Job
Director, AI Security
- Organization: International Rescue Committee
- Location: Kenya, United Kingdom of Great Britain and Northern Ireland, United States of America
- Deadline: Mon Aug 31 2026
- Category: Information and Communications Technology
About this opportunity
**Job Role Overview**
The Director, AI Security is a newly created senior leadership role responsible for building, leading, and continuously maturing the IRC’s AI security function. As AI agents and AI-powered tools proliferate across the business, this role sets the organizational direction for securing AI systems — from initial design through production deployment, ongoing governance, and team development.
This is a high-visibility, cross-functional leadership role that sits at the intersection of security engineering, risk management, and emerging technology. The Director, AI Security will advise the CISO, build and develop a dedicated AI security team, own the function’s budget, and partner with Security Operations, Identity & Access Management, Governance Risk & Compliance, and business unit technology teams to ensure AI adoption is secure by design.
**Key Responsibilities**
**AI Security Strategy & Governance**
- Define, own, and continuously mature the IRC's AI security strategy and program roadmap
- Establish and maintain the organization-wide AI agent registry — a governed inventory of all AI agents in production, including their purpose, permissions, data access, and accountable owners
- Develop and publish secure-by-default standards, frameworks, and reference architectures for internal AI agent development
- Create and enforce AI security policies covering agent development, deployment, monitoring, and decommissioning
- Report AI security risk posture, program progress, and emerging threats to the CISO and senior leadership on a regular cadence; serve as a key member of the security leadership team
**Security Risk Assessment & Review**
- Coordinate and perform GIS security reviews within the organization's AI governance framework, ensuring AI platforms, agents, and use cases receive appropriate security assessment and approval prior to production deployment.
- Partner with AI Governance, Privacy, Legal, and Technology stakeholders to support the AI intake, assessment, and stage-gating process, providing security expertise, control requirements, and risk-based recommendations throughout the solution lifecycle.
- Perform security risk assessments and classify AI platforms, agents, and use cases according to the approved risk-tiering model, applying review, control, and approval requirements proportionate to risk.
- Conduct a structured controls assessment for every use case, validating that mandatory security baseline requirements are met — including least-privilege access, credential management, audit logging, data minimization, human-in-the-loop checkpoints, and kill switch capability
- Issue formal, documented approval decisions for every reviewed use case — Approved, Approved with Conditions, or Not Approved — with a full written rationale recorded in the AI agent registry to maintain an auditable approval history
- Manage defined SLA timelines for all reviews (Tier 1: 5 business days, Tier 2: 10 business days, Tier 3: 15 business days) to ensure security review does not become a blocker to business unit velocity
- Conduct periodic reassessments of all active agents on a risk-appropriate cycle — annually for Tier 1, semi-annually for Tier 2, and quarterly for Tier 3 — and trigger immediate out-of-cycle reviews whenever a material change is made to an agent's capabilities, data access, or toolset
- Monitor the evolving AI threat landscape on an ongoing basis and proactively assess whether newly discovered attack techniques — including new prompt injection methods, jailbreaks, or model-specific vulnerabilities — expose any currently approved use cases, initiating remediation where required
- Lead post-incident reassessments for any active agent involved in a security incident, updating the agent's approval status and controls requirements based on findings
- Evaluate third-party AI tools, models, and platforms for security risk prior to organizational adoption
- Maintain a risk register specific to AI systems, tracking identified vulnerabilities, mitigations, and residual risk
- Report aggregate review metrics to the CISO on a regular cadence — including number of use cases reviewed, approval rates by tier, common findings, and AI risk distribution across business units — providing organizational visibility into the AI risk posture
**Technical Oversight & Controls**
- Define technical security requirements for AI agents including least-privilege access, prompt injection defenses, output filtering, audit logging, and human-in-the-loop controls
- Build, lead, and develop a team of AI security engineers responsible for implementing and validating controls across the AI agent development lifecycle
- Own and resource red team and adversarial testing programs targeting AI systems, ensuring adequate coverage through the AI Red Team Engineer and contracted specialists
- Drive adoption of secure coding practices and security tooling within AI development workflows
