We're looking for a AIPlatform Security Engineer to drive the security of the Azure infrastructure that powers the Kai AI-native cybersecurity product. This role centers on the security of the cloud foundation, data platform, AI/ML infrastructure, and internal developer platform that the product depends on. This is a deeply technical, infrastructure-focused role. You'll work closely with Platform Engineering, DevOps, Data Engineering, and AI/MLOps teams to ensure that the systems, pipelines, and environments underpinning our product are designed, built, and operated securely. What You'll Do... Cloud Infrastructure Security - Own the end-to-end security infrastructure architecture of our Azure environment, including landing zone design, management group and subscription structure, network topology, and resource governance. - Enforce and continuously improve guardrails using Azure Policy, Cloud security posture management (CSPM), and infrastructure-as-code (IaC) security scanning (Checkov, tfsec, or equivalent). - Manage and mature the Azure network security model: hub-and-spoke topology, NSG and Azure Firewall rule governance, Private Endpoints, and DDoS protection controls. - Lead cloud infrastructure security posture reviews, drive down misconfigurations, and own the organization's Secure Score improvement roadmap. - Maintain and harden Azure landing zones, ensuring new workloads are provisioned into a secure-by-default environment. Identity, Access, and Secrets Management - Drive the organization's cloud identity and access management strategy, including Entra ID tenant configuration, Privileged Identity Management (PIM), Conditional Access policies, and workload identity (managed identities, federated credentials, service principals). - Enforce least-privilege IAM across all Azure subscriptions and resources; conduct regular access reviews and entitlement hygiene campaigns. - Architect and operate the enterprise secrets management program using Azure Key Vault with HSM-backed keys, including key rotation automation, certificate lifecycle management, and developer-facing secrets injection patterns. - Define and enforce policies for human and non-human identities across CI/CD systems, internal tooling, and AI/ML workloads. Kubernetes and Container Platform Security - Secure the Azure Kubernetes Service (AKS) platform: cluster hardening, node pool configuration, admission control (OPA/Gatekeeper, Kyverno), runtime security, and network policy enforcement. - Own container security standards: base image governance, image signing and provenance (Notary, Cosign), container registry security (Azure Container Registry), and vulnerability scanning integration in the build pipeline. - Maintain and improve Pod Security Standards, workload identity binding (Azure Workload Identity), and namespace-level security isolation. - Collaborate with Platform Engineering on the internal developer platform (IDP) to ensure that developer self-service pathways are built with security guardrails as first-class controls. AI and Data Platform Security - Secure the data and AI/ML infrastructure layer. - Define and enforce data security controls including storage encryption (CMK), data classification enforcement, network isolation for data services, and access boundary policies between training, staging, and production AI environments. - Establish security controls for AI/ML pipelines: training data provenance and integrity, model artifact signing, inference endpoint hardening, and isolation of multi-tenant AI workloads. - Work with Data Engineering and MLOps teams to ensure AI infrastructure changes go through security review and that data access patterns are auditable and compliant. Detection, Response, and Vulnerability Management - Own the cloud-native detection and monitoring stack - Develop and maintain detection rules and analytic content tuned to cloud infrastructure and AI platform threats (e.g., credential abuse, lateral movement, data exfiltration from AI workloads). - Lead the infrastructure vulnerability management program: agent-based and agentless scanning across Azure VMs, AKS nodes, and container images; SLA-based remediation tracking; and patch compliance reporting. - Own cloud incident response runbooks for infrastructure-layer security events and serve as the technical lead for cloud-scoped security incidents. Security Automation and Platform Hardening - Build and maintain policy-as-code frameworks that enforce security standards across IaC templates (Terraform, Bicep) before resources are provisioned. - Develop internal security automation for drift detection, misconfiguration remediation, and continuous compliance validation against CIS Azure Foundations Benchmark and equivalent baselines. - Partner with DevOps and Platform Engineering to embed security gates into infrastructure CI/CD pipelines, ensuring that insecure infrastructure changes cannot reach production. - Maintain the platform security baseline documentation and runbooks, enabling the broader engineering organization to build a well-understood, secure foundation. What We're Looking For Required - An ownership mentality that places the wellbeing of the company, our customers, and teammates at the forefront of everything that the role does. - Ability to thrive in a high-paced, high-growth startup environment. - 6+ years of experience in cloud security, infrastructure security, or platform security engineering, with at least 3 years working deeply in Microsoft Azure. - Expert-level knowledge of Azure security services: Entra ID, Key Vault, Azure Firewall, Azure Policy, and Private Networking. - Strong hands-on experience with Kubernetes security and AKS platform operations, including admission controllers, runtime security, and workload identity. - Demonstrated experience securing data platforms and AI/ML infrastructure (data lakes, blob storage, model training environments, inference endpoints). - Proficiency with infrastructure-as-code tools (Terraform and/or Bicep) and IaC security scanning. - Strong scripting and automation skills in Python, Bash, or PowerShell for building security tooling and automation workflows. - Experience with cloud identity architecture: Entra ID, managed identities, OAuth 2.0/OIDC, PIM, and Conditional Access. - Working knowledge of network security concepts: firewalls, NSGs, DNS security, private networking, and Zero Trust network access (ZTNA). Preferred - Experience securing AI/ML platforms, LLM inference infrastructure, or vector database environments - Familiarity with the MITRE ATT&CK for Cloud and MITRE ATLAS (adversarial ML) frameworks. - Experience developing detection content in Microsoft Sentinel (KQL authoring) or equivalent SIEM platforms. - Relevant certifications such as AZ-500, SC-100, CKS (Certified Kubernetes Security Specialist), CCSP, or GCIA. - Prior experience in a cybersecurity product company or securing multi-tenant SaaS infrastructure. - Familiarity with compliance frameworks relevant to cloud infrastructure: SOC 2, ISO 27001, CSA STAR, and NIST CSF.