Kai is the AI company rebuilding cybersecurity for the machine-speed era. Founded by second-time founders and trusted by Fortune 500 enterprises, Kai is building a future where security has no categories, no silos, and no human-speed bottlenecks. The Kai Agentic Platform replaces fragmented, human-limited workflows with agentic AI systems that continuously contextualize, assess, reason, and execute security work at the speed of thought, making human defenders superhuman.
Why Kai?
- Well-funded: With $125M raised, we have the capital, runway, and resolve to rebuild cybersecurity from first principles.
- Proven: We've earned the trust of Fortune 500 and Global 1000 companies, and we're just getting started. Their confidence in Kai reflects what we've built: an AI-powered cybersecurity platform that performs at the scale and speed the enterprise demands.
- Experienced founders: Our founding team consists of second-time entrepreneurs, each with over 20 years of experience in the cybersecurity industry. Their proven expertise and vision drive our ambitious goals.
- World-class leadership team: Our Heads of AI, Engineering, and Product bring extensive experience from some of the world’s most influential companies, ensuring top-tier mentorship, direction, and vision.
- Frontier AI Applied Research Team: Our researchers operate at the leading edge of agentic AI systems, translating breakthrough capabilities into real-world cybersecurity applications.
- Generous compensation: We offer highly competitive salaries, equity options, and a supportive work environment. Your contributions will be valued and rewarded as we grow together.
We're looking for an AI Platform Security Engineer to drive the security of the Azure infrastructure that powers the Kai AI-native cybersecurity product. This role centers on the security of the cloud foundation, data platform, AI/ML infrastructure, and internal developer platform that the product depends on.
This is a deeply technical, infrastructure-focused role. You'll work closely with Platform Engineering, DevOps, Data Engineering, and AI/MLOps teams to ensure that the systems, pipelines, and environments underpinning our product are designed, built, and operated securely.
What You'll Do...
Cloud Infrastructure Security
- Own the end-to-end security infrastructure architecture of our Azure environment, including landing zone design, management group and subscription structure, network topology, and resource governance.
- Enforce and continuously improve guardrails using Azure Policy, cloud security posture management (CSPM), and infrastructure-as-code (IaC) security scanning (Checkov, tfsec, or equivalent).
- Manage and mature the Azure network security model: hub-and-spoke topology, NSG and Azure Firewall rule governance, Private Endpoints, and DDoS protection controls.
- Lead cloud infrastructure security posture reviews, drive down misconfigurations, and own the organization's Secure Score improvement roadmap.
- Maintain and harden Azure landing zones, ensuring new workloads are provisioned into a secure-by-default environment.
Identity, Access, and Secrets Management
- Drive the organization's cloud identity and access management strategy, including Entra ID tenant configuration, Privileged Identity Management (PIM), Conditional Access policies, and workload identity (managed identities, federated credentials, service principals).
- Enforce least-privilege IAM across all Azure subscriptions and resources; conduct regular access reviews and entitlement hygiene campaigns.
- Architect and operate the enterprise secrets management program using Azure Key Vault with HSM-backed keys, including key rotation automation, certificate lifecycle management, and developer-facing secrets injection patterns.
- Define and enforce policies for human and non-human identities across CI/CD systems, internal tooling, and AI/ML workloads.
Kubernetes and Container Platform Security
- Secure the Azure Kubernetes Service (AKS) platform: cluster hardening, node pool configuration, admission control (OPA/Gatekeeper, Kyverno), runtime security, and network policy enforcement.
- Own container security standards: base image governance, image signing and provenance (Notary, Cosign), container registry security (Azure Container Registry), and vulnerability scanning integration in the build pipeline.
- Maintain and improve Pod Security Standards, workload identity binding (Azure Workload Identity), and namespace-level security isolation.
- Collaborate with Platform Engineering on the internal developer platform (IDP) to ensure that developer self-service pathways are built with security guardrails as first-class controls.
AI and Data Platform Security
- Secure the data and AI/ML infrastructure layer.
- Define and enforce data security controls including storage encryption (CMK), data classification enforcement, network isolation for data services, and access boundary policies between training, staging, and production AI environments.
- Establish security controls for AI/ML pipelines: training data provenance and integrity, model artifact signing, inference endpoint hardening, and isolation of multi-tenant AI workloads.
- Work with Data Engineering and MLOps teams to ensure AI infrastructure changes go through security review and that data access patterns are auditable and compliant.
Detection, Response, and Vulnerability Management
- Own the cloud-native detection and monitoring stack.
- Develop and maintain detection rules and analytic content tuned to cloud infrastructure and AI platform threats (e.g., credential abuse, lateral movement, data exfiltration from AI workloads).
- Lead the infrastructure vulnerability management program: agent-based and agentless scanning across Azure VMs, AKS nodes, and container images; SLA-based remediation tracking; and patch compliance reporting.
- Own cloud incident response runbooks for infrastructure-layer security events and serve as the technical lead for cloud-scoped security incidents.
Security Automation and Platform Hardening
- Build and maintain policy-as-code frameworks that enforce security standards across IaC templates (Terraform, Bicep) before resources are provisioned.
- Develop internal security automation for drift detection, misconfiguration remediation, and continuous compliance validation against CIS Azure Foundations Benchmark and equivalent baselines.
- Partner with DevOps and Platform Engineering to embed security gates into infrastructure CI/CD pipelines, ensuring that insecure infrastructure changes cannot reach production.
- Maintain the platform security baseline documentation and runbooks, enabling the broader engineering organization to build a well-understood, secure foundation.
What We're Looking For
Required
- An ownership mentality that places the wellbeing of the company, our customers, and teammates at the forefront of everything that the role does.
- Ability to thrive in a high-paced, high-growth startup environment.
- 6+ years of experience in cloud security, infrastructure security, or platform security engineering, with at least 3 years working deeply in Microsoft Azure.
- Expert-level knowledge of Azure security services: Entra ID, Key Vault, Azure Firewall, Azure Policy, and Private Networking.
- Strong hands-on experience with Kubernetes security and AKS platform operations, including admission controllers, runtime security, and workload identity.
- Demonstrated experience securing data platforms and AI/ML infrastructure (data lakes, blob storage, model training environments, inference endpoints).
- Proficiency with infrastructure-as-code tools (Terraform and/or Bicep) and IaC security scanning.
- Strong scripting and automation skills in Python, Bash, or PowerShell for building security tooling and automation workflows.
- Experience with cloud identity architecture: Entra ID, managed identities, OAuth 2.0/OIDC, PIM, and Conditional Access.
- Working knowledge of network security concepts: firewalls, NSGs, DNS security, private networking, and Zero Trust network access (ZTNA).
Preferred
- Experience securing AI/ML platforms, LLM inference infrastructure, or vector database environments.
- Familiarity with the MITRE ATT&CK for Cloud and MITRE ATLAS (adversarial ML) frameworks.
- Experience developing detection content in Microsoft Sentinel (KQL authoring) or equivalent SIEM platforms.
- Relevant certifications such as AZ-500, SC-100, CKS (Certified Kubernetes Security Specialist), CCSP, or GCIA.
- Prior experience in a cybersecurity product company or securing multi-tenant SaaS infrastructure.
- Familiarity with compliance frameworks relevant to cloud infrastructure: SOC 2, ISO 27001, CSA STAR, and NIST CSF.