Role OverviewButterflyMX is seeking a GRC Engineer who is equal parts practitioner and builder. You will own the governance, risk, and compliance program. But more importantly, you will re-engineer how that program operates: replacing manual, point-in-time processes with AI-assisted, automated, and agentic workflows wherever possible. From continuous controls monitoring to automated vendor risk intake to AI-accelerated policy drafting, you will design a GRC function built for scale.
This is a generalist role that spans the full GRC surface: compliance operations, risk management, audit management, trust and assurance, vendor/supply chain risk, and operational privacy support. You will own the day-to-day operations of our compliance posture: managing audit readiness, maintaining our risk register, driving policy development, coordinating vendor risk assessments, and building sustainable processes through engineering automations.
You are equally comfortable automating a controls evidence request (not just handing it to the control owner!); conducting a supply chain risk analysis (software, firmware, hardware); and building automations and workflows to reduce compliance and documentation burdens. It is an individual contributor position reporting directly to the CISO to build and sustain our governance, risk, and compliance program.
Responsibilities- Own and continuously mature the company risk register; design a risk management workflow that uses AI tooling to surface, score, and route emerging risks with minimal manual intervention, ensuring the register reflects real-time posture, not a quarterly snapshot.
- Lead external audit management (SOC 2 Type II); automate evidence collection pipelines in Vanta so that audit cycles are driven by continuous monitoring rather than evidence sprints, and begin scoping a readiness path for ISO 42001 (AI management systems).
- Engineer the Trust and Assurance program for scale: build automated intake and triage workflows for security questionnaire requests, deploy AI-assisted response generation against a curated knowledge base, and expand the trust portal so that partner due diligence is largely self-service.
- Build a vendor and supply chain risk program that goes beyond static spreadsheets. Design automated vendor intake, tiered risk scoring, and continuous monitoring triggers (news alerts, rating service integrations, release notes, expiration tracking) that surface risk without requiring manual sweeps.
- Redesign and maintain security and privacy policies; use AI to draft, version, and track policy updates, and build a lightweight workflow for owner review, approval, and attestation that doesn't require a ticketing system to chase people down.
- Own common controls monitoring in Vanta. Configure and tune integrations, checks, and alerting so that control failures surface automatically to the right owners, not just to a GRC inbox. Drive the organization toward an always-on compliance posture.
- Modernize the security awareness and training program.
- Design and operationalize an integrated compliance calendar covering SOC 2, security and IT systems licensing renewals, applicable state privacy regulations, and any other active frameworks with automated reminders and status tracking rather than manual coordination.
- Support the CISO and General Counsel on operational privacy practices: administer cookie consent management tooling, handle or route data subject requests (DSRs) through a documented and auditable workflow, and help maintain the company's privacy notice and data mapping inventory.
- Monitor the regulatory and compliance landscape, including AI governance developments (EU AI Act, NIST AI RMF, ISO 42001). Proactively surface changes that require a policy, control, or product response.
- Leverage AI tools across every GRC workflow; this role is expected to demonstrate measurable efficiency gains through automation and tooling, not simply to own a portfolio of manual processes.
Requirements- 3+ years of experience in GRC, information security compliance, or risk management.
- Working knowledge of SOC 2 (Trust Services Criteria), with hands-on experience supporting or leading audits.
- Familiarity with additional frameworks is a strong plus: CIS Controls v8, NIST CSF, NIST AI RMF, NIST Privacy Framework, NIST SP 1800 series, NIST 800-53 r5, ISO 42001, ISO 27701, ISO 27001, OWASP Top 10 for Agentic Applications, MITRE D3FEND, MITRE SoT, MITRE ALTAS.
- Experience conducting rapid third-party/vendor risk assessments and managing a supply chain risk program.
- Strong organizational skills with the ability to manage multiple concurrent workstreams and deadlines.
- Excellent written communication, capable of drafting clear, audience-appropriate policy documents and executive risk summaries.
- Experience with Vanta platform (or equivalent)
- Relevant certifications a plus: CISA, CRISC, CISSP, CIPP, or equivalent.
- Proven experience with leveraging AI tools in both professional and personal settings. ButterflyMX is an AI-forward organization and the ability to optimize efficiency using AI is crucial in every role.
Benefits- Comprehensive Medical, Dental and Vision plans (ButterflyMX covers 80% of the cost) starting day 1
- 401(k) plan with a match
- 10 paid holidays, 20 vacation days, 5 sick days, 3 floating holidays
- Basic Life and Accidental Death and Dismemberment Insurance (ButterflyMX covers 100% of the cost)
- Short and Long Term Disability (ButterflyMX covers 100% of the cost)
- Paid Family Leave
- Employee Assistance Program
- Quarterly self-care stipends
- Access to optional benefits including pre-tax flexible healthcare spending accounts (FSA and HSA), Dependent Care FSA, and Commuter Benefits, as well as optional Supplemental Life, AD&D, Hospital Indemnity, Legal, Accident, Critical Illness, Pet, and Personal Liability Insurance
- And more!