Posted 25 June, 2026
AppSec & AI Security Manager
Tranzeal Inc.
Hyderabad, Telangana, IN
Full Time
Reference: 26-00596-1238-1
| JP ID | DLTJP00057521 |
| Skill Name | AppSec & AI Security Manager |
| Positions | 2 |
| Level | Sr. Consultant |
| Location | USI Locations |
| Experience | 8-12 Years with 1 year exp in AI |
| Shift Time | 11am to 8pm ITS |
| Work Mode | Hybrid |
| Conversion | TBD |
| Primary Skills | Core DevOps skills, SAST, DAST, AI |
| Secondary Skills | AI Security and AI OBT devlp agent |
| Keywords to look for in resume | DevOps, LLM |
AI/ML Security RAG Pipelines, AI Governance, Secure MLOps, Adversarial ML Mitigation, LLM Guardrails
Position Summary
We are seeking an AppSec & AI Security Architect to lead and deliver security architecture reviews and secure-by-design outcomes across modern applications, cloud-native platforms, APIs, third-party integrations, and AI-enabled systems. This role combines deep technical expertise with delivery leadership—overseeing teams and engaging senior client stakeholders. For LLM, RAG, copilot, bot, and agentic systems, you will evaluate and mitigate risks such as prompt injection, sensitive data disclosure, insecure tool/function calling, excessive agency/permissions, insecure output handling, model and dependency supply-chain risks, training/fine-tuning data leakage, and vector database/embedding store weaknesses, and drive adoption of practical guardrails and governance.
As an AppSec & AI Security Manager, you will:
- Architect and oversee the build of AI agents and agentic workflows for security automation (e.g., AppSec triage agents, security copilots, autonomous remediation workflows, AI red-team automation).
- Lead end-to-end delivery of AppSec, DevSecOps, and AI Security (AISecOps) engagements—managing onshore/offshore engineers and architects across the lifecycle (assess, design, implement, operate).
- Define and drive adoption of secure-by-design architectures for modern applications, cloud-native platforms, and AI/agentic systems; establish reference architectures and reusable patterns.
- Review and approve security architecture for systems spanning microservices, APIs, distributed platforms, and AI/RAG/agentic solutions, including data flows, trust boundaries, secrets, encryption, and third-party dependencies.
- Establish reusable patterns for CI/CD pipeline security, policy-as-code, IaC scanning, and software/artifact integrity (e.g., SBOM and ML-BOM workflows), aligned to secure SDLC goals.
- Establish and assess container/Kubernetes security patterns (admission control, multi-tenant isolation, runtime protection) and supply-chain controls (e.g., SLSA, sigstore).
- Define and assess LLM/agent guardrails (prompt/output handling controls, grounding strategies, tool allow-listing, sandboxing, rate limits/quotas, and human-in-the-loop patterns) and verify effectiveness through testing.
- Drive LLM/agent security testing (abuse/misuse cases, prompt injection/jailbreak testing, tool-use abuse validation, adversarial evaluation) and ensure findings are translated into actionable mitigations and risk decisions.
- Define runtime monitoring and incident response requirements for AI systems (secure telemetry, privacy-aware prompt/output logging patterns, abuse detection, drift signals, containment/rollback playbooks).
- Shape clients' enterprise AppSec and AISecOps programs—build roadmaps aligning security investment with business outcomes and regulatory requirements; define governance, metrics, and operating model.
- Serve as the primary day-to-day client interface—build rapport and trust with senior stakeholders (e.g., CISOs, CTOs, Heads of AI/Engineering) and guide prioritization and decision-making.
- Oversee the quality of project deliverables—assessment reports, architectures, threat models, runbooks, and risk/security recommendations.
- Support business development: define scope, build estimates and pricing, package proposals, and support proposal presentations.
- Contribute to eminence—whitepapers, points-of-view, conference content—on the convergence of AppSec, DevSecOps, and AISecOps.
- Lead talent processes—recruiting, coaching, performance management, and capability building for AppSec and AI Security professionals.
