Senior Compliance Engineer, AI Governance

Space is a warfighting domain. True Anomaly seeks those with the talent and ambition to build the technology that secures it.

OUR MISSION

True Anomaly delivers decisive capabilities for space superiority. We build autonomous spacecraft, advanced payloads, mission software, and space-based interceptors - enabling the U.S. and its Allies to secure the space environment and counter threats from the ultimate high ground.

OUR VALUES

• Be the offset. We create asymmetric advantages with creativity and ingenuity.
• What would it take? We challenge assumptions to deliver ambitious results.
• It's the people. Our team is our competitive advantage and we are better together.

Your Mission


We are seeking a rare combination of disciplines: an experienced Sr. Compliance Engineer with deep AI Subject Matter Expertise (SME) and export compliance background to join our Governance, Risk, and Compliance (GRC) team. This role is responsible for building, implementing, and sustaining the organizational compliance posture across key regulatory and security frameworks - with a primary emphasis on RMF (NIST 800-53 Rev. 5 + Classified Overlays), CMMC Level 3, NIST 800-171 Rev. 3, EAR/ITAR cyber regulations, and - critically - the governance, risk management, and compliance controls surrounding AI/ML systems and large language models (LLMs) deployed across the enterprise.


As AI becomes embedded in True Anomaly's operations, mission systems, and products, this role serves as the organizational authority on how AI capabilities are adopted, audited, and controlled responsibly. You will architect and operationalize compliance checkpoints and governance gates within LLM pipelines, evaluate AI vendors and platforms (including OpenAI, Anthropic Claude, and others) against classified and unclassified compliance requirements, and ensure AI-driven workflows satisfy both regulatory obligations and internal risk tolerance.


The ideal candidate brings deep GRC knowledge, hands-on AI/LLM engineering fluency, and the ability to engage credibly with compliance assessors, government partners, and internal AI/ML engineering teams alike.


Responsibilities

Compliance Program Execution

• Lead and support compliance assessment readiness across key organizational frameworks including NIST SP 800-171 Rev. 2 and 3, CMMC Level 3, NIST SP 800-53 Rev. 5, and the NIST Cybersecurity Framework (CSF).

• Provide direction on cybersecurity readiness to address EAR and ITAR-related controls and requirements.

• Drive CMMC readiness activities across the organization, including scoping, gap analysis, control implementation validation, evidence collection, and pre-assessment preparation.

• Review, maintain, and mature System Security Plans (SSPs) to accurately reflect organizational control implementations, system boundaries, and operational practices - including AI/ML system boundaries and data flows.

• Manage Plans of Actions and Milestones (POA&Ms), tracking open findings to resolution, communicating status to GRC leadership, and coordinating remediation efforts across responsible teams.

• Conduct internal compliance audits and control effectiveness reviews to ensure ongoing adherence to applicable frameworks and to surface emerging gaps before external assessments.

• Maintain audit-ready evidence repositories and documentation packages, ensuring traceability between controls, evidence, and framework requirements.

AI Governance, Risk & Compliance (AI-GRC)

• Serve as the organizational AI compliance SME - the primary authority on how AI/LLM systems (including OpenAI GPT models, Anthropic Claude, open-source models, and internally developed models) are evaluated, onboarded, and continuously governed within True Anomaly's compliance boundaries.

• Design, implement, and maintain compliance checkpoints and enforcement gates within LLM pipelines, including:

• Input/output filtering and content policy enforcement layers

• Prompt injection detection and mitigation controls

• Data classification guardrails to prevent CUI, ITAR-controlled, or classified data from flowing into non-authorized AI systems or endpoints

• Automated audit logging of AI interactions for traceability and incident investigation

• Model access control and role-based permissions within AI platforms

• Conduct AI-specific risk assessments, including evaluation of AI vendor data handling practices, model training data provenance, and third-party AI API security postures against NIST AI RMF, NIST SP 800-53 AI overlays, and internal standards.

• Develop and enforce an AI System Acceptable Use Policy and supporting standards that govern how employees and systems interact with LLMs, including permissible data inputs, output handling, human-in-the-loop requirements, and escalation procedures.

• Evaluate proposed AI/ML use cases for regulatory risk (EAR/ITAR, CMMC, data privacy) and provide compliance go/no-go determinations with documented rationale.

• Collaborate with AI/ML engineers and DevSecOps teams to integrate compliance gates into CI/CD pipelines and MLOps workflows, ensuring model changes and prompt changes undergo review before production deployment.

• Maintain an AI system inventory, tracking all deployed models, APIs, integrations, and associated risk and compliance status.

• Monitor emerging AI regulatory developments (e.g., EO 14110, NIST AI RMF, DoD AI Ethics Principles, EU AI Act implications for U.S. defense partners) and assess organizational impact.

Cross-Functional Compliance Enablement

• Serve as a primary GRC team resource for compliance questions, control guidance, and framework interpretation across engineering, IT, operations, legal, and security teams.

