Skip to content
OpenAI

Model Policy, Frontier Cyber Risk

Develops and maintains AI model policies for high-risk cybersecurity domains, translating threat models into behavioral specifications, evaluations, and mitigations. Collaborates with research, engineering, and safety teams to ensure technically grounded, enforceable safeguards against dual-use risks.

207k – 295kSan Francisco, CASecurity EngineeringHybrid
Apply

About the role

Responsibilities

  • Design and maintain model policies for cybersecurity and frontier-risk domains, especially dual-use and high-risk cyber capabilities.
  • Translate cybersecurity threat models into clear behavioral specifications, evaluation criteria, grading guidance, and system-level mitigations.
  • Define practical boundaries between legitimate security research, defensive workflows, and assistance that could materially enable harmful activity.
  • Build policy artifacts that support implementation across training, evaluation, deployment, monitoring, and escalation systems.
  • Partner with safety researchers, engineers, and evaluation teams to operationalize policies into scalable model behavior and measurable safeguards.
  • Analyze red-teaming results, deployment data, model failures, over-refusals, and ambiguous edge cases to improve policy and evaluation quality over time.
  • Identify emerging cyber capability areas where advanced AI systems could lower barriers to misuse or increase operational capability for malicious actors.
  • Contribute to system cards, safety reports, policy documentation, and external communications on OpenAI's approach to cyber risk mitigation.

Requirements

  • Strong technical expertise in cybersecurity, such as offensive security, defensive security, vulnerability research, malware analysis, incident response, threat intelligence, application security, exploit development, infrastructure security, or cloud security.
  • Strong judgment about how AI systems may affect the cyber threat landscape, including dual-use, autonomous, or agentic system risks.
  • Ability to distinguish between legitimate security use cases and assistance that could materially enable harmful cyber activity.
  • Experience building or applying threat models to complex technical systems, especially in adversarial or high-risk environments.
  • Ability to translate technical security expertise into structured policy frameworks, evaluation criteria, operational guidance, and enforcement mechanisms.
  • Comfort using empirical evidence, including evaluations, red-teaming results, deployment observations, and model failure modes, to inform policy decisions.
  • Strong systems thinking across policy, evaluations, classifiers, training, deployment safeguards, measurement, and monitoring.
  • Ability to work cross-functionally with researchers, engineers, product teams, policy experts, and operational stakeholders.
  • Strong written communication skills, especially the ability to explain complex technical and security concepts clearly.
  • A pragmatic approach to safety: focused on reducing real-world risk while preserving legitimate, beneficial, and defensive uses of AI.

Skills

Offensive SecurityDefensive SecurityVulnerability ResearchMalware AnalysisIncident ResponseThreat IntelligenceApplication SecurityExploit DevelopmentInfrastructure SecurityCloud SecurityThreat ModelingRed-Teaming

Similar roles

Security Engineering jobs
OpenAI

Model Policy Manager

Defines and maintains policies for AI model behavior in high-risk domains like agentic systems and user safety. Collaborates with research, engineering, and product teams to operationalize policies into measurable safeguards using empirical data and red-teaming.

207k – 295kSan Francisco, CASecurity EngineeringHybridAi SafetyRed-Teaming
Scale AI

Security Engineer, Product Security

Security Engineer conducts code reviews, implements secure CI/CD pipelines, performs SAST/DAST testing, and secures AWS infrastructure using Terraform. Requires expertise in TypeScript, Python, NodeJS, and product security best practices to mitigate vulnerabilities in AI/ML products.

206k – 297kNew York, NY +2Security EngineeringOn-siteAWSSAST
AKASA

Application Security Engineer

Application Security Engineer conducts secure code reviews, threat modeling, and automates security tooling with AI in CI/CD pipelines to protect patient data systems. Requires 5+ years app sec experience, coding proficiency in modern languages, and cloud/container security knowledge.

205k – 275kSouth San Francisco, CASecurity EngineeringHybrid5+ YOEGoSca
Replit

Security Engineer - Vuln Management (Infra)

Mid-level Infrastructure Vulnerability Management Engineer responsible for cloud security posture, IaC scanning, container vulnerability management, and compliance tracking across multi-cloud environments. Requires 5+ years in cloud security/DevSecOps with deep GCP expertise.

210k – 270kFoster City, CASecurity EngineeringHybrid5+ YOEGCPAWS
Replit

Security Engineer - Vuln Management (Code)

Mid-level AppSec Vulnerability Management Engineer who identifies application vulnerabilities, manages SBOM and supply chain security, and drives compliance tracking for SOC 2, ISO 27001, and PCI-DSS. Requires 5+ years in AppSec/DevSecOps with strong coding skills in JS/TS, Python, and Go.

210k – 270kFoster City, CASecurity EngineeringHybrid5+ YOEGoSca