Location Designation: Hybrid - 3 days per week 

Role Overview

We are looking for a Senior AI Platform Security Engineer who lives on GCP and can own the security architecture end-to-end, not just advise on it. You will design guardrails, write Terraform, integrate with Harness CI/CD pipelines, and partner with engineering teams to ensure every resource deployed is secure by default. This role is GCP-first. Familiarity with AWS and Azure is a plus, but your day-to-day will be deep in Google Cloud: securing GKE workloads, governing AI pipelines on Vertex AI, managing identities via ICAM, and using native GCP security services to detect and respond to threats.

What You'll Bring:

Native GCP Security Controls

• Own the deployment and configuration of GCP-native security services including Cloud Armor, Certificate Manager, Cloud KMS, Secret Manager, and Cloud DLP integrated with Elastic SIEM for centralized detection and response.
• Build and maintain detective controls, custom EQL/KQL threat detection rules, and alerting pipelines within Elastic SIEM using GCP log sources ingested through Beats or Elastic Agent.
• Define and enforce organization-wide Security Command Center (SCC) findings policies, remediation workflows, and SLA management processes.

Infrastructure & IAM Architecture

• Develop scalable reference architectures and security blueprints for IAM, network segmentation, and data protection across GCP projects.
• Write and maintain production-grade Terraform modules implementing security controls as code.
• Integrate Terraform workflows into Harness CI/CD pipelines using ICAM-governed service accounts and workload identity controls.
• Partner with engineering teams to operationalize security architecture decisions into implemented controls and standards.

Pipeline Guardrails (CI/CD)

• Define and implement policy-as-code guardrails using OPA, Sentinel, Checkov, or equivalent tooling.
• Integrate security gates into CI/CD pipelines including secrets scanning, pre-deployment policy validation, and post-deployment drift detection.
• Enforce least-privilege service account policies and workload identity federation across all deployment stages.

Container & Kubernetes Security (GKE)

• Establish GKE security standards including pod security admission, network policies, Workload Identity, Binary Authorization, and container image scanning.
• Define requirements for admission controllers, runtime protection tooling, and Kubernetes hardening standards.
• Own vulnerability management processes for containerized environments, including CVE tracking and remediation coordination.

AI Security & Automation

• Use AI-enabled CSPM tooling to analyze security telemetry, identify systemic risks, and automate remediation guidance.
• Embed security controls into AI/ML workflows including audit logging, data governance, and model output monitoring.
• Automate detection and response playbooks using Elastic SIEM case management and SOAR tooling.

AI/ML & Agentic Systems Enablement

• Enable and secure Google AI services including Vertex AI pipelines, Gemini APIs, and BigQuery ML workloads.
• Design scalable architectures for LLM-based applications including RAG pipelines, vector search, grounding strategies, and orchestration frameworks.
• Establish secure patterns for AI agents, memory and state management, session isolation, and data retention controls.
• Implement monitoring and guardrails for AI systems in production including prompt injection protection, output filtering, and anomaly detection.

What You'll Bring:

• 5+ years of experience in cloud security, with the majority focused on GCP environments.
• Deep hands-on experience with GCP security services including IAM, VPC Service Controls, Cloud Armor, KMS, Secret Manager, DLP, and SCC.
• Strong Elastic SIEM experience including log ingestion, detection engineering, alert management, and threat correlation.
• Production-level Terraform experience including module development, infrastructure automation, and state management.
• Experience integrating security controls into CI/CD pipelines using Harness or equivalent platforms.
• Strong knowledge of Kubernetes and GKE security including pod security admission, network policies, Workload Identity, and Binary Authorization.
• Hands-on experience with ICAM or enterprise identity platforms governing non-human identities and workload access.
• Practical knowledge of AI/ML security including Vertex AI workload protection, LLM API governance, and training data security.

Preferred Qualifications

• Google Professional Cloud Security Engineer or Professional Cloud Architect certification.
• Experience with policy-as-code tooling such as OPA/Rego, Sentinel, or Checkov.
• Familiarity with AWS security services including IAM, GuardDuty, SCPs, and multi-cloud security architectures.
• Experience with Cribl Stream or similar log routing technologies integrated with Elasticsearch.
• Understanding of compliance-driven security requirements including NY DFS 23 NYCRR 500, NAIC, NIST CSF, CIS Benchmarks, and ISO 27001.
• Working knowledge of enterprise identity platforms including SailPoint, CyberArk, Ping Identity, Active Directory, and LDAP.
• Experience securing AI agent frameworks such as LangChain or Vertex AI Agent Builder.

Primary Technology Stack:

• GCP: Vertex AI, GKE, Cloud Armor, KMS, SCC, DLP, Secret Manager, Certificate Manager, BigQuery, Cloud Run
• Infrastructure as Code: Terraform (required), Harness CI/CD, ICAM
• Identity: GCP Workload Identity Federation, service account governance, ICAM, SailPoint, CyberArk, Ping Identity, Active Directory, LDAP
• AI/ML: Vertex AI Agent Builder, Gemini APIs, BigQuery ML, RAG pipelines
• Secondary: AWS (IAM, GuardDuty, Bedrock), Azure (familiarity acceptable)
• Observability: Elastic SIEM (primary), SCC, Cribl Stream, Elasticsearch

Pay Transparency

Salary Range: $124,000-$177,000 

Overtime eligible: Exempt 

Discretionary bonus eligible: Yes 

Sales bonus eligible: No 

Actual base salary will be determined based on several factors but not limited to individual’s experience, skills, qualifications, and job location. Additionally, employees are eligible for an annual discretionary bonus. In addition to base salary, employees may also be eligible to participate in an incentive program.

Our Benefits

We provide a full package of benefits for employees – and have unique offerings for a modern workforce, including leave programs, adoption assistance, and student loan repayment programs. Based on feedback from our employees, we continue to refine and add benefits to our offering, so that you can flourish both inside and outside of work. Click here to discover more about our comprehensive benefit options or visit our NYL Benefits Site.

Our Commitment to Inclusion
At New York Life, fostering an inclusive workplace is fundamental to who we are and how we serve our communities. We have a longstanding commitment to creating an environment where individuals can contribute their best and succeed together. This foundation is rooted in our core values of humanity and integrity, ensuring that every employee feels valued and supported. By embracing a broad range of perspectives and experiences, we achieve greater success and fulfill our promise of providing financial security and peace of mind to families across all communities. Click here to learn more about New York Life’s leadership in this space.​

Recognized as one of Fortune’s World’s Most Admired Companies, New York Life is committed to improving local communities through a culture of employee giving and volunteerism, supported by the Foundation. We're proud that due to our mutuality, we operate in the best interests of our policy owners. To learn more about career opportunities at New York Life, please visit the Careers page of www.NewYorkLife.com.

​Visit our LinkedIn to see how our employees and agents are leading the industry and impacting communities.

Visit our Newsroom to learn more about how our company is constantly evolving to meet our clients' and employees’ needs.

Job Requisition ID: 94053