Security Controls Assurance Lead

About Anthropic

Anthropic’s mission is to create reliable, interpretable, and steerable AI systems. We want AI to be safe and beneficial for our users and for society as a whole. Our team is a quickly growing group of committed researchers, engineers, policy experts, and business leaders working together to build beneficial AI systems.

About the role

Anthropic's Security Governance, Risk, and Compliance (GRC) team is the connective tissue that holds the company accountable to its security commitments. We translate regulatory, customer, and voluntary obligations into controls that teams act on, and give leadership a bird's-eye view of how well we're meeting them. We're building toward a fundamentally different kind of GRC: one that directs Claude, with the right humans in the loop, to challenge and evidence the performance of controls continuously rather than through periodic audits. We are designing an integrated compliance and risk ecosystem that serves as a trust engine and an independent risk advisor as Anthropic governs itself at a level beyond frameworks.

As part of Security GRC's technical controls assurance function, you will be the voice on what the control environment must achieve. You will define control requirements and acceptance criteria for our global compliance obligations (e.g. SOC 2, ISO 27001/42001, HIPAA, public sector) across the software development lifecycle, pair with engineering as they design and implement against those requirements, and validate that what ships actually meets the bar.

Key responsibilities

• Define the control framework and requirements for autonomous AI operators in collaboration with Security, Internal Audit, and Engineering, including change review and approvals, human-in-the-loop, and evidence collection. Assess implementations against those requirements.
• Pressure-test major infrastructure, system, and agent framework changes for control impact during design, before decisions become expensive rework.
• Set the compliance bar for home-built systems. Collaborate with teams to define what the internal system must provide from day one, such as auditability, segregation of duties, and change control over the tool itself.
• Define the criteria for where and when AI can operate, supplement, or replace a manual process or control, including the human-in-the-loop thresholds and evidence documentation.
• Establish the validation, evidence, and governance standards that allow AI-performed and AI-assisted processes and controls to withstand external audit and regulatory scrutiny.
• Assess the introduction of new compliance frameworks and changes in scope (new regulations, certifications, products, or entities), providing a sufficient technical and compliance lens on their impact to control design, evidence requirements, and engineering effort before commitments are made.
• Stand up or