Must-have skills / project experience / certifications (AI Security Focus)
- 6+ years of progressively responsible experience in application security, DevSecOps, product security, and/or security architecture, with increasing scope and ownership; including 2+ years in consulting, project leadership, or client-facing delivery.
- Strong knowledge of application, API, IAM, data, and cloud security architecture (authn/authz, encryption, key management, secrets, network trust boundaries, logging/monitoring, resiliency, and third-party dependencies).
- Hands-on experience designing or building AI agents/agentic workflows and securing LLM-enabled applications (chatbots/copilots), RAG pipelines, and tool/function calling patterns.
- Hands-on familiarity with agent frameworks and the AI agent stack (e.g., LangGraph, LangChain, CrewAI, AutoGen or equivalent), vector stores, evaluation/observability tooling, guardrails, and sandboxing patterns—able to review engineers' implementations.
- Familiarity with MCP (Model Context Protocol) or equivalent agent-to-system integration patterns, and ability to guide secure design choices when connecting agents to enterprise systems.
- Strong understanding of security frameworks/standards such as NIST 800-53, ISO 27001, CIS Controls, PCI DSS, plus AI-focused guidance such as NIST AI RMF and OWASP Top 10 for LLM Applications.
- Experience conducting LLM threat modeling and security testing (abuse/misuse cases, prompt injection/jailbreak testing, adversarial evaluation, and documenting mitigations and residual risk).
- Experience with AWS, Azure, and/or GCP security architectures, including identity, segmentation, encryption, logging, and workload protection for cloud-native and AI workloads (e.g., managed AI services, model endpoints, and data pipelines).
- Strong understanding of secure SDLC and AI secure-by-design practices, including design-time guardrails, privacy-by-design, and enforcing controls via automation (e.g., CI/CD policy gates, configuration baselines, and policy-as-code).
- Proficiency in risk assessment and threat modeling methodologies, and ability to translate findings into actionable architecture requirements and engineering backlogs.
- Exposure to zero trust architecture principles, including least privilege and continuous authorization patterns relevant to AI agents and tool access.
- Executive-level communication and stakeholder management—comfortable presenting to CISOs/CTOs and driving decisions; strong documentation and quality-review skills for client deliverables.
- Experience implementing LLM security controls such as prompt/output filtering, LLM gateways / "LLM firewall" patterns, DLP for prompts and outputs, and safe content transformation/escaping.
- Experience with LLM evaluation and assurance: building evaluation criteria, maintaining test sets, running continuous evals for regression/drift, and supporting LLM red teaming operations.
- Model and data governance experience: dataset lineage/provenance, licensing/usage constraints, model provenance, dependency governance (model artifacts, packages), and documentation practices (e.g., model cards, risk registers).
- Experience translating architecture review findings into enterprise AppSec/DevSecOps program controls, including SAST, DAST, SCA, IaC scanning, container security, CI/CD policy gates, and vulnerability SLAs/prioritization.
- Experience reviewing third-party model providers, model hosting patterns, vector databases/embedding stores, and plugin/tool boundaries, including data residency, abuse controls, and shared responsibility.
- Familiarity with major AI platforms and deployment patterns (e.g., Azure OpenAI, AWS Bedrock, Google Vertex AI) and securing model endpoints, private networking, and keys/secrets.
- Experience with cloud security tooling such as CSPM/CNAPP, CIEM, container security, and policy enforcement tooling used to operationalize architecture standards.
- Familiarity with architecture and threat modeling tools such as:
  - Microsoft Threat Modeling Tool
  - IriusRisk
  - OWASP Threat Dragon
  - Microsoft Visio, Lucidchart, draw.io, or equivalent diagramming tools
- Experience integrating threat modeling or architecture review outputs into CI/CD or design governance workflow.
- Preferred certifications: SABSA, TOGAF, CCSP, AWS/Azure/GCP Security Architect certifications, CISSP, CSSLP, or equivalent.