Principal AI Security Engineer

Job Description:

Summary:

The Principal Artificial Intelligence (AI) Security Engineer serves as the technical lead for securing machine learning (ML), generative artificial intelligence (GenAI), and agentic systems in production, with emphasis on healthcare and other regulated environments. This role creates security architecture, threat modeling, control design, and detection strategy across the AI lifecycle, including data ingestion, feature engineering, training and fine-tuning, evaluation, model serving, retrieval-augmented generation (RAG) pipelines, agent frameworks, application programming interface (API) mediation, and post-deployment monitoring. The Principal AI Security Engineer leads and partners throughout the organization to build enforceable guardrails for protected health information and electronic protected health information handling, identity and access control, secrets isolation, model and dataset provenance, output safety, and evidence collection for audits and investigations.

Essential Accountabilities

• Creates reference architectures, defines security requirements and patterns for model training, inference, retrieval-augmented generation (RAG), agent orchestration, tool calling, and multi-model pipelines across cloud and hybrid environments.
• Performs deep threat modeling for artificial intelligence (AI) systems, including prompt injection, indirect prompt injection, insecure output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, data poisoning, model theft, model inversion, supply chain compromise, and denial-of-service.
• Defines guardrails for protected health information and electronic protected health information processing, including data minimization, de-identification, context scoping, encryption in transit and at rest, retention boundaries, and access paths into model context windows, vector stores, caches, and logs.
• Designs and implement secure machine learning operations (MLOps) controls for datasets, features, models, prompts, and policies: provenance tracking, artifact signing, environment separation, approval workflows, reproducible builds, rollback paths, and tamper-evident audit trails.
• Defines and sets standards for identity, service-to-service authentication, secrets management, token scoping, least privilege, just-in-time access, and network segmentation for AI services, model gateways, and external tool integrations.
• Leads offensive security activities for AI systems, including adversarial testing, AI red teaming, prompt and tool abuse simulation, fuzzing, jailbreak testing, attack path validation, and control verification against production-like workflows and third-party model providers.
• Leads defensive security and blue team capabilities for AI platforms, including telemetry design, prompt and response event logging, model gateway instrumentation, security information and event management/security orchestration, automation, and response (SIEM/SOAR) integration, detection engineering, exfiltration and jailbreak detections, anomalous agent action monitoring, incident triage playbooks, and continuous tuning based on observed attack patterns.
• Leads security reviews of RAG and agentic systems, including chunking and retrieval policies, vector store isolation, embedding pipeline validation, retrieval authorization, tool allow-listing, action confirmation, and human-in-the-loop controls for high-risk operations.
• Defines security requirements for model evaluation pipelines, benchmark data handling, canary tests, policy enforcement, and release gates so unsafe or noncompliant behavior is identified before promotion.
• Collaborates to ensure secure, compliant handling of sensitive and regulated data across AI systems and enterprise data platforms, including enforcement of data classification, retention, access controls, auditability, and secure data readiness for approved AI use cases.
• Collaborates on the design and implementation of AI and data governance frameworks, translating legal, regulatory, and compliance requirements into enforceable technical controls, security standards, and operational processes.
• Coordinates the development of secure data pipelines and control implementations, ensuring proper data sourcing, minimization, de-identification, and consistent application of enterprise data protection controls (e.g., DLP, encryption, retention) within AI architectures and workflows.
• Partner with application security, platform engineering, and data science teams to enable secure adoption of AI technologies.
• Jointly support investigations, incident response, and regulatory inquiries involving AI systems and enterprise data, including forensic analysis, evidence preservation, defensible documentation, and production of audit-ready artifacts for legal and compliance purposes.
• Develop and maintain integrated monitoring, detection, and response capabilities, aligning tools and processes (e.g., DSPM, eDiscovery, SIEM/SOAR, AI observability) to proactively identify and mitigate data leakage, insider risk, AI misuse, and anomalous system or user behavior.
• Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies’ mission and values, adhering to the Corporate Code of Conduct, and leading to the Lifetime Way values and beliefs.
• Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
• Regular and reliable attendance is expected and required.
• Performs other functions as assigned by management.

