Job Description

We are seeking a Senior Security Engineer with experience in cloud and AI security to help design, build, and scale security controls that protect our firm’s systems, applications, cloud environments, and data—while enabling developer velocity or end‑user productivity. This role is responsible for strengthening the firm’s security posture through automation, secure platform design, and proactive risk mitigation. A significant focus will be on securing AI/ML platforms and AI‑enabled applications across their full lifecycle, from development through deployment and runtime operations.

Responsibilities

• Design and build Identity and Access Management solutions to support AI agent identities, including secure agent authentication, authorization, delegation, credential management , workload identity, tool/API access control, least-privilege enforcement, auditability, and lifecycle management across Windows, Linux, on‑prem infrastructure, cloud, Kubernetes, application, and enterprise environments.

• Define and operationalize a Non‑Human Identity (NHI) strategy for agentic workflows (agents, tools, service principals, service accounts, bots), including identity issuance and binding to code/runtime, credential rotation and revocation, secrets isolation, step‑up and delegated authorization, just‑in‑time access, and continuous verification to prevent identity sprawl and privilege drift.

• Implement end‑to‑end identity context propagation for agent runs (who/what/why), ensuring every tool call and downstream action is attributable via signed requests, scoped tokens, tamper‑evident audit logs, and correlation IDs across orchestration layers, APIs, and cloud services.

• Partner with Platform and Cloud Engineering teams to secure AI/ML systems end‑to‑end.

• Develop secure execution environments for open‑source software, third‑party tools, and AI agents by leveraging OS‑level, network, IAM, and containerized controls.

• Build monitoring, logging, and detection capabilities to identify malicious or unintended use of systems, including AI‑enabled applications and agentic workflows.

• Stay current on emerging AI features and integrations introduced in third‑party tools and platforms, and proactively assess and mitigate associated security risks.

• Assess and continuously improve security posture across applications, infrastructure, and SDLC processes, including CI/CD pipelines.

Required Qualifications

• Deep hands-on expertise in Identity and Access Management architecture and implementation across human, workload, service, and AI agent identities, including strong knowledge of IdPs, federation, SSO, OAuth 2.0, OpenID Connect, SAML, SCIM, SPIFFE/SPIRE, workload identity, service accounts, API authentication/authorization, secrets management, least privilege, and policy-based access control. Must be able to design secure IAM architectures and implement them directly across cloud, Kubernetes, on-prem, application, API, and AI-enabled environments.

• Demonstrated experience governing and scaling NHI lifecycle controls (inventory, ownership, naming standards, issuance, attestation, rotation, break‑glass, decommissioning) and policy enforcement for agentic workloads, including guardrails that limit tool access, data access, and delegation scope per task and environment.

• Extensive hands-on experience across security engineering, cloud security, application security, and network security

• Proven ability to secure AI/ML and LLM‑based platforms, including data‑intensive and production systems

• Strong understanding of AI‑specific threat models (e.g., prompt injection, model misuse, data leakage, insecure outputs)

• Deep technical foundation in cloud‑native security across AWS and/or Azure, including IAM, network segmentation, secure connectivity, and threat detection

• Ability to build security controls through code and automation, leveraging scripting, IaC, and CI/CD security practices

• Strong written and verbal communication skills, with the ability to clearly articulate security risks, tradeoffs, and recommendations to both technical and non‑technical stakeholders

• Proven ability to collaborate effectively across teams, influencing cloud, platform, and application engineers to embed security seamlessly into delivery workflows

Nice To Have

• Experience designing and implementing automated guardrails, monitoring, logging, and detection for AI‑enabled and data‑driven applications

• Lead identification, assessment, and mitigation of AI‑specific risks, including prompt injection, data leakage, model abuse, insecure output handling, model evasion, and poisoning attacks.

The base salary range for this position is $200,000 - $325,000 per year.

Arrowstreet Capital operates a robust talent acquisition program, and we also seek to compensate and reward our employees competitively within our industry and in line with our merit-based culture. Our approach to total compensation includes base salaries and annual discretionary bonuses, as well as a robust benefits package. The determination of a successful candidate’s base salary placement within the listed range will vary based on the candidate’s relevant experience and qualifications (which may also include relevant certifications, credentials and other education), the job responsibilities and scope, the commensurate resulting level of the position and other relevant factors. The listed range is also an estimate, and additional information regarding base salary and other elements of total compensation offered by Arrowstreet Capital to successful applicants will be communicated during the recruitment process.

Arrowstreet Capital is a Boston-based systematic investment firm that manages global equity portfolios for institutional investors around the world.

All qualified applicants will receive consideration for employment without regard to sex, race, color, religion, national origin, ancestry, genetic information, age, pregnancy, medical condition, disability, veteran or military status, marital status or any other characteristic protected by federal, state, or local law.

Arrowstreet Capital is committed to working with and providing reasonable accommodations for qualified individuals with disabilities and disabled veterans. If you need a reasonable accommodation for any part of the employment process due to a disability, contact us to discuss the nature of your request and contact information.