Associate Director, AI & Application Security - HYBRID ROLE

About the role

Job Description This is a hybrid position that requires 3 days a week in our Boston office Vertex is seeking an Associate Director, AI & Application Security to lead security for AI-enabled applications, platforms, and services across the enterprise. This role is responsible for securing AI throughout the full lifecycle-from design and development to deployment and ongoing operations-including generative AI, agentic workflows, traditional machine learning, and AI embedded in enterprise applications. This leader will help define how Vertex securely adopts and scales AI across Azure, AWS, and GCP, as well as third-party and foundation model platforms such as Microsoft Copilot / Azure OpenAI, Anthropic, Google Gemini, and AWS Bedrock. The role will partner closely with technical and business stakeholders to establish pragmatic guardrails, strengthen secure development practices, and reduce risk without slowing innovation. The ideal candidate brings deep expertise in cloud security and application security, along with strong judgment, technical credibility, and the ability to influence decisions in fast-moving, evolving environments. This role also requires practical experience applying security and risk frameworks relevant to AI and modern application environments. Key Duties and Responsibilities Lead AI and application security across the full lifecycle of AI-enabled systems, from design and development through deployment and operations. Define and evolve security standards, guardrails, and control expectations for AI systems used across Vertex. Apply and operationalize industry-recognized security frameworks and control models, including: NIST AI Risk Management Framework (AI RMF) NIST Cybersecurity Framework (CSF) OWASP Top 10 OWASP Top 10 for LLM and Generative AI Applications Secure AI workloads and AI-enabled applications across cloud and SaaS environments, with emphasis on: policy enforcement data protection logging and telemetry monitoring and operational visibility Lead threat modeling and misuse-case analysis for AI systems, including risks such as: prompt injection and prompt abuse sensitive data leakage tool or action abuse unsafe outputs model misuse Define and mature AI guardrails, including monitoring, detection, logging, and misuse or negative testing practices. Establish secure development expectations for AI-enabled applications and services, including secure coding practices and appropriate separation of development and production environments. Build and lead application security testing practices for AI-enabled applications and supporting services, including SAST, DAST, automated scanning, and retesting processes. Partner with Cloud Security, Security Operations, Privacy, Legal, Data Science, and Engineering teams to align security controls with business, technical, and regulatory requirements. Influence architecture and platform decisions through practical, risk-based guidance that can scale with AI adoption. Communicate risks, tradeoffs, and recommendations clearly to both technical teams and senior leadership. Knowledge and Skills Cloud security architecture and controls across Azure and AWS Familiarity with GCP security concepts and services Secure software development lifecycle (SDLC) practices Secure coding standards and code review practices SAST, DAST, automated security scanning, and remediation workflows OWASP Top 10 and common application and API security risks Familiarity with OWASP guidance for LLM/GenAI applications API security, identity and access management, secrets management, and service-to-service trust Logging, telemetry, monitoring, and detection for cloud-native environments Threat modeling and misuse-case analysis Familiarity with AI security risks, including: prompt injection data leakage model misuse tool or action abuse unsafe outputs policy enforcement Familiarity with AI platforms and providers such as: Microsoft Copilot / Azure OpenAI Anthropic Google Gemini AWS Bedrock emerging AI platforms and services Education and Experience Bachelor's degree in Computer Science, Information Security, Engineering, or a related field or equivalent experience. Significant experience in application security, product security, cloud security, or a related cybersecurity discipline. Strong experience securing cloud environments, particularly Azure and AWS; familiarity with GCP is a plus. Deep knowledge of application security fundamentals and secure software development practices. Experience securing APIs, platforms, and complex distributed systems. Experience leading threat modeling, architecture reviews, and risk-based security assessments. Experience applying security and risk frameworks in engineering environments, including familiarity with NIST AI RMF, NIST CSF, and common application security standards. Demonstrated ability to partner effectively with engineering and platform teams to embed security into design and delivery processes. Experience securing generativ