Lead and scale the compliance function for a highly regulated identity verification platform, owning FedRAMP, SOC 2, ISO 27001, and NIST programs while driving automation and building a high-performing team.
230k – 320k/yr
On-site8+ YOELegal
About the role
What You'll Own
Full compliance portfolio: FedRAMP (Moderate), SOC 2 Type II, ISO 27001, IRS Pub 4812, NIST 800-63 Rev 3/Rev 4 (Kantara), and emerging frameworks as they apply.
People leadership: Build, grow, and lead a compliance team. You are accountable for your team's development, career growth, and well-being — not just their output.
Automation strategy: Drive aggressive control consolidation and evidence automation. Reduce the total number of operated controls. Make evidence collection a byproduct of the work people already do — not a separate exercise.
Cross-functional partnership: Serve as the compliance interface to Engineering, Product, Legal, and Privacy. Build trust through partnership, not gatekeeping. Your success is measured by how easily teams work WITH compliance, not how thoroughly you block them.
Audit readiness: Maintain continuous audit readiness across all programs. Manage 3PAO relationships, agency engagements, and external assessors.
Risk integration: Partner with the Risk team to feed compliance findings into a unified cyber risk register. One evaluation loop — not fragmented reviews from five different teams.
What We're Looking For
Must Have
People-first leadership. You have built and grown compliance teams. You hold regular 1:1s, create career development plans, and invest in making your people better — not just getting work done. You delegate effectively and build systems where knowledge survives individual absence.
Communication clarity. You give crisp, direct answers to strategic questions. You write clearly. You adjust your communication to your audience — board members, engineers, auditors, PMs — without losing precision.
Partnership over gatekeeping. Engineering and Product are your customers, not your adversaries. You default to "how do we make this work safely?" not "this is not allowed." When you say no, you explain why in terms the other person values and offer an alternative path.
Automation conviction. You believe compliance should be engineered, not administered. You champion tooling that automates evidence collection, continuous monitoring, and control validation. You actively resist the instinct to throw manual labor at deadline pressure.
Self-directing execution. You operate with minimal management. You identify what needs to happen, build a plan, execute it, and communicate upward proactively.
Strong Preference
Experience with FedRAMP (Moderate or High), NIST 800-53, or equivalent federal compliance frameworks
Experience building or significantly improving compliance automation (evidence pipelines, GRC platform integrations, continuous monitoring)
Familiarity with GRC platforms (LogicGate, Drata, Vanta, or similar) — as a power user who pushes the platform, not just a form-filler
Comfort with AI/ML tools for compliance workflows (we use Claude, Gemini, and custom MCP integrations extensively)
Experience operating in a growth-stage or mid-stage tech company where you had to build, not just maintain
Nice to Have
CISA, CISSP, CRISC, CISM, or similar certifications
Experience with Kantara / NIST 800-63 identity assurance frameworks
SOC 2 Type II, ISO 27001 audit management experience
Prior experience managing 3PAO and external assessor relationships
What Success Looks Like
First 90 days:
You know every active compliance program, its current state, and its next milestone.
You've had 1:1s with every team member and have a written development plan for each.
You've met your key cross-functional partners (ProdSec, SecOps, IT, Legal, Privacy, Engineering VPs) and they describe you as easy to work with.
You've identified the top 3 manual processes that should be automated and have a plan to address them.
First 6 months:
At least one major evidence collection workflow is automated end-to-end.
Total operated controls are reduced (consolidated, not just documented differently).
Your team can cover for each other on PTO without disruption — no single points of failure.
External audit partners describe working with id.me as improved.
Engineering teams proactively engage compliance early in project planning — not as a last-minute gate.
First year:
Compliance is a byproduct of operational work, not a parallel bureaucracy.
Continuous monitoring runs without manual intervention for the majority of controls.
You've built strategic relationships with key regulatory bodies and industry peers.
Your team's velocity is measurably higher than when you started — with evidence to show it.
About the Environment
AI-first culture. The CISO's 2026 goal: "It is SAFE for EVERYONE to use every feature of any company-provisioned AI tool for any task." We practice what we preach — our compliance stack uses Claude, custom MCP servers, and automation pipelines extensively. You will be expected to embrace this.
High risk appetite, low risk tolerance. We move fast and accept risk deliberately. "Because FedRAMP" is not accepted as a justification for blocking the business. If something must be restricted, we enforce it technically — not with policy documents nobody reads.
Leads enterprise compliance and privacy programs at a tech-enabled oncology care company, advising executives, scaling programs for clinical operations and telehealth, and ensuring regulatory adherence in HIPAA, Medicare, and multi-state models. Requires 10+ years healthcare compliance leadership and C-suite influence.
234k – 275k/yr
On-site10+ YOELegal
Director, Legal Counsel, Corporate & Securities
CrusoeNew York, NY
Provide legal counsel on capital markets transactions, corporate governance, and securities compliance for a high-growth AI infrastructure company. Requires 4-7 years of top-tier law firm experience and a JD.
235k – 275k/yr
On-site4+ YOELegal
Director, Corporate Counsel
OktaBellevue, WA +3
Lead and develop a global privacy legal team at Okta, providing expert guidance on data protection compliance, incident response, policy development, and contract negotiations for a high-growth SaaS company. Requires 10+ years legal experience including 5+ in privacy, JD, and team leadership.
240k – 330k/yr
Hybrid10+ YOELegal
Director of Compliance
CommureMountain View, CA
The Director of Compliance designs, oversees, and monitors Commure’s corporate compliance program for its AI healthcare platform. Responsibilities include risk assessments, policy development, training, auditing, and advising on healthcare laws such as HIPAA, Anti-Kickback, Stark, FDA SaMD, and information blocking. Requires 6-10 years healthcare compliance leadership experience.
220k – 250k/yr
On-site6+ YOELegal
Head of FCRA Operations and Compliance
SocureCarson City, NV +5
Lead all operational and compliance aspects of a Consumer Reporting Agency (CRA) under FCRA. Build processes, drive regulatory adherence, and chair governance committees for consumer data products.