Security Controls Assurance Lead

About Anthropic Anthropic’s mission is to create reliable, interpretable, and steerable AI systems. We want AI to be safe and beneficial for our users and for society as a whole. Our team is a quickly growing group of committed researchers, engineers, policy experts, and business leaders working together to build beneficial AI systems. About the role Anthropic's Security Governance, Risk, and Compliance (GRC) team is the connective tissue that holds the company accountable to its security commitments. We translate regulatory, customer, and voluntary obligations into controls that teams act on, and give leadership a bird's-eye view of how well we're meeting them. We're building toward a fundamentally different kind of GRC: one that directs Claude, with the right humans in the loop, to challenge and evidence the performance of controls continuously rather than through periodic audits. We are designing an integrated compliance and risk ecosystem that serves as a trust engine and an independent risk advisor as Anthropic governs itself at a level beyond frameworks. As part of Security GRC's technical controls assurance function, you will be the voice on what the control environment must achieve. You will define control requirements and acceptance criteria for our global compliance obligations (e.g. SOC 2, ISO 27001/42001, HIPAA, public sector) across the software development lifecycle, pair with engineering as they design and implement against those requirements, and validate that what ships actually meets the bar. Key responsibilities Define the control framework and requirements for autonomous AI operators in collaboration with Security, Internal Audit, and Engineering, including change review and approvals, human-in-the-loop, and evidence collection. Assess implementations against those requirements. Pressure-test major infrastructure, system, and agent framework changes for control impact during design, before decisions become expensive rework. Set the compliance bar for home-built systems. Collaborate with teams to define what the internal system must provide from day one, such as auditability, segregation of duties, and change control over the tool itself. Define the criteria for where and when AI can operate, supplement, or replace a manual process or control, including the human-in-the-loop thresholds and evidence documentation. Establish the validation, evidence, and governance standards that allow AI-performed and AI-assisted processes and controls to withstand external audit and regulatory scrutiny. Assess the introduction of new compliance frameworks and changes in scope (new regulations, certifications, products, or entities), providing a sufficient technical and compliance lens on their impact to control design, evidence requirements, and engineering effort before commitments are made. Stand up or advise on audit workflows for the assurance team, including Claude-driven control testing, automated evidence collection, walkthrough preparation, and framework mapping against our common controls framework, materially raising automated evidence coverage and cutting audit prep time. Minimum qualifications Thrive at the pace of a hypergrowth company. You’re comfortable making calls with incomplete information and reprioritizing as scope shifts. Have supported technology control programs through SOX readiness or as a public company or with equivalent rigor (FedRAMP, large multi-framework SOC 2/ISO portfolios). Have genuine engineering fluency, possibly from an earlier engineering career: you can read code and Terraform, follow a CI/CD pipeline end to end, and challenge a design on its technical merits. Have programming skills in Python or at least one systems language such as Go, Rust, or C/C++. Have deep familiarity with developer platform, release engineering, or infrastructure control domains. Are a strong collaborator and communicator. Use Claude and other LLMs as daily working tools, and have grounded, specific views on which audit and assurance workflows AI can run today and which it can't yet. Translate framework and regulatory language into acceptance criteria engineers can build against, and translate engineering reality back into assurance language auditors and leadership can rely on. Default to getting the requirement designed into the system rather than papering over the gap with procedure. Preferred qualifications Have a combination of audit or advisory experience (Big 4 or equivalent) with in-house experience at an AI-forward tech company — in either order Have defined or assessed controls for AI/ML systems or agents acting in production environments Have stood up continuous controls monitoring or automated evidence programs Candidates need not have Done everything on this list. This role does not require writing production code day to day. We encourage and expect you to ship, but the bar is fluency sufficient to review, challenge, and specify. Nor does it require depth in every framework we hold; Security GRC has specialists. The scarce combination this role exists for is requirement experience plus engineering credibility. The annual compensation range for this role is listed below. For sales roles, the range provided is the role’s On Target Earnings ("OTE") range, meaning that the range includes both the sales commissions/sales bonuses target and annual base salary for the role. Annual Salary:

$345,000—$345,000 USD

Logistics Minimum education: Bachelor’s degree or an equivalent combination of education, training, and/or experience Required field of study: A field relevant to the role as demonstrated through coursework, training, or professional experience Minimum years of experience: Years of experience required will correlate with the internal job level requirements for the position Location-based hybrid policy: Currently, we expect all staff to be in one of our offices at least 25% of the time. However, some roles may require more time in our offices. Visa sponsorship: We do sponsor visas! However, we aren't able to successfully sponsor visas for every role and every candidate. But if we make you an offer, we will make every reasonable effort to get you a visa, and we retain an immigration lawyer to help with this. We encourage you to apply even if you do not believe you meet every single qualification. Not all strong candidates will meet every single qualification as listed. Research shows that people who identify as being from underrepresented groups are more prone to experiencing imposter syndrome and doubting the strength of their candidacy, so we urge you not to exclude yourself prematurely and to submit an application if you're interested in this work. We think AI systems like the ones we're building have enormous social and ethical implications. We think this makes representation even more important, and we strive to include a range of diverse perspectives on our team. Your safety matters to us. To protect yourself from potential scams, remember that Anthropic recruiters only contact you from @anthropic.com email addresses. In some cases, we may partner with vetted recruiting agencies who will identify themselves as working on behalf of Anthropic. Be cautious of emails from other domains. Legitimate Anthropic recruiters will never ask for money, fees, or banking information before your first day. If you're ever unsure about a communication, don't click any links—visit anthropic.com/careers directly for confirmed position openings. How we're different We believe that the highest-impact AI research will be big science. At Anthropic we work as a single cohesive team on just a few large-scale research efforts. And we value impact — advancing our long-term goals of steerable, trustworthy AI — rather than work on smaller and more specific puzzles. We view AI research as an empirical science, which has as much in common with physics and biology as with traditional efforts in computer science. We're an extremely collaborative group, and we host frequent research discussions to ensure that we are pursuing the highest-impact work at any given time. As such, we greatly value communication skills. The easiest way to understand our research directions is to read our recent research. This research continues many of the directions our team worked on prior to Anthropic, including: GPT-3, Circuit-Based Interpretability, Multimodal Neurons, Scaling Laws, AI & Compute, Concrete Problems in AI Safety, and Learning from Human Preferences. Come work with us! Anthropic is a public benefit corporation headquartered in San Francisco. We offer competitive compensation and benefits, optional equity donation matching, generous vacation and parental leave, flexible working hours, and a lovely office space in which to collaborate with colleagues. Guidance on Candidates' AI Usage: Learn about our policy for using AI in our application process.