GRC Lead

BrainCo

$130K — $180K *
Enterprise Technology
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • 8+ years in GRC program management in regulated sectors (healthcare, finance, government, SaaS)
  • Hands-on experience with SOC 2 Type II and HIPAA compliance processes
  • Expertise in translating technical risk for both executive and engineering teams
  • Strong capability in policy writing, program design, and execution
  • Proficient in data classification, residency, and security frameworks
  • Ability to thrive in ambiguity and build new programs from the ground up

Responsibilities

  • Lead the governance, risk, and compliance (GRC) program from inception to implementation
  • Establish a robust framework for data handling and classification across diverse deployment environments
  • Conduct audits as a creator, ensuring automation of evidence processes
  • Develop and implement a comprehensive third-party risk management program
  • Enhance customer trust through transparent documentation and proactive engagement
  • Collaborate with engineering to integrate compliance within product development
  • Streamline risk management processes across all departments, ensuring clear ownership of compliance tasks

Benefits

  • Competitive salary plus equity
  • Daily lunches
  • Commuter benefits
  • 401(k) plan
  • Medical, dental, and vision insurance
  • Unlimited paid time off (PTO)
Full Job Description
About the Role:

At Brain Co., we focus on applying frontier AI to real institutional challenges, working alongside governments, healthcare systems, and critical industries to modernize how essential services operate. We are looking for leaders who want to help bring new technology into institutions that impact millions of people.

As our GRC Lead, you'll own the governance, risk, and compliance program end-to-end - and treat it as a strategic advantage, not a checklist. Brain Co. carries one of the most demanding regulatory loads of any company our size: SOC 2 Type II and HIPAA in place today, with ISO 27001, NIST 800-171, FedRAMP/GovRAMP, GLBA, and US/MENA data residency on the near-term roadmap. That's what selling to governments, hospitals, and financial institutions costs - and done right, it's how we win the next ones.

This is a 01 builder role. You'll define the principles, write the policies, run the audits, build the automation, and partner directly with engineering, legal, sales, and customer - not advising from the sidelines. This is a high-ownership role for someone who has built programs like this before and wants to build the next one from first principles. You'll be an IC on day one with the scope and trust to grow the function as the company scales.

What You'll Work On:
  • Own the end-to-end GRC program: SOC 2 Type II and HIPAA today, and the path through ISO 27001, NIST 800-171, FedRAMP/GovRAMP, GLBA, and MENA-specific regimes that don't map cleanly to a US playbook.
  • Build the data handling backbone: how customer data is classified, where it lives, who can touch it, and how we prove it - across Azure, on-prem MENA deployments, and the bespoke deployments we run for governments and hospitals.
  • Run audits as a builder, not a project manager: Own evidence, controls, gap remediation, and audit response, and automate the evidence pipeline so we're not rebuilding workpapers every cycle.
  • Stand up third-party risk as a real program: vendor reviews, data flow inventory, contractual security obligations, and a reassessment cadence that keeps pace with our SaaS footprint.
  • Be the function that unblocks enterprise deals: Build the customer-trust surface - security questionnaires, trust portal, DPAs, BAAs, customer-facing docs - so customers understand how we handle their data before they have to ask.
  • Partner with engineering: Bake compliance into the product: control inheritance from Azure, policy-as-code, automated access reviews, audit-ready logging, and evidence collection that runs without a human in the loop.
  • Run a single risk operating cadence across HR, Finance, Legal, IT, and Engineering: so data handling, vendor approvals, and audit requests always have a clear owner.
  • Be the translator between technical reality and regulatory expectations: the person engineers trust to interpret a control, and the person customers and auditors trust to explain the system behind it.


You Might Be a Great Fit If You...
  • Have 8+ years building and running GRC programs in regulated environments including healthcare, financial services, government, or enterprise SaaS where the stakes were real and the audits weren't theatre.
  • Have taken a company through SOC 2 Type II from a cold start, and lived HIPAA, GLBA, FedRAMP, or equivalent work hands-on, not just signed off on policies someone else wrote.
  • View compliance as a competitive advantage and a forcing function for good engineering, not a checklist and not a bureaucracy to defend.
  • Are a deep executor: you write the policies, draft the white papers, and ship the automation yourself, and can zoom out to design the program around them.
  • Are a high-trust cross-functional partner - you can sit with an engineer reasoning about IAM controls in the morning, walk GTM through a DPA at noon, and brief a customer's CISO in the afternoon.
  • Translate technical risk for the boardroom and regulatory risk for the engineers fluently in both directions.
  • Are at home in ambiguity and energized by a 01 program. We have a SOC 2 Type II baseline; the rest is yours to define.
  • Have a strong opinion about data: how it's classified, where it lives, who can see it, and how you prove it. You think in data flows, not policy templates.
  • Bias toward pragmatism over bureaucracy. You know which controls matter, which ones are noise, and which ones you can automate out of existence.


Bonus Points For:
  • Direct experience operating across US and MENA (or other multi-jurisdictional) regulatory environments, including on-prem and data residency requirements.
  • FedRAMP/GovRAMP, IL4/IL5, or equivalent government-customer compliance experience.
  • Standing up GRC programs at AI or ML-heavy companies, including the novel evidence and disclosure questions that come with model training data, agent actions, and customer data flowing through AI systems.
  • Hands-on with compliance automation tooling (Vanta, Drata, Secureframe, etc.) and a willingness to replace it when it's the wrong tool.
  • Comfort reading the technical controls themselves (Terraform, IAM policies, audit logs) well enough to verify what an auditor is being told.


Why Join Us:
  • Build the GRC function for an AI platform deployed in governments, hospitals, and critical industries worldwide - where the regulatory bar is real and the work matters.
  • Own the program 01. Define the principles, design the system, and grow the function under you as the company scales.
  • Work alongside senior engineers from Tesla, DeepMind, Databricks, and other top engineering orgs who treat compliance as a partner, not a tax.
  • Shape how compliance is done for AI-native companies, where the frameworks haven't caught up yet and the right answer is still being written.
  • Earn competitive compensation and meaningful equity in a high-growth company.


Benefits
  • Competitive salary plus equity
  • Daily lunches
  • Commuter benefits
  • 401(k)
  • Medical, Dental, and Vision
  • Unlimited PTO

Similar Jobs

More Jobs at BrainCo

  • GRC Lead
    $130K — $180K *
    San Francisco, CA 94112 (San Francisco County)
    Enterprise Technology
    In-Person
  • Event & Field Ops, Government Vertical
    $80K — $120K *
    San Francisco, CA 94112 (San Francisco County)
    Education, Government & Non-Profit
    In-Person
  • AI Deployment Lead - GTM
    $120K — $180K *
    San Francisco, CA 94112 (San Francisco County)
    Business Services
    In-Person
  • Business Operations Lead
    $120K — $150K *
    San Francisco, CA 94112 (San Francisco County)
    Business Services
    In-Person
  • AI Platform Engineer, DevX
    $130K — $180K *
    San Francisco, CA 94112 (San Francisco County)
    Information Technology
    In-Person

More Enterprise Technology Jobs

Find similar GRC Lead jobs: