Full role, time-allocation, and skills map: https://forgevista.ai/careers/ai-security-deployment-architect

The role

You'll walk into a client's IT and security organization, earn their trust, and get the environment ready for AI deployment before our Forward Deployed Engineers arrive. You're not the FDE and you don't build the agent workflows. You make sure that when the FDEs start, the licenses, sandboxes, security boundaries, and network egress are in place and the client IT team owns the configuration. Remote-first; expect ~25–35% on-site, since IT and security conversations often start in person.

How we work: ship with AI daily, live in the CLI, and operate with high agency. Please read our culture deck before applying.

What you'll do

• Run discovery with the client's CIO, CISO, and lead architects; map the current tenant (M365 / Entra ID, AWS / GCP / Azure, identity, egress) and the gaps to AI-readiness
• Walk client IT through the decision matrix: where work happens, where agent API calls go, who owns keys and billing, data posture, logging
• Pair with their team as they configure; they own the keystrokes, you own the architecture
• Deliver a signed-off deployment-readiness plan the FDE team can sprint on from day one
• Re-engage as the work expands: enterprise AI surfaces, hardened dev environments, bounded agent runtimes

What we look for

• 10+ years in IT systems architecture, security architecture, identity governance, or cloud platform engineering
• Depth in at least one: M365 / Entra ID / Azure landing zones; AWS Organizations / IAM; GCP Org Policy / VPC-SC; identity & privileged access; or SOC 2 / ISO 27001 / NIST CSF leadership
• Hands-on AI-native experience: enterprise procurement and rollout of Anthropic / OpenAI / Azure OpenAI, ZDR / BAA / DPA negotiation, at least one bounded agent deployed in a real tenant
• A consultative posture with CISOs: translate concerns into architecture without making anyone feel cornered
• Written, inspectable deliverables; the readiness plan is a document the client signs, not a deck

CLI and agent pairing should already be your daily default. This isn't for you if you think models "aren't ready," or if you can't let the client's team own the keyboard.

Nice to have

• Pace-calibration range: bringing both an early-stage IT team and a sophisticated cloud-native one up the curve
• A track record of respecting an existing security boundary rather than pushing a single vendor's cloud

Compensation & logistics

• $150K–$250K base, benchmarked and paid regardless of outcomes, plus discretionary Client Enablement incentives tied to handoff readiness and FDE velocity
• Health, dental, and vision coverage, plus a professional-development budget
• Remote-first; ~25–35% on-site, with key kickoffs and strategy sessions typically in person
• US-based only: open to candidates located in the US and authorized to work here; we are not sponsoring visas at this time
• To apply: share an architecture artifact you authored: a readiness plan, agent-deployment runbook, or Entra ID design for an AI rollout (redact freely)

ForgeVista is an equal opportunity employer. We evaluate candidates based on demonstrated ability and proven immersion — not pedigree or credentials.

About ForgeVista

ForgeVista deploys AI inside real businesses: production systems that change how work gets done, not slide decks or proofs of concept. Our forward-deployed teams embed with operating companies to build, ship, and scale AI at startup speed with enterprise quality. We work AI-first and CLI-native, and we hire for evidence, not pedigree.

Three things define how we work: AI Now (we ship with AI daily, not "someday"), CLI Native (the terminal is our cockpit, every role, every person), and High Agency (you own the outcome and move without waiting for permission).

Before you apply, please read our culture deck: https://forgevista.ai/culture — our culture isn't aspirational, it's how we actually operate. If it doesn't resonate, this probably isn't the right fit.