VP, AI Security Engineer, Technology Group (17139)

GIC · Singapore

Sector: AI
Function: Product & Engineering
Level: Senior
Employment type: Full Time
Posted: 2026-05-22
Source: mycareersfuture

GIC is one of the world's largest sovereign wealth funds. With over 2,000 employees across 11 locations around the world, we invest in more than 40 countries globally across asset classes and businesses. Working at GIC gives you exposure to an extraordinary network of the world's industry leaders. As a leading global long-term investor, we work at the Point of Impact for Singapore's financial future, and the communities we invest in worldwide.

Technology Group

We experiment, design, and lead a 24×7 global business where we support core capabilities in asset management, trading, investment operations, and risk management. We deliver secure, reliable, and integrated solutions, and provide insights on new and emerging technologies.

Strategy, Architecture, and Transformation Group

The Strategy, Architecture & Transformation (SAT) group shapes and drives GIC’s technology strategy, ensuring alignment with business priorities and enterprise goals. Bringing together expertise in strategy, architecture, engineering, and transformation, the team strengthens governance, promotes consistency, and accelerates delivery across the Technology Group. Through modern practices and close collaboration, SAT leads the development of an architectural strategy that reinforces oversight and accountability while enabling reliable, scalable solutions and informed decision making across the Technology Group and, more broadly, across GIC.

AI Engineering

The AI Engineering team within SAT is driving GIC's transformation from AI-enabled to AI-native. We build and operate the foundational AI platform — gateway, agent runtime, agentic IAM, memory, observability, and more — so that every team across GIC can develop and deploy AI agents that are secure, observable, and production-grade.

What impact can you make in this role?

Autonomous agents introduce a fundamentally different threat model: software that dynamically decides what to access, composes actions unpredictably, processes untrusted inputs, and operates at machine speed. Traditional security patterns assume human actors — you will design the security architecture for a world where they don’t.

As the AI Security Engineer, you will be the team’s subject-matter expert on both AI-specific and traditional security, responsible for the security posture of every service the AI Engineering team builds. You will design and drive the implementation of the agentic IAM layer — agent identity, composite identity (user + agent + tool), policy-driven authorisation, secret management, and blast-radius control — and embed security into every platform capability: the gateway, agent runtime, memory, and observability.

You will work closely with enterprise security teams — Cybersecurity Engineering, Cybersecurity Assurance & Defence, and IAM Engineering — to co-design the identity model, policy framework, and secret management patterns that make autonomous agents governable. Where enterprise solutions exist, you translate them into detailed design and implementation for the AI platform. Where they are still being built, you bridge the gap with interim frameworks and tooling so the team is never left unprotected.

You will partner with the AI Site Reliability Engineer to ensure the platform is both resilient and secure — inseparable concerns — and work with the core AI platform squad to make every service, SDK, and tool secure by design: threat models before architecture reviews, policy-as-code before deployment, and automated compliance checks before release.

You are not a security auditor reviewing after the fact. You are a hands-on security engineer who writes policy, builds identity frameworks, implements controls, and raises the security bar for the entire engineering squad — mentoring and equipping the team to do the same.

This is a platform security engineering role embedded within the AI Engineering team — not an enterprise cybersecurity function. Enterprise Cybersecurity Engineering owns the organisation-wide strategy, threat intelligence, and assurance standards; you engineer those standards into the AI platform.

Your Impact:

- Enable agentic IAM with enterprise IAM Engineering — architect the agent identity model (composite identity: user + agent + tool), session scoping, delegation chains, and identity propagation across the full call chain
- Implement policy-as-code — stand up the policy engine (Cedar / Amazon Verified Permissions preferred; OPA / Rego for cross-platform needs) enforcing zero-trust authorisation, action risk tiers, toxic combination detection, and blast-radius controls
- Own the AI threat model — identify, document, and mitigate AI-specific attack surfaces: prompt injection, tool poisoning, agent hijacking, privilege escalation, data exfiltration, and model manipulation
- Secure the gateway — embed controls for content-safety filtering, jailbreak mitigation, credential injection prevention, and per-request policy evaluation
- Bridge enterprise and platform security — translate enterprise baselines (network segmentation, SIEM integration, vulnerability management, incident response) into AI-platform-specific implementations
- Partner on resilience — design scoped sessions, kill switches, and deployment safety controls with the AI Site Reliability Engineer
- Ensure the platform is secure by design — embed threat modelling, scanning, policy validation, and compliance checks into CI/CD and deployment pipelines
- Build the security framework for the squad — define standards, review checklists, secure coding guidelines, and incident response playbooks
- Manage agent secrets — design the agent secret broker for just-in-time credential issuance, scoped access, and automatic revocation

What will you do as an AI Security Engineer?

