Senior Lead Technology Risk Officer - Application Domain, SDLC, DevOps and AI

Are you looking for more? Find it here. At Wells Fargo, we're more than a financial services leader — we’re a global trailblazer committed to driving innovation, empowering communities, and helping our customers succeed. We believe that a meaningful career is much more than just a job — it’s about finding all of the elements to help you thrive, in one place. Living the Well Life means you’re supported in life, not just work. It means having robust benefits, competitive compensation, and programs designed to help you find work-life balance and well-being. You’ll be rewarded for investing in your community, celebrated for being your authentic self, and empowered to grow. And we’re recognized for it — Wells Fargo continues to rank on the LinkedIn Top Companies lists of best workplaces “to grow your career.” Join us! About this role: The Application Risk Domain Officer operates within Technology Risk Management (TRM), part of Corporate Risk, providing independent second‑line oversight across application domains. The role is part of the Information Security and Application Risk Domain Team, which performs domain‑level evaluation and produces evidence‑based views of how application conditions contribute to enterprise risk exposure. The role engages with Technology, including Tech Operations, CIO organizations, to provide challenge and inform risk‑based decisions. Outputs from this role support enterprise risk views provided to senior management, risk committees, and regulators. The Application Risk Domain Officer (P5) serves as the senior second line oversight lead across assigned domains and is a deeply technical individual contributor who provides expert second-line risk oversight across modern software engineering environments and has responsibility across the application risk domain. This role requires hands-on understanding of secure SDLC, CI/CD, infrastructure as code, cloud-native platforms, developer tooling, software supply chain controls, and AI-enabled engineering workflows. The role is responsible for setting direction for domain-level risk assessment and monitoring approaches, identifying and assessing plausible failure modes, and evaluating how those failures contribute to enterprise technology risk exposure. An individual in this role must be able to engage engineering teams with technical credibility, serve as a thought leader, and partner closely with first-line engineering and technology teams to de-construct complex delivery patterns into concrete risk and control considerations and translate technical observations into clear, decision-ready risk insight for senior stakeholders. In this role, you will: Provide expert second-line oversight of modern engineering practices, including application architecture patterns, secure SDLC, CI/CD, DevSecOps, platform engineering, infrastructure as code, containerized workloads, and production release controls. Own second-line technology risk coverage and provide thought leadership across the application risk domain, partnering closely with first-line engineering, controls and technology teams to drive consistent oversight of application architecture, development practices, deployment pipelines, and supporting engineering controls. Perform technically rigorous assessments of source control workflows, branching strategies, build systems, test automation, artifact repositories, package dependencies, deployment orchestration, and runtime platform configurations to identify control weaknesses and systemic risk. Evaluate the integrity of software delivery pipelines end to end, including code provenance, pipeline trust boundaries, secrets handling, approval models, environment segregation, artifact immutability, and rollback or recovery capabilities. Lead deep-dive technical risk reviews of complex delivery environments and modernization programs, converting architecture, pipeline, and operational observations into clear risk statements, root causes, and targeted remediation expectations. Analyze developer ecosystems and engineering tool chains at a practitioner level, including repositories, CI runners, build agents, package managers, IaC frameworks, containers, Kubernetes, cloud services, and observability stacks. Evaluate AI-enabled engineering capabilities, including code assistants, prompt-based development workflows, automated test generation, agentic tooling, and model-integrated developer platforms, with emphasis on data exposure, unsafe code generation, traceability, and human review requirements. Review design and implementation patterns for application and platform controls, such as policy-as-code, secrets management, service identity, environment hardening, logging, monitoring, drift detection, and release gating. Develop technically meaningful risk indicators and challenge metrics for SDLC, DevOps, and AI-enabled engineering, such as deployment control exceptions, pipeline bypasses, privileged access patterns, dependency exposure, control coverage gaps, and remediation aging. Serve as a trusted technical risk partner to engineering, security, architecture, and control teams by applying expert discipline knowledge to high-impact decisions and shaping resilient engineering practices across the enterprise. Required Qualifications: 7+ years of Technology Risk experience, or equivalent demonstrated through one or a combination of the following: work experience, training, military experience, education. Desired Qualifications: 7+ years of experience spanning software engineering, DevSecOps, platform engineering, cloud