AI Security Governance Architect
Plain Concepts • Spain
Posted: May 18, 2026
Job Description
Mission
Support the client’s AI Security Governance Program by defining, operationalizing and continuously improving the cybersecurity control framework for AI, GenAI and agentic AI use cases. The role will work with security, architecture and business teams to ensure AI initiatives are registered, assessed, governed and secured across their lifecycle.
The profile will act as the cybersecurity subject matter expert for AI governance, complementing the project manager and helping translate AI-related risks into practical controls, processes, requirements, evidences and decision criteria.
Key Responsibilities
1. AI security governance framework
Define and mature the security governance model for AI systems, including intake, registration, risk classification, control mapping, approvals, exceptions, monitoring and periodic reassessment.
Align the governance model with recognized frameworks such as NIST AI RMF, NIST Generative AI Profile, ISO/IEC 42001, OWASP Top 10 for LLM Applications, and local relevant ruling as EU AI Act obligations where applicable. NIST’s GenAI Profile was released to help organizations manage unique generative AI risks; ISO/IEC 42001 provides a structured AI management system standard; OWASP tracks LLM-specific risks such as prompt injection, insecure output handling, data poisoning and supply-chain vulnerabilities.
2. AI use case risk assessment
Assess AI and GenAI use cases from a cybersecurity perspective, covering:
- Access control and identity context
- Agentic AI permissions and tool execution
- Logging, monitoring and incident response
- Model exposure and misuse risk
- Prompt injection and indirect prompt injection
- Sensitive data leakage
- Data classification and data residency
- Model supply chain and third-party AI services
- Human oversight and approval workflows
- Security-by-design requirements for AI applications
3. Control design and operationalization
Translate risks into practical security controls, including policies, technical requirements, architecture patterns, guardrails, evidence requirements, control owners and acceptance criteria.
The role should be able to define what “good” looks like for different AI patterns: internal copilots, M365 Copilot, custom GenAI apps, RAG systems, AI agents, vendor AI features, ML models and low-code/no-code AI automations.
4. Tooling integration and control mapping
Work with existing tools such as HiddenLayer, Sentra, Zenity and the AI registration/control tower process to ensure the governance model is not theoretical.
Expected activities include:
- Mapping tool capabilities to governance controls
- Defining required data fields in the AI registry
- Establishing dashboards and control evidence
- Identifying gaps between tooling coverage and policy expectations
- Supporting integration with GRC, CMDB, DLP, IAM, SIEM/SOC, cloud security and data governance processes
6. Deliverables
Typical deliverables should include:
- AI control framework
- AI use case classification model
- Security requirements for AI/GenAI projects
- AI security architecture patterns
- AI registry/control tower data model recommendations
- Tooling-to-control mapping
- Exception and risk acceptance process
- KPI/KRI dashboard proposal
- Security review templates
- AI security awareness material for project teams
- Roadmap for maturity improvement
Must have:
8+ years in cybersecurity, with strong experience in security governance, security architecture, risk management or AppSec/CloudSec.
Real understanding of AI/GenAI security risks, especially LLM application risks, prompt injection, data leakage, model supply chain, AI agent permissions, RAG security, model/API exposure and third-party AI usage.
Ability to build governance that works operationally, not just policy documents. This is important: Nestlé likely does not need someone to explain that AI is risky; they need someone who can help make the program executable.
Experience with enterprise control frameworks
Excellent documentation and communication skills, with the ability to produce executive-ready material and technical control definitions.
Strongly desirable:
Experience with one or more of:
- AI governance programs
- AISPM Experience
- GenAI application security reviews
- M365 Copilot / enterprise copilots
- AI agent governance
- ML/LLM model risk management
- Data Security Posture Management
- Cloud security architecture
- Secure SDLC / DevSecOps
- Third-party AI vendor risk
- GRC tooling and control evidence automation
- SOC monitoring for AI-related threats
Experience with tools such as HiddenLayer, Sentra, Zenity, Wiz, Microsoft Purview, Defender, CSPM/CWPP, DLP, SIEM/SOAR, cloud-native security tooling or GRC platforms would be valuable.
Certifications / knowledge:
Useful but not mandatory:
- CISSP, CISM, CRISC or equivalent
- Cloud security certifications: AWS, Azure, GCP, CCSP
- AI governance / AI risk training
- Privacy knowledge: GDPR, DPIA, data classification
- Familiarity with EU AI Act requirements for deployers of high-risk AI systems, including governance, monitoring, human oversight and logging obligations where applicable.
