Overview
You design and implement the security layer that makes sovereign deployments trustworthy — zero-trust networking, per-country PKI, Signed Action Protocol cryptography, and the air-gap certification process. Working with the VP of Technology, you are the hands-on implementation lead for security architecture that protects clinical data and government AI systems across 20 nations.
Duties
- Architect end-to-end sovereign security posture across all deployment environments — including zero-trust air-gapped network isolation with no external egress, HIPAA/FedRAMP/ITAR compliance readiness, and certified deployment across 20+ international jurisdictions and DoD environments
- Enforce cryptographically signed agentic access controls via the Signed Action Protocol (SAP), with RBAC/ABAC governing both human and agent principals across every sovereign stack deployment
- Maintain immutable JSONL audit trails with OpenTelemetry instrumentation across all agent actions, ensuring every deployment can be fully demonstrated, audited, and certified within a 30-minute live review
- Design and implement zero-trust network architecture: SPIFFE/SPIRE workload identity and mTLS on all inter-service paths
- Build per-country sovereign PKI: Ed25519 root CAs, TLS cert lifecycle management, and sovereign certificate issuance
- Implement the Signed Action Protocol: ECDSA P-256 signing on all agent actions and signature verification
- Deploy and maintain secrets management via OpenBao (sovereign Vault fork): rotation policies and audit logging
- Own the air-gap certification process: tcpdump verification, DNS egress blocking, and namespace isolation
- Enforce data residency via Kubernetes network policies, namespace boundaries, and per-country egress rules
- Integrate security scanning (SAST/DAST) into the CI/CD pipeline with automated credential exposure detection
Skills
- 5+ years security engineering with 2+ years at senior level
- Expert in zero-trust air-gapped architecture, sovereign security deployment (HIPAA/FedRAMP/ITAR), cryptographically signed agentic access controls (SAP/RBAC/ABAC), and immutable audit trail design (JSONL/OpenTelemetry) across DoD and international jurisdictions
- Zero-trust architecture: SPIFFE/SPIRE, mTLS, and PKI design at depth
- Cryptography implementation: Ed25519, ECDSA P-256, AES-256-GCM, TLS 1.3
- Kubernetes security: RBAC, pod security standards, network policies, and secrets management
- Secrets management: HashiCorp Vault or OpenBao — rotation, audit logging, and access policies
- Air-gapped or classified system security experience required
Pay: $140,000.00 - $180,000.00 per year
Benefits:
- 401(k)
- Dental insurance
- Health insurance
- Paid time off
- Parental leave
- Vision insurance
Work Location: Hybrid remote in San Francisco, CA 94177