Good audits don't start when the auditors arrive - they start the moment a control is designed. 1Password is looking for a Senior Security Engineer - GRC Controls and Audit to serve as the technical and methodological anchor for our compliance audit programs. You'll partner directly with the Senior Manager of GRC to lead our commercial audit programs - from evidence collection and control testing to deep technical walkthroughs with external auditors and internal SMEs. You'll own the question of what "good evidence" looks like across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701, and you'll know where to find it in the systems that generate it. Along the way, you'll help build the AI-assisted workflows and automation that make our audit programs more efficient and our compliance posture more continuous. This is a controls expert role for someone with deep audit experience - ideally from the auditor's side of the table - who also brings a builder's instinct for making GRC more repeatable and scalable. You won't just coordinate evidence; you'll know exactly why each artifact satisfies a control requirement, and you'll be able to explain that to a skeptical Big 4 auditor and a first-time control owner in the same day. This is a remote opportunity within Canada and the US. What we're looking for: - 5+ years of experience in GRC, compliance, or audit, with a meaningful portion spent as an auditor - public accounting, Big 4, boutique audit firm, or a rigorous internal audit function. - Deep hands-on experience with SOC 2 Type II; strong working knowledge of ISO 27001 and related standards (27017, 27018, 27701). - Demonstrated experience leading technical audit walkthroughs with external auditors and preparing control owners for those interactions - not just coordinating evidence collection. - The ability to define what "good evidence" looks like for each control domain: where it lives in source systems (Drata, Kolide, Trelica/SaaS Manager, HRIS, endpoint tooling, cloud infrastructure), how it maps to trust service criteria, and how it must be formatted to satisfy auditor scrutiny. - Proven ability to design and execute control testing - writing test procedures, assessing operating effectiveness, documenting exceptions, and tracking remediation to closure. - Ability to work cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence collection workflows at the source. - Strong written and verbal communication skills - you've personally authored control narratives, audit-ready documentation, and compliance reports, and you can run a live auditor walkthrough without notes. - Experience with compliance automation platforms (Drata, Vanta, Secureframe, or equivalent) at a level where you can connect automated evidence to specific control requirements, not just use the dashboard. - A builder's instinct - you look at manual, repetitive GRC processes and ask whether they can be automated or AI-assisted, and you bring specific proposals, not just observations. Bonus points for: - CPA, CIA, CISA, or CISSP certification. - Audit or compliance experience in a cloud-native SaaS product environment, including evidence collection from cloud infrastructure and MDM/endpoint tooling. - Experience building or improving continuous control monitoring capabilities. - Familiarity with EU AI Act, NIST AI RMF, or AI governance frameworks - increasingly relevant as 1Password governs access for AI agents alongside human users. - Experience with vendor risk assessments - reviewing SOC 2 reports, evaluating third-party compliance documentation, and advising on vendor risk posture. At 1Password, we build with AI: At 1Password, using AI to do more with less isn't a bonus - it's how we operate. For this role, building with AI is secondary to controls expertise - but it's still a real expectation. We're looking for someone who actively uses AI to accelerate their audit and compliance work and can identify where automation creates leverage for the team. - Active and thoughtful AI user: You've used AI tools - not just ChatGPT for writing - to meaningfully speed up audit prep: control narrative drafting, framework cross-mapping, evidence gap identification. You can walk through what you applied, what it produced, and how you validated the output before relying on it. - Automation spotter: You identify manual, repetitive GRC processes that can be AI-assisted or automated and bring specific proposals to the team. You don't need to build everything yourself - but you need to see the opportunity and articulate it clearly. - AI literacy in a compliance context: You understand the accuracy tradeoffs - when AI-generated control narratives need careful human validation, where framework mapping output requires scrutiny, and why non-determinism is a meaningful risk in audit-facing work. - Curiosity and self-direction: You actively track what's happening in AI-assisted compliance tooling, have experimented with more than one approach, and can compare tools with informed opinions rather than general awareness. What you can expect: - Own and lead technical audit walkthroughs across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701 programs - preparing control owners, surfacing the right evidence, and serving as the primary technical liaison with external auditors. - Define and maintain the evidence library - what good evidence looks like for each control domain, where it lives in source systems, and how it maps to trust service criteria. - Execute deep-dive control testing and gap analysis across the Unified Control Framework (UCF), identifying design and operating effectiveness gaps before external testing and driving remediation with clear ownership. - Drive continuous evidence library maturity - shifting GRC from reactive, point-in-time evidence collection toward proactive, continuously-maintained audit-ready artifacts. - Partner cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence workflows at the source. - Contribute to policy, standards, and baseline development with an eye toward auditability and testability - requirements that control owners can implement and auditors can test. - Apply AI tools to accelerate control narrative drafting, framework cross-mapping, and audit prep - with clear discipline around validation and when human judgment is required. - Mentor A-B level GRC team members on audit methodology, control design, and evidence quality standards. USA-based roles only: The annual base salary for this role is between $153,000 USD and $214,000 USD, plus immediate participation in 1Password's benefits program (health, dental, 401k and many others), utilization of our generous paid time off, an equity grant and, where applicable, participation in our incentive programs. Canada-based roles only: The annual base salary for this role is between $144,000 CAD and $202,000 CAD, plus immediate participation in 1Password's generous benefits program (health, dental, RRSP and many others), utilization of our generous paid time off, an equity grant and, where applicable, participation in our incentive programs. At 1Password, we approach each individual's compensation with a promise of fair market value and internal equity commensurate with experience and specific skill set. This posting is for an existing vacancy.