Principal AI Security Engineer
Rochester, NH - USA
Job Summary
Job Description:
Summary:
The Principal Artificial Intelligence (AI) Security Engineer serves as the technical lead for securing machine learning (ML), generative artificial intelligence (GenAI), and agentic systems in production, with emphasis on healthcare and other regulated environments. This role creates security architecture, threat modeling, control design, and detection strategy across the AI lifecycle, including data ingestion, feature engineering, training and fine-tuning, evaluation, model serving, retrieval-augmented generation (RAG) pipelines, agent frameworks, application programming interface (API) mediation, and post-deployment monitoring. The Principal AI Security Engineer leads and partners throughout the organization to build enforceable guardrails for protected health information and electronic protected health information handling, identity and access control, secrets isolation, model and dataset provenance, output safety, and evidence collection for audits and investigations.
Essential Accountabilities
- Creates reference architectures and defines security requirements and patterns for model training, inference, retrieval-augmented generation (RAG), agent orchestration, tool calling, and multi-model pipelines across cloud and hybrid environments.
- Performs deep threat modeling for artificial intelligence (AI) systems, including prompt injection, indirect prompt injection, insecure output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, data poisoning, model theft, model inversion, supply chain compromise, and denial-of-service.
- Defines guardrails for protected health information and electronic protected health information processing, including data minimization, de-identification, context scoping, encryption in transit and at rest, retention boundaries, and access paths into model context windows, vector stores, caches, and logs.
- Designs and implements secure machine learning operations (MLOps) controls for datasets, features, models, prompts, and policies: provenance tracking, artifact signing, environment separation, approval workflows, reproducible builds, rollback paths, and tamper-evident audit trails.
- Defines and sets standards for identity, service-to-service authentication, secrets management, token scoping, least privilege, just-in-time access, and network segmentation for AI services, model gateways, and external tool integrations.
- Leads offensive security activities for AI systems, including adversarial testing, AI red teaming, prompt and tool abuse simulation, fuzzing, jailbreak testing, attack path validation, and control verification against production-like workflows and third-party model providers.
- Leads defensive security and blue team capabilities for AI platforms, including telemetry design, prompt and response event logging, model gateway instrumentation, security information and event management/security orchestration, automation and response (SIEM/SOAR) integration, detection engineering, exfiltration and jailbreak detections, anomalous agent action monitoring, incident triage playbooks, and continuous tuning based on observed attack patterns.
- Leads security reviews of RAG and agentic systems, including chunking and retrieval policies, vector store isolation, embedding pipeline validation, retrieval authorization, tool allow-listing, action confirmation, and human-in-the-loop controls for high-risk operations.
- Defines security requirements for model evaluation pipelines, benchmark data handling, canary tests, policy enforcement, and release gates so unsafe or noncompliant behavior is identified before promotion.
- Collaborates to ensure secure, compliant handling of sensitive and regulated data across AI systems and enterprise data platforms, including enforcement of data classification, retention, access controls, auditability, and secure data readiness for approved AI use cases.
- Collaborates on the design and implementation of AI and data governance frameworks, translating legal, regulatory, and compliance requirements into enforceable technical controls, security standards, and operational processes.
- Coordinates the development of secure data pipelines and control implementations, ensuring proper data sourcing, minimization, de-identification, and consistent application of enterprise data protection controls (e.g., DLP, encryption, retention) within AI architectures and workflows.
- Partners with application security, platform engineering, and data science teams to enable secure adoption of AI technologies.
- Jointly supports investigations, incident response, and regulatory inquiries involving AI systems and enterprise data, including forensic analysis, evidence preservation, defensible documentation, and production of audit-ready artifacts for legal and compliance purposes.
- Develops and maintains integrated monitoring, detection, and response capabilities, aligning tools and processes (e.g., DSPM, eDiscovery, SIEM/SOAR, AI observability) to proactively identify and mitigate data leakage, insider risk, AI misuse, and anomalous system or user behavior.
- Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies' mission and values, adhering to the Corporate Code of Conduct, and leading to the Lifetime Way values and beliefs.
- Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
- Regular and reliable attendance is expected and required.
- Performs other functions as assigned by management.
Minimum Qualifications
- Ten (10) years of hands-on security engineering experience spanning application security, cloud security, security architecture, detection and response, platform security, or infrastructure security.
- Bachelor's degree in computer science, information technology, or relevant field; in lieu of degree, six (6) cumulative years of related experience required.
- Demonstrated experience securing production AI/ML systems, including large language model (LLM) applications, model serving stacks, retrieval-augmented generation architecture, or agent frameworks.
- CISA, CISM, CCSP, HCISPP, GIAC, and/or CISSP certifications preferred.
- Demonstrated advanced expertise in AI threat modeling and adversarial testing, including prompt injections, jailbreaks, insecure tool use, data and model poisoning, vector store abuse, model extraction, and sensitive data disclosure.
- Strong implementation knowledge of secure software development lifecycle (SDLC), continuous integration/continuous delivery (CI/CD) security, infrastructure as code (IaC), container and Kubernetes security, application programming interface (API) security, identity and access management (IAM), secrets management, key management service/hardware security module (KMS/HSM) integration, and cloud-native telemetry pipelines.
- Experience designing or reviewing controls for secure machine learning operations (MLOps): artifact provenance, signed builds, feature and dataset integrity, model registry controls, environment promotion, reproducibility, and rollback.
- Experience instrumenting detections and response workflows using logs, traces, metrics, security information and event management/security orchestration, automation and response (SIEM/SOAR) pipelines, alert tuning, and incident handling for distributed systems or AI services.
- Advanced working knowledge of RAG security, embedding pipelines, retrieval authorization, policy engines, content filtering, and evaluation harnesses for safety, security, and regulated-data compliance.
- Prior experience in healthcare payer, provider, or similarly regulated environments with PHI/ePHI safeguards preferred.
- Advanced ability to write engineering standards, design docs, threat models, and control requirements that can be implemented and tested by platform and product teams.
- Hands-on familiarity with model gateways, policy enforcement layers, prompt filtering, content moderation, retrieval authorization, vector databases, and AI observability tooling.
- Working knowledge of static/dynamic application security testing, infrastructure as code (IaC) scanning, container image scanning, software bill of materials generation, artifact signing, secret scanning, and dependency-risk management as applied to AI delivery pipelines.
- Experience with AI red teaming platforms, safety and abuse evaluation harnesses, benchmark design, and automated release gates for model or prompt changes.
- Familiarity with Sarbanes Oxley, HIPAA, OCR, AI RFM, HCFA, PCI/DSS, NIST, and other regulations impacting security (with ISO17799 and NIST security standards) is preferred, as well as COBIT and COSO familiarity.
Physical Requirements:
- Ability to work prolonged periods sitting and/or standing at a workstation and working on a computer.
- Ability to travel across the Health Plan service region for meetings and/or trainings as needed.
- Ability to work in a home office for continuous periods of time for business continuity.
***********
In support of the Americans with Disabilities Act, this job description lists only those responsibilities and qualifications deemed essential to the position.
Equal Opportunity Employer
Compensation Range(s):
Minimum: $123304 - Maximum: $221948
The salary range indicated in this posting represents the minimum and maximum of the salary range for this position. Actual salary will vary depending on factors including, but not limited to, budget available, prior experience, knowledge, skill, and education as they relate to the position's minimum qualifications, in addition to internal equity. The posted salary range reflects just one component of our total rewards package. Other components of the total rewards package may include participation in group health and/or dental insurance, retirement plan, wellness program, paid time away from work, and paid holidays.
Please note: There may be opportunity for remote work within all jobs posted by the Excellus Talent Acquisition team. This decision is made on a case-by-case basis.
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
Required Experience:
Staff IC
About Company
Official site of Excellus BCBS, a trusted health insurance plan for over 85 years. Shop for affordable health plans including Medicare, medical, dental, vision, and employer plans.