Additional Content
Mission
Support the client’s AI Security Governance Program by defining, operationalizing and continuously improving the cybersecurity control framework for AI, GenAI and agentic AI use cases. The role will work with security, architecture and business teams to ensure AI initiatives are registered, assessed, governed and secured across their lifecycle.
The profile will act as the cybersecurity subject matter expert for AI governance, complementing the project manager and helping translate AI-related risks into practical controls, processes, requirements, evidences and decision criteria.
Key Responsibilities
1. AI security governance framework
Define and mature the security governance model for AI systems, including intake, registration, risk classification, control mapping, approvals, exceptions, monitoring and periodic reassessment.
Align the governance model with recognized frameworks such as NIST AI RMF, NIST Generative AI Profile, ISO/IEC 42001, OWASP Top 10 for LLM Applications, and local relevant ruling as EU AI Act obligations where applicable. NIST’s GenAI Profile was released to help organizations manage unique generative AI risks; ISO/IEC 42001 provides a structured AI management system standard; OWASP tracks LLM-specific risks such as prompt injection, insecure output handling, data poisoning and supply-chain vulnerabilities.
2. AI use case risk assessment
Assess AI and GenAI use cases from a cybersecurity perspective, covering:
- Access control and identity context
- Agentic AI permissions and tool execution
- Logging, monitoring and incident response
- Model exposure and misuse risk
- Prompt injection and indirect prompt injection
- Sensitive data leakage
- Data classification and data residency
- Model supply chain and third-party AI services
- Human oversight and approval workflows
- Security-by-design requirements for AI applications
3. Control design and operationalization
Translate risks into practical security controls, including policies, technical requirements, architecture patterns, guardrails, evidence requirements, control owners and acceptance criteria.
The role should be able to define what “good” looks like for different AI patterns: internal copilots, M365 Copilot, custom GenAI apps, RAG systems, AI agents, vendor AI features, ML models and low-code/no-code AI automations.
4. Tooling integration and control mapping
Work with existing tools such as HiddenLayer, Sentra, Zenity and the AI registration/control tower process to ensure the governance model is not theoretical.
Expected activities include:
- Mapping tool capabilities to governance controls
- Defining required data fields in the AI registry
- Establishing dashboards and control evidence
- Identifying gaps between tooling coverage and policy expectations
- Supporting integration with GRC, CMDB, DLP, IAM, SIEM/SOC, cloud security and data governance processes
6. Deliverables
Typical deliverables should include:
- AI control framework
- AI use case classification model
- Security requirements for AI/GenAI projects
- AI security architecture patterns
- AI registry/control tower data model recommendations
- Tooling-to-control mapping
- Exception and risk acceptance process
- KPI/KRI dashboard proposal
- Security review templates
- AI security awareness material for project teams
- Roadmap for maturity improvement
Must have:
8+ years in cybersecurity, with strong experience in security governance, security architecture, risk management or AppSec/CloudSec.
Real understanding of AI/GenAI security risks, especially LLM application risks, prompt injection, data leakage, model supply chain, AI agent permissions, RAG security, model/API exposure and third-party AI usage.
Ability to build governance that works operationally, not just policy documents. This is important: Nestlé likely does not need someone to explain that AI is risky; they need someone who can help make the program executable.
Experience with enterprise control frameworks
Excellent documentation and communication skills, with the ability to produce executive-ready material and technical control definitions.
Strongly desirable:
Experience with one or more of:
- AI governance programs
- AISPM Experience
- GenAI application security reviews
- M365 Copilot / enterprise copilots
- AI agent governance
- ML/LLM model risk management
- Data Security Posture Management
- Cloud security architecture
- Secure SDLC / DevSecOps
- Third-party AI vendor risk
- GRC tooling and control evidence automation
- SOC monitoring for AI-related threats
Experience with tools such as HiddenLayer, Sentra, Zenity, Wiz, Microsoft Purview, Defender, CSPM/CWPP, DLP, SIEM/SOAR, cloud-native security tooling or GRC platforms would be valuable.
Certifications / knowledge:
Useful but not mandatory:
- CISSP, CISM, CRISC or equivalent
- Cloud security certifications: AWS, Azure, GCP, CCSP
- AI governance / AI risk training
- Privacy knowledge: GDPR, DPIA, data classification
- Familiarity with EU AI Act requirements for deployers of high-risk AI systems, including governance, monitoring, human oversight and logging obligations where applicable.