Senior Compliance Engineer, AI Governance

Senior Compliance Engineer, AI Governance

True Anomaly seeks those with the talent and ambition to build the technology that secures space. True Anomaly delivers decisive capabilities for space superiority. We build autonomous spacecraft, advanced payloads, mission software, and space-based interceptors — enabling the U.S. and its Allies to secure the space environment and counter threats from the ultimate high ground.

Your Mission

We are seeking a rare combination of disciplines: an experienced Sr. Compliance Engineer with deep AI Subject Matter Expertise (SME) and export compliance background to join our Governance, Risk, and Compliance (GRC) team. This role is responsible for building, implementing, and sustaining the organizational compliance posture across key regulatory and security frameworks — with a primary emphasis on RMF (NIST 800-53 Rev. 5 + Classified Overlays), CMMC Level 3, NIST 800-171 Rev. 3, EAR/ITAR cyber regulations, and — critically - the governance, risk management, and compliance controls surrounding AI/ML systems and large language models (LLMs) deployed across the enterprise.

As AI becomes embedded in True Anomaly's operations, mission systems, and products, this role serves as the organizational authority on how AI capabilities are adopted, audited, and controlled responsibly. You will architect and operationalize compliance checkpoints and governance gates within LLM pipelines, evaluate AI vendors and platforms (including OpenAI, Anthropic Claude, and others) against classified and unclassified compliance requirements, and ensure AI-driven workflows satisfy both regulatory obligations and internal risk tolerance.

The ideal candidate brings deep GRC knowledge, hands-on AI/LLM engineering fluency, and the ability to engage credibly with compliance assessors, government partners, and internal AI/ML engineering teams alike.

Responsibilities

• Lead and support compliance assessment readiness across key organizational frameworks including NIST SP 800-171 Rev. 2 and 3, CMMC Level 3, NIST SP 800-53 Rev. 5, and the NIST Cybersecurity Framework (CSF).
• Provide direction on cybersecurity readiness to address EAR and ITAR-related controls and requirements.
• Drive CMMC readiness activities across the organization, including scoping, gap analysis, control implementation validation, evidence collection, and pre-assessment preparation.
• Review, maintain, and mature System Security Plans (SSPs) to accurately reflect organizational control implementations, system boundaries, and operational practices — including AI/ML system boundaries and data flows.
• Manage Plans of Actions and Milestones (POA&Ms), tracking open findings to resolution, communicating status to GRC leadership, and coordinating remediation efforts across responsible teams.
• Conduct internal compliance audits and control effectiveness reviews to ensure ongoing adherence to applicable frameworks and to surface emerging gaps before external assessments.
• Maintain audit-ready evidence repositories and documentation packages, ensuring traceability between controls, evidence, and framework requirements.

AI Governance, Risk & Compliance (AI-GRC)

• Serve as the organizational AI compliance SME — the primary authority on how AI/LLM systems (including OpenAI GPT models, Anthropic Claude, open-source models, and internally developed models) are evaluated, onboarded, and continuously governed within True Anomaly's compliance boundaries.
• Design, implement, and maintain compliance checkpoints and enforcement gates within LLM pipelines, including:
• Input/output filtering and content policy enforcement layers
• Prompt injection detection and mitigation controls
• Data classification guardrails to prevent CUI, ITAR-controlled, or classified data from flowing into non-authorized AI systems or endpoints
• Automated audit logging of AI interactions for traceability and incident investigation
• Model access control and role-based permissions within AI platforms
• Conduct AI-specific risk assessments, including evaluation of AI vendor data handling practices, model training data provenance, and third-party AI API security postures against NIST AI RMF, NIST SP 800-53 AI overlays, and internal standards.
• Develop and enforce an AI System Acceptable Use Policy and supporting standards that govern how employees and systems interact with LLMs, including permissible data inputs, output handling, human-in-the-loop requirements, and escalation procedures.
• Evaluate proposed AI/ML use cases for regulatory risk (EAR/ITAR, CMMC, data privacy) and provide compliance go/no-go determinations with documented rationale.
• Collaborate with AI/ML engineers and DevSecOps teams to integrate compliance gates into CI/CD pipelines and MLOps workflows, ensuring model changes and prompt changes undergo review before production deployment.
• Maintain an AI system inventory, tracking all deployed models, APIs, integrations, and associated risk and compliance status.
• Monitor emerging AI regulatory developments (e.g., EO 14110, NIST AI RMF, DoD AI Ethics Principles, EU AI Act implications for U.S. defense partners) and assess organizational impact.

Cross-Functional Compliance Enablement

• Serve as a primary GRC team resource for compliance questions, control guidance, and framework interpretation across engineering, IT, operations, legal, and security teams.
• Partner with IT and security operations teams to verify that technical controls — including access management, logging, configuration baselines, and incident response procedures — meet CMMC and NIST requirements at an organizational level.
• Partner with AI/ML engineers, data scientists, and product teams to embed compliance thinking into AI system design, model selection, and deployment architecture.
• Collaborate with the Enterprise Risk Manager and broader GRC leadership to ensure compliance findings — including AI-specific risks — are reflected in the enterprise risk register and remediation priorities.
• Support the development of compliance training and awareness materials, including AI-specific training that builds organizational understanding of responsible AI use, LLM risk, and CMMC obligations.
• Coordinate with external assessors, third-party auditors, and government partners during assessment engagements, serving as a knowledgeable point of contact for evidence walkthroughs and control discussions.

Qualifications

• 7+ years of experience in IT security compliance, GRC, or a closely related discipline, with direct ownership of compliance program activities.
• Demonstrated expertise in NIST SP 800-171, CMMC (Level 2 or 3), and NIST SP 800-53, with hands-on experience conducting gap assessments, implementing controls, and preparing organizations for external audits.
• Extensive, hands-on experience with AI/LLM systems, including practical knowledge of platforms such as OpenAI (GPT-4/o-series), Anthropic Claude, Meta Llama, Microsoft Azure OpenAI Service, and/or comparable commercial and open-source LLM ecosystems.
• Demonstrated ability to design, implement, and operationalize compliance controls within LLM pipelines, including guardrail layers, content filtering, audit logging hooks, and data classification enforcement.
• Working knowledge of AI security risks, including prompt injection, jailbreaking, data exfiltration via LLM outputs, model inversion, and supply chain risks associated with third-party AI APIs.
• Familiarity with NIST AI Risk Management Framework (AI RMF) and its application to enterprise and defense AI deployments.
• Strong understanding of SSP development and maintenance, POA&M management, and audit evidence lifecycle practices in an organizational (non-product) compliance context.
• Proven experience developing and operationalizing information security policies, standards, and procedures across a multi-disciplinary organization.
• Strong communication skills with the ability to explain compliance requirements — including AI risk concepts — clearly to both technical practitioners and non-technical business stakeholders.
• Highly organized, with demonstrated ability to manage multiple concurrent compliance workstreams and deadlines in a fast-paced environment.
• Active or ability to obtain SECRET or TS/SCI security clearance.
• Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)).

Preferred Qualifications

• Strong EAR/ITAR background as it pertains to cybersecurity, AI-generated outputs, and policy development.
• J.D. focusing on technology law, export compliance (EAR and ITAR), AI regulation, or cyber law.
• Experience building MLOps or AI DevSecOps