Director, AI Security at International Rescue Committee

Job Role Overview

• The Director, AI Security is a newly created senior leadership role responsible for building, leading, and continuously maturing the IRC’s AI security function. As AI agents and AI-powered tools proliferate across the business, this role sets the organizational direction for securing AI systems — from initial design through production deployment, ongoing governance, and team development.
• This is a high-visibility, cross-functional leadership role that sits at the intersection of security engineering, risk management, and emerging technology. The Director, AI Security will advise the CISO, build and develop a dedicated AI security team, own the function’s budget, and partner with Security Operations, Identity & Access Management, Governance Risk & Compliance, and business unit technology teams to ensure AI adoption is secure by design.

Key Responsibilities

AI Security Strategy & Governance

• Define, own, and continuously mature the IRC's AI security strategy and program roadmap
• Establish and maintain the organization-wide AI agent registry — a governed inventory of all AI agents in production, including their purpose, permissions, data access, and accountable owners
• Develop and publish secure-by-default standards, frameworks, and reference architectures for internal AI agent development
• Create and enforce AI security policies covering agent development, deployment, monitoring, and decommissioning
• Report AI security risk posture, program progress, and emerging threats to the CISO and senior leadership on a regular cadence; serve as a key member of the security leadership team

Security Risk Assessment & Review

• Coordinate and perform GIS security reviews within the organization's AI governance framework, ensuring AI platforms, agents, and use cases receive appropriate security assessment and approval prior to production deployment.
• Partner with AI Governance, Privacy, Legal, and Technology stakeholders to support the AI intake, assessment, and stage-gating process, providing security expertise, control requirements, and risk-based recommendations throughout the solution lifecycle.
• Perform security risk assessments and classify AI platforms, agents, and use cases according to the approved risk-tiering model, applying review, control, and approval requirements proportionate to risk.
• Conduct a structured controls assessment for every use case, validating that mandatory security baseline requirements are met — including least-privilege access, credential management, audit logging, data minimization, human-in-the-loop checkpoints, and kill switch capability
• Issue formal, documented approval decisions for every reviewed use case — Approved, Approved with Conditions, or Not Approved — with a full written rationale recorded in the AI agent registry to maintain an auditable approval history
• Manage defined SLA timelines for all reviews (Tier 1: 5 business days, Tier 2: 10 business days, Tier 3: 15 business days) to ensure security review does not become a blocker to business unit velocity
• Conduct periodic reassessments of all active agents on a risk-appropriate cycle — annually for Tier 1, semi-annually for Tier 2, and quarterly for Tier 3 — and trigger immediate out-of-cycle reviews whenever a material change is made to an agent's capabilities, data access, or toolset
• Monitor the evolving AI threat landscape on an ongoing basis and proactively assess whether newly discovered attack techniques — including new prompt injection methods, jailbreaks, or model-specific vulnerabilities — expose any currently approved use cases, initiating remediation where required
• Lead post-incident reassessments for any active agent involved in a security incident, updating the agent's approval status and controls requirements based on findings
• Evaluate third-party AI tools, models, and platforms for security risk prior to organizational adoption
• Maintain a risk register specific to AI systems, tracking identified vulnerabilities, mitigations, and residual risk
• Report aggregate review metrics to the CISO on a regular cadence — including number of use cases reviewed, approval rates by tier, common findings, and AI risk distribution across business units — providing organizational visibility into the AI risk posture

Technical Oversight & Controls

• Define technical security requirements for AI agents including least-privilege access, prompt injection defenses, output filtering, audit logging, and human-in-the-loop controls
• Build, lead, and develop a team of AI security engineers responsible for implementing and validating controls across the AI agent development lifecycle
• Own and resource red team and adversarial testing programs targeting AI systems, ensuring adequate coverage through the AI Red Team Engineer and contracted specialists
• Drive adoption of secure coding practices and security tooling within AI development workflows

Identity & Data Security Coordination

• Establish governance frameworks with the IAM team to ensure AI agent identities, service accounts, and credentials are provisioned and governed under least-privilege principles across the organization
• Set data security standards with the ML/Data Security Analyst to ensure sensitive data — including PII, PHI, and proprietary information — is handled correctly throughout AI agent workflows, and hold teams accountable to those standards
• Define data classification requirements for information flowing through AI systems, including what data may and may not be included in model context

Incident Response

• Develop and maintain AI-specific incident response runbooks covering scenarios such as prompt injection attacks, rogue agent behavior, credential compromise, and data leakage via AI systems
• Serve as executive sponsor and escalation point for significant AI-related security incidents, ensuring the organization maintains a tested, capable incident response function
• Conduct post-incident reviews and drive lessons learned back into the AI security program

Regulatory & Compliance Alignment

• Serve as the organization's primary subject matter expert on AI-specific regulatory requirements including the EU AI Act, NIST AI Risk Management Framework (AI RMF), GDPR as applied to AI systems, and emerging regional AI legislation
• Partner with the GRC team to map AI security controls to compliance obligations and maintain evidence for audits
• Monitor the evolving AI regulatory landscape and proactively advise leadership on upcoming obligations

People Leadership & Team Development

• Recruit, hire, onboard, and develop a high-performing AI security team, including AI security engineers, a red team engineer, and a data/ML security analyst
• Set clear team goals, conduct regular performance reviews, and create development plans that grow individual skills and advance careers
• Foster a team culture of continuous learning, given the rapidly evolving AI threat landscape, and ensure team members maintain current expertise in AI security techniques and tooling

Vendor Management

• Lead vendor evaluation and selection for AI security tooling, negotiating contracts and managing ongoing relationships with key security vendors and managed service providers
• Develop a multi-year AI security roadmap aligned to IRC risk appetite, and evolving regulatory obligations

Working Relationships

Internal:

• CISO, ITLT, Security Operations & Engineering lead and team, Identity & Access Management (IAM) lead and team, Governance, Risk & Compliance (GRC) lead, AI Review Panel lead and team, Office of General Council team, AI & Program tech engineering and team, Data Architecture lead and engineering Team

External:

• AI and Security Vendors — ongoing for product evaluation, contracts, and threat intel
• Industry Peers & Research Communities — active participation in ISACs, working groups, and conferences

Required Qualifications

Education

• Bachelor's degree in Computer Science, Information Security, Cybersecurity, or a related technical field
• Advanced degree (Master's or equivalent) preferred but not required where experience is demonstrably strong

Experience

• 10+ years of experience in information security, with at least 4-5 years in a people management or senior security leadership role
• Demonstrated hands-on experience securing AI/ML systems, LLM-based applications, or agentic AI workflows
• Proven experience conducting threat modeling, security architecture reviews, and risk assessments for complex, distributed systems
• Experience building and leading security teams, including hiring, developing, and retaining talent in a fast-moving technical domain
• Track record of working cross-functionally with engineering, product, legal, and compliance teams; experience owning and managing a security budget including tooling, vendor, and headcount decisions
• Prior experience with incident response and managing security incidents involving automated or AI-driven systems is strongly preferred
• Demonstrated experience managing and developing a team of security professionals, including hiring, performance management, and career development