You will design and implement the security architecture for the AI platform, embedding zero-trust principles and agentic identity management into every layer of the stack. You will:

- Architect and implement the agentic IAM layer and policy-as-code engine
- Develop and maintain the AI-specific threat model and mitigation strategies
- Collaborate with enterprise cybersecurity and IAM teams to align standards and tooling
- Embed security controls into the AI gateway, runtime, and memory systems
- Integrate security scanning, validation, and compliance automation into CI/CD pipelines
- Partner with the AI Site Reliability Engineer to ensure resilience and security reinforce each other
- Mentor engineers on secure development practices and lead by example through hands-on implementation
- Build interim security frameworks and tooling where enterprise solutions are still evolving.

What makes you a successful candidate?

Must Have:

- 8+ years in security engineering, application security, or platform security, with at least 2 years in a lead role responsible for platform or product security architecture
- Deep security engineering expertise — hands-on in threat modelling, secure architecture review, penetration testing, and incident response
- Zero-trust architecture experience — designing per-request verification, least-privilege access, micro-segmentation, and ABAC-based systems
- Cloud-native workload identity — hands-on with AWS workload identity (EKS Pod Identity / IRSA, IAM Identity Center, SCIM, IAM Roles Anywhere)
- Policy-as-code — production experience with Cedar / Amazon Verified Permissions or OPA / Rego
- Cloud security (AWS preferred) — IAM, EKS, KMS, Secrets Manager, GuardDuty, Security Hub, WAF, and VPC security
- CI/CD security — embedding SAST, DAST, dependency and container scanning, secrets detection, and policy gates
- Hands-on coding proficiency in Python — building security tooling, policy integrations, and prototypes
- Proven experience partnering with enterprise security teams and translating standards into platform implementations

Nice to Have:

- Experience with AI/ML security — prompt injection defence, content-safety filtering, model poisoning detection, and adversarial robustness
- Familiarity with agentic systems and their unique security challenges
- Experience with SPIFFE / SPIRE and platform-agnostic workload identity
- Background in trusted identity propagation and data access control frameworks
- Expertise in secret management architectures (Vault, AWS Secrets Manager)
- Experience designing data classification and access control frameworks
- Familiarity with MCP and its security considerations
- Exposure to compliance frameworks (MAS TRM, ISO 27001, SOC 2, NIST AI RMF)
- Contributions to open-source security tooling or published research

Mindset & Working Style:

- Secure by design, not by audit — security is architected in, not bolted on
- Hands-on leader — you lead by building and mentoring
- Bridge builder — you collaborate seamlessly across enterprise and platform teams
- Pragmatic risk thinker — you calibrate controls to risk and make trade-offs explicit
- Strong communicator — you can explain threat models, write clear documentation, and mentor effectively
- Builder at heart — you thrive in early-stage environments defining foundational security architecture

Work at the Point of Impact

We need to be forward-looking to attract the right people to help us become the Leading Global Long-term Investor. Join our ambitious, agile, and diverse teams - be empowered to push boundaries and pursue innovative ideas, share your views, and be heard. Be anchored on our PRIME Values: Prudence, Respect, Integrity, Merit and Excellence, which guide us in how we make our day-to-day decisions. We strive to inspire. To make an impact.

Flexibility at GIC

At GIC, our offices are vibrant hubs for ideation, professional growth, and interpersonal connection. At the same time, we believe that flexibility allows us to do our best work and be our best selves. Thus, our teams come into the office four days per week to harness the benefits of in-person collaboration, but have the flexibility to choose which days they work from home and adjust this arrangement as situational needs arise.

GIC is an equal opportunity employer

GIC is an equal opportunity employer, and we value diversity. We do not discriminate based on race, religion, color, national origin, sex, gender, gender expression, sexual orientation, age, marital status, veteran status, or disability status. We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment.

Learn more about our Technology Group here: https://gic.careers/group/technology-group/

To be considered for the role, please submit a formal application through the GIC Careers site at https://careers.gic.com.sg/job-invite/17139/
