The challenge

AI is reshaping how work gets done at Thumbtack. Employees leverage AI assistants in their daily work and teams are building autonomous agents that act on their behalf - reading data, calling APIs, and making changes across enterprise systems. This introduces changes in the risk landscape. Identities now belong to agents and services as often as to people. Protocols like MCP are opening new pathways between AI and enterprise data. And the pipelines feeding AI systems cross more services, vendors, and trust boundaries than they have previously.

The challenge is to evolve security controls to address these shifts in the technology and risk landscape driven by AI-adoption: hardening IAM for non-human and delegated identities, defining safe defaults for MCP servers and autonomous agents, and securing the data pipelines that feed AI systems. We package these controls as secure defaults, paved paths, and reusable patterns so teams can adopt them with confidence. The goal is straightforward - keep Thumbtack moving fast on AI while keeping customer and employee data protected.

What you'll do

• This role focuses on improving AI-adjacent security at Thumbtack, including the agents, identities, integrations, and data pipelines that modern AI systems depend on. It also covers broader security engineering work across the enterprise platforms and services that support them.
• Deliver high-quality security assessments and threat models for first-party and third-party AI tools, agents, and AI-integrated systems, ensuring they adhere to enterprise security principles and approved patterns, with sound authentication, authorization, data access, and observability by design.
• Design and validate technical guardrails and reusable patterns that keep AI usage safe at Thumbtack. This spans AI behavior (safe defaults for agent actions, tool and permission scoping, human-in-the-loop boundaries for sensitive access, input and output controls, audit and observability) and AI connectivity (MCP servers, integrations, trust boundaries, and the data pipelines that feed first- and third-party AI systems). Contribute to the frameworks and tooling that support secure AI development and use across Thumbtack.
• Harden IAM across the enterprise, with particular focus on the non-human and delegated identities behind AI systems (service accounts, agent credentials, SaaS-to-SaaS OAuth, and SCIM federation). Bring least-privilege and lifecycle hygiene to identities that increasingly act at machine speed.
• Provide broader security engineering support across Thumbtack's enterprise platforms and services, including SaaS security and posture management, third-party and integration security, data governance, endpoint security, and identity-centric controls. Build paved paths, shared tooling, and automation that scale these controls.
• Lead cross-functional security initiatives end-to-end. Partner with IT, Engineering, Legal, Privacy, Procurement, and business stakeholders to surface risk early, set clear requirements, and support scalable adoption of secure patterns. Conduct security design and architecture reviews for enterprise applications, SaaS platforms, and internally developed systems.
• Mentor engineers and partner-team members, raising the overall security bar through guidance and example.
• Support security incident response and drive learning through post-incident analysis.

In order to be successful, you must bring

• 6+ years of experience in security engineering, enterprise security, application security, cloud security, or a related field.
• Experience developing threat models and proposing technical guardrails for AI tooling and agentic systems, including non-human identities, tool/permission scoping, and safe defaults for agent behavior.
• Deep expertise in modern enterprise security disciplines: authentication and authorization (SSO, OAuth/OIDC, SAML, federation, SCIM), API security and token handling, secrets management, least-privilege design, SaaS security and posture management.
• Strong experience evaluating risk and conducting security design and architecture reviews across enterprise applications, SaaS platforms, integrations, and internally developed systems, including evaluating data flows, third-party integrations, trust boundaries, automation platforms, AI-connected workflows, and emerging integration patterns such as MCP.
• Strong experience securing modern, cloud-native systems (AWS and/or GCP) and familiarity with core control domains such as audit logging, encryption, access control, data retention, and incident response.
• Strong sense of ownership and accountability, balancing hands-on technical execution with the ability to mentor others, raise standards, and drive measurable improvements in enterprise security.
• Excellent written and verbal communication skills, with the ability to influence without authority and translate technical risk into clear requirements and actionable guidance for both technical and non-technical audiences.

Expected salary ranges

• For candidates living in San Francisco / Bay Area, San Jose, New York City, or Seattle metros, the expected salary range for the role is currently $210,800.00 - $272,800.00.
• For candidates living in Austin, TX or Washington DC metros or in California, Massachusetts, New Jersey, or Washington states, the expected salary range for the role is currently $189,600.00 - $245,300.00.
• For candidates living in all other US locations, the expected salary range for this role is currently $179,400.00 - $232,100.00.

Actual offered salaries will vary and will be based on various factors, such as calibrated job level, qualifications, skills, competencies, and proficiency for the role.