**Identity & Data Security Coordination**
- Establish governance frameworks with the IAM team to ensure AI agent identities, service accounts, and credentials are provisioned and governed under least-privilege principles across the organization
- Set data security standards with the ML/Data Security Analyst to ensure sensitive data — including PII, PHI, and proprietary information — is handled correctly throughout AI agent workflows, and hold teams accountable to those standards
- Define data classification requirements for information flowing through AI systems, including what data may and may not be included in model context
**Incident Response**
- Develop and maintain AI-specific incident response runbooks covering scenarios such as prompt injection attacks, rogue agent behavior, credential compromise, and data leakage via AI systems
- Serve as executive sponsor and escalation point for significant AI-related security incidents, ensuring the organization maintains a tested, capable incident response function
- Conduct post-incident reviews and drive lessons learned back into the AI security program
**Regulatory & Compliance Alignment**
- Serve as the organization's primary subject matter expert on AI-specific regulatory requirements including the EU AI Act, NIST AI Risk Management Framework (AI RMF), GDPR as applied to AI systems, and emerging regional AI legislation
- Partner with the GRC team to map AI security controls to compliance obligations and maintain evidence for audits
- Monitor the evolving AI regulatory landscape and proactively advise leadership on upcoming obligations
**People Leadership & Team Development**
- Recruit, hire, onboard, and develop a high-performing AI security team, including AI security engineers, a red team engineer, and a data/ML security analyst
- Set clear team goals, conduct regular performance reviews, and create development plans that grow individual skills and advance careers
- Foster a team culture of continuous learning, given the rapidly evolving AI threat landscape, and ensure team members maintain current expertise in AI security techniques and tooling
**Vendor Management**
- Lead vendor evaluation and selection for AI security tooling, negotiating contracts and managing ongoing relationships with key security vendors and managed service providers
- Develop a multi-year AI security roadmap aligned to IRC risk appetite, and evolving regulatory obligations
**Working Relationships**
Internal:
- CISO, ITLT, Security Operations & Engineering lead and team, Identity & Access Management (IAM) lead and team, Governance, Risk & Compliance (GRC) lead, AI Review Panel lead and team, Office of General Council team, AI & Program tech engineering and team, Data Architecture lead and engineering Team
External:
- AI and Security Vendors — ongoing for product evaluation, contracts, and threat intel
- Industry Peers & Research Communities — active participation in ISACs, working groups, and conferences
**Required Qualifications**
The Director, AI Security is a newly created senior leadership role responsible for building, leading, and continuously maturing the IRC’s AI security function. As AI agents and AI-powered tools proliferate across the business, this role sets the organizational direction for securing AI systems — from initial design through production deployment, ongoing governance, and team development.
This is a high-visibility, cross-functional leadership role that sits at the intersection of security engineering, risk management, and emerging technology. The Director, AI Security will advise the CISO, build and develop a dedicated AI security team, own the function’s budget, and partner with Security Operations, Identity & Access Management, Governance Risk & Compliance, and business unit technology teams to ensure AI adoption is secure by design.
**Key Responsibilities**
**AI Security Strategy & Governance**
- Define, own, and continuously mature the IRC's AI security strategy and program roadmap
- Establish and maintain the organization-wide AI agent registry — a governed inventory of all AI agents in production, including their purpose, permissions, data access, and accountable owners
- Develop and publish secure-by-default standards, frameworks, and reference architectures for internal AI agent development
- Create and enforce AI security policies covering agent development, deployment, monitoring, and decommissioning
- Report AI security risk posture, program progress, and emerging threats to the CISO and senior leadership on a regular cadence; serve as a key member of the security leadership team
**Security Risk Assessment & Review**
- Coordinate and perform GIS security reviews within the organization's AI governance framework, ensuring AI platforms, agents, and use cases receive appropriate security assessment and approval prior to production deployment.
- Partner with AI Governance, Privacy, Legal, and Technology stakeholders to support the AI intake, assessment, and stage-gating process, providing security expertise, control requirements, and risk-based recommendations throughout the solution lifecycle.
- Perform security risk assessments and classify AI platforms, agents, and use cases according to the approved risk-tiering model, applying review, control, and approval requirements proportionate to risk.