• Partner with IT and security operations teams to verify that technical controls - including access management, logging, configuration baselines, and incident response procedures - meet CMMC and NIST requirements at an organizational level.

• Partner with AI/ML engineers, data scientists, and product teams to embed compliance thinking into AI system design, model selection, and deployment architecture.

• Collaborate with the Enterprise Risk Manager and broader GRC leadership to ensure compliance findings - including AI-specific risks - are reflected in the enterprise risk register and remediation priorities.

• Support the development of compliance training and awareness materials, including AI-specific training that builds organizational understanding of responsible AI use, LLM risk, and CMMC obligations.

• Coordinate with external assessors, third-party auditors, and government partners during assessment engagements, serving as a knowledgeable point of contact for evidence walkthroughs and control discussions.

Qualifications

• 7+ years of experience in IT security compliance, GRC, or a closely related discipline, with direct ownership of compliance program activities.

• Demonstrated expertise in NIST SP 800-171, CMMC (Level 2 or 3), and NIST SP 800-53, with hands-on experience conducting gap assessments, implementing controls, and preparing organizations for external audits.

• Extensive, hands-on experience with AI/LLM systems, including practical knowledge of platforms such as OpenAI (GPT-4/o-series), Anthropic Claude, Meta Llama, Microsoft Azure OpenAI Service, and/or comparable commercial and open-source LLM ecosystems.

• Demonstrated ability to design, implement, and operationalize compliance controls within LLM pipelines, including guardrail layers, content filtering, audit logging hooks, and data classification enforcement.

• Working knowledge of AI security risks, including prompt injection, jailbreaking, data exfiltration via LLM outputs, model inversion, and supply chain risks associated with third-party AI APIs.

• Familiarity with NIST AI Risk Management Framework (AI RMF) and its application to enterprise and defense AI deployments.

• Strong understanding of SSP development and maintenance, POA&M management, and audit evidence lifecycle practices in an organizational (non-product) compliance context.

• Proven experience developing and operationalizing information security policies, standards, and procedures across a multi-disciplinary organization.

• Strong communication skills with the ability to explain compliance requirements - including AI risk concepts - clearly to both technical practitioners and non-technical business stakeholders.

• Highly organized, with demonstrated ability to manage multiple concurrent compliance workstreams and deadlines in a fast-paced environment.

• Active or ability to obtain SECRET or TS/SCI security clearance .

• Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)).

Preferred Qualifications

• Strong EAR/ITAR background as it pertains to cybersecurity, AI-generated outputs, and policy development.

• J.D. focusing on technology law, export compliance (EAR and ITAR), AI regulation, or cyber law.

• Experience building MLOps or AI DevSecOps pipelines with integrated compliance gates, including automated policy enforcement, prompt review workflows, or model change management processes.

• Hands-on experience with AI safety and alignment tooling (e.g., LangChain guardrails, NeMo Guardrails, Azure Content Safety, OpenAI Moderation API, Anthropic Constitutional AI/policy layer configurations).

• Experience evaluating AI vendor agreements and data processing agreements against DoD/CMMC/ITAR data handling requirements.

• Familiarity with DoD AI Ethics Principles, Responsible AI (RAI) frameworks, and emerging federal AI governance requirements (e.g., EO 14110, OMB AI guidance).

• Industry certifications such as:

• Certified Information Systems Auditor (CISA)

• Certified in Risk and Information Systems Control (CRISC)

• Certified Information Systems Security Professional (CISSP)

• CMMC Registered Practitioner (RP) or Certified Professional (CP)

• CompTIA Security+ or equivalent

• AWS/Azure AI or Security certifications

• Background in startup, aerospace, defense technology, or SaaS environments operating under DoD compliance obligations.

• Familiarity with cloud environments - particularly Azure Government, AWS GovCloud, or Azure OpenAI Government deployments - as they relate to organizational control implementation and AI boundary scoping.

• Experience coordinating with C/3PAOs or supporting CMMC assessments.

• Working knowledge of DFARS View phone number on click.appcast.io, ITAR, and supply chain compliance obligations.

• Familiarity with Agile/Scrum environments and hybrid project delivery models.

Compensation

• Base Salary: Denver - $145,000 to $195,000, Long Beach - $150,000 to $205,000, Washington, DC - $150,000 to $205,000, SF Bay Area - $165,000 to $225,000

• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience.


Additional Requirements

• Work Location: Successful candidates will be located near Denver, CO, Long Beach, CA, SF Bay Area, or Washington D.C. While we observe a hybrid work environment, some work must be done on site. #LI-Onsite

• Work Environment: Standard office setting, working at a desk or in a production factory environment.

• Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs.

This position will be open until it is successfully filled.


To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.


We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know.


To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR) you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.

True Anomaly is committed to equal employment opportunity on any basis protected by applicable state and federal laws. If you have a disability or additional need that requires accommodation, please do not hesitate to let us.