Director, AI Security

theirc · International Rescue Committee
Full time | Open to Remote | International Rescue Committee

About this role

The International Rescue Committee (IRC) responds to the world's worst humanitarian crises, helping to restore health, safety, education, economic wellbeing, and power to people devastated by conflict and disaster. Founded in 1933 at the call of Albert Einstein, the IRC is one of the world's largest international humanitarian non-governmental organizations (INGO), at work in more than 40 countries and 29 U.S. cities helping people to survive, reclaim control of their future and strengthen their communities. A force for humanity, IRC employees deliver lasting impact by restoring safety, dignity and hope to millions. If you're a solutions-driven, passionate change-maker, come join us in positively impacting the lives of millions of people world-wide for a better future.

Job Role Overview

The Director, AI Security is a newly created senior leadership role responsible for building, leading, and continuously maturing the IRC's AI security function. As AI agents and AI-powered tools proliferate across the business, this role sets the organizational direction for securing AI systems — from initial design through production deployment, ongoing governance, and team development.

This is a high-visibility, cross-functional leadership role that sits at the intersection of security engineering, risk management, and emerging technology. The Director, AI Security will advise the CISO, build and develop a dedicated AI security team, own the function's budget, and partner with Security Operations, Identity & Access Management, Governance Risk & Compliance, and business unit technology teams to ensure AI adoption is secure by design.

Key Responsibilities

AI Security Strategy & Governance

  • Define, own, and continuously mature the IRC's AI security strategy and program roadmap

  • Establish and maintain the organization-wide AI agent registry — a governed inventory of all AI agents in production, including their purpose, permissions, data access, and accountable owners

  • Develop and publish secure-by-default standards, frameworks, and reference architectures for internal AI agent development

  • Create and enforce AI security policies covering agent development, deployment, monitoring, and decommissioning

  • Report AI security risk posture, program progress, and emerging threats to the CISO and senior leadership on a regular cadence; serve as a key member of the security leadership team

Security Risk Assessment & Review

  • Coordinate and perform GIS security reviews within the organization's AI governance framework, ensuring AI platforms, agents, and use cases receive appropriate security assessment and approval prior to production deployment.

  • Partner with AI Governance, Privacy, Legal, and Technology stakeholders to support the AI intake, assessment, and stage-gating process, providing security expertise, control requirements, and risk-based recommendations throughout the solution lifecycle.

  • Perform security risk assessments and classify AI platforms, agents, and use cases according to the approved risk-tiering model, applying review, control, and approval requirements proportionate to risk.

  • Conduct a structured controls assessment for every use case, validating that mandatory security baseline requirements are met — including least-privilege access, credential management, audit logging, data minimization, human-in-the-loop checkpoints, and kill switch capability

  • Issue formal, documented approval decisions for every reviewed use case — Approved, Approved with Conditions, or Not Approved — with a full written rationale recorded in the AI agent registry to maintain an auditable approval history

  • Manage defined SLA timelines for all reviews (Tier 1: 5 business days, Tier 2: 10 business days, Tier 3: 15 business days) to ensure security review does not become a blocker to business unit velocity

  • Conduct periodic reassessments of all active agents on a risk-appropriate cycle — annually for Tier 1, semi-annually for Tier 2, and quarterly for Tier 3 — and trigger immediate out-of-cycle reviews whenever a material change is made to an agent's capabilities, data access, or toolset

  • Monitor the evolving AI threat landscape on an ongoing basis and proactively assess whether newly discovered attack techniques — including new prompt injection methods, jailbreaks, or model-specific vulnerabilities — expose any currently approved use cases, initiating remediation where required

  • Lead post-incident reassessments for any active agent involved in a security incident, updating the agent's approval status and controls requirements based on findings

  • Evaluate third-party AI tools, models, and platforms for security risk prior to organizational adoption

  • Maintain a risk register specific to AI systems, tracking identified vulnerabilities, mitigations, and residual risk

  • Report aggregate review metrics to the CISO on a regular cadence — including number of use cases reviewed, approval rates by tier, common findings, and AI risk distribution across business units — providing organizational visibility into the AI risk posture

Technical Oversight & Controls

  • Define technical security requirements for AI agents including least-privilege access, prompt injection defenses, output filtering, audit logging, and human-in-the-loop controls

  • Build, lead, and develop a team of AI security engineers responsible for implementing and validating controls across the AI agent development lifecycle

  • Own and resource red team and adversarial testing programs targeting AI systems, ensuring adequate coverage through the AI Red Team Engineer and contracted specialists

  • Drive adoption of secure coding practices and security tooling within AI development workflows

Identity & Data Security Coordination

  • Establish governance frameworks with the IAM team to ensure AI agent identities, service accounts, and credentials are provisioned and governed under least-privilege principles across the organization

  • Set data security standards with the ML/Data Security Analyst to ensure sensitive data — including PII, PHI, and proprietary information — is handled correctly throughout AI agent workflows, and hold teams accountable to those standards

  • Define data classification requirements for information flowing through AI systems, including what data may and may not be included in model context

Incident Response

  • Develop and maintain AI-specific incident response runbooks covering scenarios such as prompt injection attacks, rogue agent behavior, credential compromise, and data leakage via AI systems

  • Serve as executive sponsor and escalation point for significant AI-related security incidents, ensuring the organization maintains a tested, capable incident response function

