FinOps Security & Compliance Architect

Job Description The FinOps – Security & Compliance Architect is accountable for the end-to-end security architecture, threat modeling, and compliance posture of the Collector Agent Layer, including agent-based telemetry and internal cloud usage metering implementations. This role serves as a mandatory Phase 0 security gate, with formal security sign-off required before any agent or collector is permitted to interact with production environments. The architect establishes and governs cryptographic trust models, secure identity and authentication mechanisms, tamper detection controls, and enterprise secrets management integrations to ensure all agent-based data collection is secure, auditable, and compliant with enterprise and regulatory standards. Key Responsibilities Threat Modeling & Phase 0 Governance Own the Collector Agent Layer Threat Model and serve as a signed Phase 0 blocker for production deployment Define trust boundaries, attack surfaces, and threat vectors for agent-based architectures Ensure threat models are reviewed, approved, version-controlled, and retained prior to any production access Establish and enforce security acceptance criteria required before agents are authorized to operate Secure Identity, Authentication & Trust Design and govern mTLS PKI architecture, including: Certificate issuance Rotation and revocation Trust chain management Define and enforce Kafka authentication and authorization controls using SASL/SCRAM or enterprise-approved equivalents Ensure least-privilege identity binding between agents, brokers, and downstream systems Data Integrity & Tamper Protection Architect HMAC-based integrity and tamper detection controls to ensure message authenticity and non-repudiation across the agent pipeline Define validation, replay protection, and integrity verification patterns for collected telemetry and events Partner with platform teams to embed integrity enforcement into agent runtime and transport layers Secrets Management & Vault Integration Design secure integration patterns with Bank-approved Vault services for secrets, certificates, and cryptographic keys Enforce strict separation between build-time, deploy-time, and runtime secrets Define access controls, rotation policies, and audit requirements for all sensitive agent materials Compliance, Risk & Audit Readiness Ensure collector and agent designs meet internal security standards, regulatory expectations, and audit requirements Produce security artifacts including: Threat models Architecture diagrams Control mappings Act as the security authority for agent-based exceptions, risk acceptances, and remediation plans Architecture Collaboration & Enablement Partner with platform, data, infrastructure, and FinOps architects to embed security-by-design principles Provide authoritative guidance during architecture reviews, design forums, and security assessments Mentor engineering teams on secure agent design patterns and control implementation Architecture & Leadership Capabilities Demonstrated ability to operate as a Phase 0 gatekeeper with authority to block unsafe or non-compliant designs Strong communication skills to influence senior engineers, architects, and risk partners Ability to balance security rigor with platform scalability and delivery velocity Preferred Certification FinOps Certified Practitioner or FinOps Certified Professional We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to View email address on click.appcast.io learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: Skills and Requirements 7+ years of experience in security architecture and threat modeling for distributed and agent-based systems Deep expertise in PKI, X.509 certificates, mutual TLS (mTLS), and cryptographic trust models Hands‑on experience securing Kafka, including SASL/SCRAM authentication and authorization Proven experience designing HMAC-based message integrity and tamper detection mechanisms Enterprise-scale experience integrating with Vault or centralized secrets management platforms Strong understanding of least privilege access, Zero Trust principles, and defense-in-depth Demonstrated ability to operate as a formal security control owner and signatory Experience producing security artifacts for risk, compliance, and audit stakeholders FinOps Certified Practitioner or FinOps Certified Professional (preferred) #J-18808-Ljbffr Insight Global