Minimum Qualifications

• Ten (10) years of hands-on security engineering experience spanning application security, cloud security, security architecture, detection and response, platform security, or infrastructure security.
• Bachelor's degree in computer science, information technology, or relevant field. In lieu of degree, six (6) cumulative years of related experience required.
• Demonstrated experience securing production AI/ML systems, including large language model (LLM) applications, model serving stacks, retrieval-augmented generation architecture, or agent frameworks.
• CISA, CISM, CCSP, HCISPP, GIAC and or CISSP certifications preferred.
• Demonstrated advanced expertise in AI threat modeling and adversarial testing, including prompt injections, jailbreaks, insecure tool use, data and model poisoning, vector store abuse, model extraction, and sensitive data disclosure.
• Strong implementation knowledge of secure software development lifecycle (SDLC), continuous integration/continuous delivery (CI/CD) security, infrastructure as code (IaC), container and Kubernetes security, application programming interface (API) security, identity and access management (IAM), secrets management, key management service/hardware security module (KMS/HSM) integration, and cloud-native telemetry pipelines.
• Experience designing or reviewing controls for secure machine learning operations (MLOps): artifact provenance, signed builds, feature and dataset integrity, model registry controls, environment promotion, reproducibility, and rollback.
• Experience instrumenting detections and response workflows using logs, traces, metrics, security information and event management/security orchestration, automation, and response (SIEM/SOAR) pipelines, alert tuning, and incident handling for distributed systems or AI services.
• Advanced working knowledge of RAG security, embedding pipelines, retrieval authorization, policy engines, content filtering, and evaluation harnesses for safety, security, and regulated-data compliance.
• Prior experience in healthcare, payer, provider or similarly regulated environments with PHI/ePHI safeguards preferred.
• Advanced ability to write engineering standards, design docs, threat models, and control requirements that can be implemented and tested by platform and product teams.
• Hands-on familiarity with model gateways, policy enforcement layers, prompt filtering, content moderation, retrieval authorization, vector databases, and AI observability tooling.
• Working knowledge of static/dynamic application security testing, infrastructure as code (IaC) scanning, container image scanning, software bill of materials generation, artifact signing, secret scanning, and dependency-risk management as applied to AI delivery pipelines.
• Experience with AI red teaming platforms, safety and abuse evaluation harnesses, benchmark design, and automated release gates for model or prompt changes.
• Familiarity with Sarbanes Oxley, HIPAA, OCR, AI RFM, HCFA, PCI/DSS, NIST and other regulations impacting security (with ISO17799 and NIST security standards) is preferred, as well as COBIT and COSO familiarity.

Physical Requirements:

• Ability to work prolonged periods sitting and/or standing at a workstation and working on a computer.
• Ability to travel across the Health Plan service region for meetings and/or trainings as needed.
• Ability to work in a home office for continuous periods of time for business continuity.

***********

In support of the Americans with Disabilities Act, this job description lists only those responsibilities and qualifications deemed essential to the position.

Equal Opportunity Employer

Compensation Range(s):

Minimum: $123,304 - Maximum: $221,948

The salary range indicated in this posting represents the minimum and maximum of the salary range for this position. Actual salary will vary depending on factors including, but not limited to, budget available, prior experience, knowledge, skill and education as they relate to the position’s minimum qualifications, in addition to internal equity. The posted salary range reflects just one component of our total rewards package. Other components of the total rewards package may include participation in group health and/or dental insurance, retirement plan, wellness program, paid time away from work, and paid holidays. 

Please note: There may be opportunity for remote work within all jobs posted by the Excellus Talent Acquisition team. This decision is made on a case-by-case basis.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.