  • Conduct post-incident reviews and drive lessons learned back into the AI security program

Regulatory & Compliance Alignment

  • Serve as the organization's primary subject matter expert on AI-specific regulatory requirements including the EU AI Act, NIST AI Risk Management Framework (AI RMF), GDPR as applied to AI systems, and emerging regional AI legislation

  • Partner with the GRC team to map AI security controls to compliance obligations and maintain evidence for audits

  • Monitor the evolving AI regulatory landscape and proactively advise leadership on upcoming obligations

People Leadership & Team Development

  • Recruit, hire, onboard, and develop a high-performing AI security team, including AI security engineers, a red team engineer, and a data/ML security analyst

  • Set clear team goals, conduct regular performance reviews, and create development plans that grow individual skills and advance careers

  • Foster a team culture of continuous learning, given the rapidly evolving AI threat landscape, and ensure team members maintain current expertise in AI security techniques and tooling

Vendor Management

  • Lead vendor evaluation and selection for AI security tooling, negotiating contracts and managing ongoing relationships with key security vendors and managed service providers

  • Develop a multi-year AI security roadmap aligned to IRC risk appetite and evolving regulatory obligations

Working Relationships

Internal:

  • CISO, ITLT, Security Operations & Engineering lead and team, Identity & Access Management (IAM) lead and team, Governance, Risk & Compliance (GRC) lead, AI Review Panel lead and team, Office of General Counsel team, AI & Program tech engineering and team, Data Architecture lead and engineering team

External:

  • AI and Security Vendors — ongoing for product evaluation, contracts, and threat intel

  • Industry Peers & Research Communities — active participation in ISACs, working groups, and conferences

Required Qualifications

Education

  • Bachelor's degree in Computer Science, Information Security, Cybersecurity, or a related technical field

  • Advanced degree (Master's or equivalent) preferred but not required where experience is demonstrably strong

Experience

  • 10+ years of experience in information security, with at least 4-5 years in a people management or senior security leadership role

  • Demonstrated hands-on experience securing AI/ML systems, LLM-based applications, or agentic AI workflows

  • Proven experience conducting threat modeling, security architecture reviews, and risk assessments for complex, distributed systems

  • Experience building and leading security teams, including hiring, developing, and retaining talent in a fast-moving technical domain

  • Track record of working cross-functionally with engineering, product, legal, and compliance teams; experience owning and managing a security budget including tooling, vendor, and headcount decisions

  • Prior experience with incident response and managing security incidents involving automated or AI-driven systems is strongly preferred

  • Demonstrated experience managing and developing a team of security professionals, including hiring, performance management, and career development

This is a remote position open to internal candidates based in countries where IRC operates who have the right to work in their location. Successful candidates will be hired on a local employment contract and according to local salary scale.

Compensation: (US Pay Range: $158,492-$184,536/yr; UK Pay Range: £77,499-£93,814/yr) Posted pay ranges apply to US-based candidates. Ranges are based on various factors including the labor market, job type, internal equity, and budget. Exact offers are calibrated by work location, individual candidate experience and skills relative to the defined job requirements.

PROFESSIONAL STANDARDS

All International Rescue Committee workers must adhere to the core values and principles outlined in IRC Way - Standards for Professional Conduct. Our Standards are Integrity, Service, Equality and Accountability. In accordance with these values, the IRC operates and enforces policies on Safeguarding, Conflicts of Interest, Fiscal Integrity, and Reporting Wrongdoing and Protection from Retaliation. IRC is committed to take all necessary preventive measures and create an environment where people feel safe, and to take all necessary actions and corrective measures when harm occurs. IRC builds teams of professionals who promote critical reflection, power sharing, debate, and objectivity to deliver the best possible services to our clients.

US Benefits: We offer a comprehensive and highly competitive set of benefits. In the US, these include: 10 sick days, 10 US holidays, 20-25 paid time off days depending on role and tenure, medical insurance starting at $163 per month, dental starting at $6.50 per month, and vision starting at $5 per month, FSA for healthcare and commuter costs, a 403b retirement savings plan with immediately vested matching, disability & life insurance, and an Employee Assistance Program which is available to our staff and their families to support counseling and care in times of crisis and mental health struggles.

Equal Opportunity Employer: IRC is an Equal Opportunity Employer. IRC considers all applicants on the basis of merit without regard to race, sex, color, national origin, religion, sexual orientation, age, marital status, veteran status, disability or any other characteristic protected by applicable law.

Frequently Asked Questions

What is the salary for the Director, AI Security role at theirc?
The listed salary for this Director, AI Security position at theirc is USD 158K–185K. This is a remote Full time role.
Is the Director, AI Security job at theirc remote?
Yes, this Director, AI Security position at theirc is remote, with team members based in 3 locations: London, UK; Nairobi, IHUB, Kenya; New York, NY HQ USA. You can work from home or anywhere in the supported regions.
Is the Director, AI Security role at theirc full-time or part-time?
This is listed as a Full time position. It is posted as a Director, AI Security role in the International Rescue Committee department at theirc.
Which team or department does the Director, AI Security at theirc belong to?
This Director, AI Security position is part of the International Rescue Committee department at theirc. See the full job description for more information about the team structure and responsibilities.
How do I apply for the Director, AI Security position at theirc?
Click the "Apply Now" button on this page. You will be redirected to theirc's official application portal hosted on Workday where you can submit your application directly.