Senior Security Engineer - GRC Controls and Audit

$153k – $214k | United States | Security Engineering | Remote | 5+ YOE
Summary

1Password is seeking a Senior Security Engineer to lead commercial audit programs, focusing on GRC controls and audit. This role involves defining and maintaining evidence libraries, executing control testing, and partnering with various teams to build durable evidence workflows, with an emphasis on AI-assisted automation.

About the role

What we're looking for:

  • 5+ years of experience in GRC, compliance, or audit, with a meaningful portion spent as an auditor — public accounting, Big 4, boutique audit firm, or a rigorous internal audit function.
  • Deep hands-on experience with SOC 2 Type II; strong working knowledge of ISO 27001 and related standards (27017, 27018, 27701).
  • Demonstrated experience leading technical audit walkthroughs with external auditors and preparing control owners for those interactions — not just coordinating evidence collection.
  • The ability to define what "good evidence" looks like for each control domain: where it lives in source systems (Drata, Kolide, Trelica/SaaS Manager, HRIS, endpoint tooling, cloud infrastructure), how it maps to trust service criteria, and how it must be formatted to satisfy auditor scrutiny.
  • Proven ability to design and execute control testing — writing test procedures, assessing operating effectiveness, documenting exceptions, and tracking remediation to closure.
  • Ability to work cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence collection workflows at the source.
  • Strong written and verbal communication skills — you've personally authored control narratives, audit-ready documentation, and compliance reports, and you can run a live auditor walkthrough without notes.
  • Experience with compliance automation platforms (Drata, Vanta, Secureframe, or equivalent) at a level where you can connect automated evidence to specific control requirements, not just use the dashboard.
  • A builder's instinct — you look at manual, repetitive GRC processes and ask whether they can be automated or AI-assisted, and you bring specific proposals, not just observations.

Bonus points for:

  • CPA, CIA, CISA, or CISSP certification.
  • Audit or compliance experience in a cloud-native SaaS product environment, including evidence collection from cloud infrastructure and MDM/endpoint tooling.
  • Experience building or improving continuous control monitoring capabilities.
  • Familiarity with EU AI Act, NIST AI RMF, or AI governance frameworks — increasingly relevant as 1Password governs access for AI agents alongside human users.
  • Experience with vendor risk assessments — reviewing SOC 2 reports, evaluating third-party compliance documentation, and advising on vendor risk posture.

At 1Password, we build with AI:

  • Active and thoughtful AI user: You've used AI tools — not just ChatGPT for writing — to meaningfully speed up audit prep: control narrative drafting, framework cross-mapping, evidence gap identification. You can walk through what you applied, what it produced, and how you validated the output before relying on it.
  • Automation spotter: You identify manual, repetitive GRC processes that can be AI-assisted or automated and bring specific proposals to the team. You don't need to build everything yourself — but you need to see the opportunity and articulate it clearly.
  • AI literacy in a compliance context: You understand the accuracy tradeoffs — when AI-generated control narratives need careful human validation, where framework mapping output requires scrutiny, and why non-determinism is a meaningful risk in audit-facing work.
  • Curiosity and self-direction: You actively track what's happening in AI-assisted compliance tooling, have experimented with more than one approach, and can compare tools with informed opinions rather than general awareness.

What you can expect:

  • Own and lead technical audit walkthroughs across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701 programs — preparing control owners, surfacing the right evidence, and serving as the primary technical liaison with external auditors.
  • Define and maintain the evidence library — what good evidence looks like for each control domain, where it lives in source systems, and how it maps to trust service criteria.
  • Execute deep-dive control testing and gap analysis across the Unified Control Framework (UCF), identifying design and operating effectiveness gaps before external testing and driving remediation with clear ownership.
  • Drive continuous evidence library maturity — shifting GRC from reactive, point-in-time evidence collection toward proactive, continuously-maintained audit-ready artifacts.
  • Partner cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence workflows at the source.
  • Contribute to policy, standards, and baseline development with an eye toward auditability and testability — requirements that control owners can implement and auditors can test.
  • Apply AI tools to accelerate control narrative drafting, framework cross-mapping, and audit prep — with clear discipline around validation and when human judgment is required.
  • Mentor A–B level GRC team members on audit methodology, control design, and evidence quality standards.

Compensation:

  • USA-based roles only: The annual base salary for this role is between $153,000 USD and $214,000 USD, plus immediate participation...
Skills
SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701, Drata, Vanta, Secureframe, AI, Cloud Infrastructure