS, Secret Manager, and Cloud DLP integrated with Elastic SIEM for centralized detection and response.
- Build and maintain detective controls, custom EQL/KQL threat detection rules, and alerting pipelines within Elastic SIEM using GCP log sources ingested through Beats or Elastic Agent.
- Define and enforce organization-wide Security Command Center (SCC) findings policies, remediation workflows, and SLA management processes.
- Develop scalable reference architectures and security blueprints for IAM, network segmentation, and data protection across GCP projects.
- Write and maintain production-grade Terraform modules implementing security controls as code.
- Integrate Terraform workflows into Harness CI/CD pipelines using ICAM-governed service accounts and workload identity controls.
- Partner with engineering teams to operationalize security architecture decisions into implemented controls and standards.
- Define and implement policy-as-code guardrails using OPA, Sentinel, Checkov, or equivalent tooling.
- Integrate security gates into CI/CD pipelines including secrets scanning, pre-deployment policy validation, and post-deployment drift detection.
- Enforce least-privilege service account policies and workload identity federation across all deployment stages.
- Establish GKE security standards including pod security admission, network policies, Workload Identity, Binary Authorization, and container image scanning.
- Define requirements for admission controllers, runtime protection tooling, and Kubernetes hardening standards.
- Own vulnerability management processes for containerized environments, including CVE tracking and remediation coordination.
- Use AI-enabled CSPM tooling to analyze security telemetry, identify systemic risks, and automate remediation guidance.
- Embed security controls into AI/ML workflows including audit logging, data governance, and model output monitoring.
- Automate detection and response playbooks using Elastic SIEM case management and SOAR tooling.
- Enable and secure Google AI services including Vertex AI pipelines, Gemini APIs, and BigQuery ML workloads.
- Design scalable architectures for LLM-based applications including RAG pipelines, vector search, grounding strategies, and orchestration frameworks.
- Establish secure patterns for AI agents, memory and state management, session isolation, and data retention controls.
- Implement monitoring and guardrails for AI systems in production including prompt injection protection, output filtering, and anomaly detection.
- 5+ years of experience in cloud security, with the majority focused on GCP environments.
- Deep hands-on experience with GCP security services including IAM, VPC Service Controls, Cloud Armor, KMS, Secret Manager, DLP, and SCC.
- Strong Elastic SIEM experience including log ingestion, detection engineering, alert management, and threat correlation.
- Production-level Terraform experience including module development, infrastructure automation, and state management.
- Experience integrating security controls into CI/CD pipelines using Harness or equivalent platforms.
- Strong knowledge of Kubernetes and GKE security including pod security admission, network policies, Workload Identity, and Binary Authorization.
- Hands-on experience with ICAM or enterprise identity platforms governing non-human identities and workload access.
- Practical knowledge of AI/ML security including Vertex AI workload protection, LLM API governance, and training data security.
- Google Professional Cloud Security Engineer or Professional Cloud Architect certification.
- Experience with policy-as-code tooling such as OPA/Rego, Sentinel, or Checkov.
- Familiarity with AWS security services including IAM, GuardDuty, SCPs, and multi-cloud security architectures.
- Experience with Cribl Stream or similar log routing technologies integrated with Elasticsearch.
- Understanding of compliance-driven security requirements including NY DFS 23 NYCRR 500, NAIC, NIST CSF, CIS Benchmarks, and ISO 27001.
- Working knowledge of enterprise identity platforms…
Position Requirements
10+ Years work experience