engineering, application security, with direct experience in technology risk, technology controls, or second-line risk oversight in complex technological environments. Deep hands-on knowledge of modern SDLC and DevOps practices, including source control, code review, branching and release strategies, CI/CD design, automated testing, deployment automation, and production change controls. Experience performing technical risk assessments, control evaluations, and credible challenge across SDLC, DevOps, software supply chain, cloud, and AI-enabled engineering environments to translate findings into concise risk narratives, control gaps, remediation expectations, and executive reporting. Ability to read and interpret architecture patterns, deployment designs, control implementations, technical standards, and engineering evidence with sufficient depth to challenge first-line technical decisions. Experience with AI governance and controls, or model risk concepts as applied to engineering productivity tools, agentic workflows, or AI-assisted software delivery, and the risks associated with them. Strong judgment, analytical rigor, and communication skills with the ability to influence senior stakeholders while maintaining credibility with technical teams. Knowledge of industry frameworks and guidance relevant to technology and security risk, such as NIST, SSDF, COBIT, FFIEC guidance, ISO 27001, or similar frameworks. Strong technical understanding of developer platforms and engineering toolchains, including technologies such as GitHub or GitLab, Jenkins or Azure DevOps, artifact repositories, package managers, Terraform, containers, Kubernetes, and major cloud platforms. Hands-on familiarity with engineering and security tooling used in modern delivery environments, including static and dynamic analysis, software composition analysis, container security, CSPM, CI/CD security controls, and observability platforms. Prior experience in financial services, highly regulated environments, or large-scale enterprise engineering organizations with complex control and resilience expectations. Relevant certifications such as CISSP, CISM, CRISC, CISA, CCSP, cloud provider certifications, Kubernetes certifications, or secure software lifecycle credentials. Experience evaluating or implementing controls for secure build systems, software supply chain security, policy-as-code, secrets management, release orchestration, and cloud-native delivery pipelines. Demonstrated expertise assessing build and release integrity, secrets management, privileged automation, infrastructure as code, and runtime control effectiveness in complex engineering environments. Job Expectations: Willingness to work on-site at stated location on the job opening. This position offers a hybrid work schedule. This position is not eligible for Visa sponsorship. Posting Locations: 401 S Tryon St, Charlotte, NC North Carolina – Charlotte Pay Range: $159,000.00 - 254,000.00 USD Annually Posting End Date: 12 Jun 2026 *Job posting may come down early due to volume of applicants. We Value Equal Opportunity Wells Fargo is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other legally protected characteristic. Employees support our focus on building strong customer relationships balanced with a strong risk mitigating and compliance-driven culture which firmly establishes those disciplines as critical to the success of our customers and company. They are accountable for execution of all applicable risk programs (Credit, Market, Financial Crimes, Operational, Regulatory Compliance), which includes effectively following and adhering to applicable Wells Fargo policies and procedures, appropriately fulfilling risk and compliance obligations, timely and effective escalation and remediation of issues, and making sound risk decisions. There is emphasis on proactive monitoring, governance, risk identification and escalation, as well as making sound risk decisions commensurate with the business unit’s risk appetite and all risk and compliance program requirements. Candidates applying to job openings posted in Canada: Applications for employment are encouraged from all qualified candidates, including women, persons with disabilities, aboriginal peoples and visible minorities. Accommodation for applicants with disabilities is available upon request in connection with the recruitment process. Applicants with Disabilities To request a medical accommodation during the application or interview process, visit Disability Inclusion at Wells Fargo. Drug and Alcohol Policy Wells Fargo maintains a drug free workplace. Please see our Drug and Alcohol Policy to learn more. Wells Fargo Recruitment and Hiring Requirements: a. Third-Party recordings are prohibited unless authorized by Wells Fargo. b. Wells Fargo requires you to directly represent your own experiences during the recruiting and hiring process. #DNP-IND Wells Fargo & Company (NYSE: WFC) is a leading financial services company that has approximately $2.1 trillion in assets. We provide a diversified set of banking, investment and mortgage products and services, as well as consumer and commercial finance, through our four reportable operating segments: Consumer Banking and Lending, Commercial Banking, Corporate and Investment Banking, and Wealth & Investment Management. Wells Fargo ranked No. 33 on Fortune’s 2025 rankings of America’s largest corporations. News, insights, and perspectives from Wells Fargo are also available at Wells Fargo Stories. Additional information may be found at: wellsfargo.com wellsfargojobs.com For questions on how to search and apply, visit frequently asked questions.