- Conduct a structured controls assessment for every use case, validating that mandatory security baseline requirements are met — including least-privilege access, credential management, audit logging, data minimization, human-in-the-loop checkpoints, and kill switch capability
- Issue formal, documented approval decisions for every reviewed use case — Approved, Approved with Conditions, or Not Approved — with a full written rationale recorded in the AI agent registry to maintain an auditable approval history
- Manage defined SLA timelines for all reviews (Tier 1: 5 business days, Tier 2: 10 business days, Tier 3: 15 business days) to ensure security review does not become a blocker to business unit velocity
- Conduct periodic reassessments of all active agents on a risk-appropriate cycle — annually for Tier 1, semi-annually for Tier 2, and quarterly for Tier 3 — and trigger immediate out-of-cycle reviews whenever a material change is made to an agent's capabilities, data access, or toolset
- Monitor the evolving AI threat landscape on an ongoing basis and proactively assess whether newly discovered attack techniques — including new prompt injection methods, jailbreaks, or model-specific vulnerabilities — expose any currently approved use cases, initiating remediation where required
- Lead post-incident reassessments for any active agent involved in a security incident, updating the agent's approval status and controls requirements based on findings
- Evaluate third-party AI tools, models, and platforms for security risk prior to organizational adoption
- Maintain a risk register specific to AI systems, tracking identified vulnerabilities, mitigations, and residual risk
- Report aggregate review metrics to the CISO on a regular cadence — including number of use cases reviewed, approval rates by tier, common findings, and AI risk distribution across business units — providing organizational visibility into the AI risk posture
**Technical Oversight & Controls**
- Define technical security requirements for AI agents including least-privilege access, prompt injection defenses, output filtering, audit logging, and human-in-the-loop controls
- Build, lead, and develop a team of AI security engineers responsible for implementing and validating controls across the AI agent development lifecycle
- Own and resource red team and adversarial testing programs targeting AI systems, ensuring adequate coverage through the AI Red Team Engineer and contracted specialists
- Drive adoption of secure coding practices and security tooling within AI development workflows
**Identity & Data Security Coordination**
- Establish governance frameworks with the IAM team to ensure AI agent identities, service accounts, and credentials are provisioned and governed under least-privilege principles across the organization
- Set data security standards with the ML/Data Security Analyst to ensure sensitive data — including PII, PHI, and proprietary information — is handled correctly throughout AI agent workflows, and hold teams accountable to those standards
- Define data classification requirements for information flowing through AI systems, including what data may and may not be included in model context
**Incident Response**
- Develop and maintain AI-specific incident response runbooks covering scenarios such as prompt injection attacks, rogue agent behavior, credential compromise, and data leakage via AI systems
- Serve as executive sponsor and escalation point for significant AI-related security incidents, ensuring the organization maintains a tested, capable incident response function
- Conduct post-incident reviews and drive lessons learned back into the AI security program
**Regulatory & Compliance Alignment**
- Serve as the organization's primary subject matter expert on AI-specific regulatory requirements including the EU AI Act, NIST AI Risk Management Framework (AI RMF), GDPR as applied to AI systems, and emerging regional AI legislation
- Partner with the GRC team to map AI security controls to compliance obligations and maintain evidence for audits
- Monitor the evolving AI regulatory landscape and proactively advise leadership on upcoming obligations
**People Leadership & Team Development**
- Recruit, hire, onboard, and develop a high-performing AI security team, including AI security engineers, a red team engineer, and a data/ML security analyst
- Set clear team goals, conduct regular performance reviews, and create development plans that grow individual skills and advance careers
- Foster a team culture of continuous learning, given the rapidly evolving AI threat landscape, and ensure team members maintain current expertise in AI security techniques and tooling
**Vendor Management**
- Lead vendor evaluation and selection for AI security tooling, negotiating contracts and managing ongoing relationships with key security vendors and managed service providers
- Develop a multi-year AI security roadmap aligned to IRC risk appetite, and evolving regulatory obligations
**Working Relationships**
Internal:
- CISO, ITLT, Security Operations & Engineering lead and team, Identity & Access Management (IAM) lead and team, Governance, Risk & Compliance (GRC) lead, AI Review Panel lead and team, Office of General Council team, AI & Program tech engineering and team, Data Architecture lead and engineering Team
External:
- AI and Security Vendors — ongoing for product evaluation, contracts, and threat intel
- Industry Peers & Research Communities — active participation in ISACs, working groups, and conferences
**Required Qualifications**
Information and Communications Technology
Loading interactive page…