Global Brain Corporation

GRC Lead

GRC Lead overseeing governance, risk, and compliance programs at an AI startup driving innovation. Spearheading compliance with SOC 2 and HIPAA for critical industries.

Posted 5/22/2026 · Full-time · San Francisco, California, 🇺🇸 United States · Senior

Tech Stack

Tools & technologies
Azure

About the role

Key responsibilities & impact
  • Own the end-to-end GRC program: SOC 2 Type II and HIPAA today, and the path through ISO 27001, NIST 800-171, FedRAMP/GovRAMP, GLBA, and MENA-specific regimes that don’t map cleanly to a US playbook.
  • Build the data handling backbone: how customer data is classified, where it lives, who can touch it, and how we prove it, across Azure, on-prem MENA deployments, and the bespoke deployments we run for governments and hospitals.
  • Run audits as a builder, not a project manager: own evidence, controls, gap remediation, and audit response, and automate the evidence pipeline so we’re not rebuilding workpapers every cycle.
  • Stand up third-party risk as a real program: vendor reviews, data flow inventory, contractual security obligations, and a reassessment cadence that keeps pace with our SaaS footprint.
  • Be the function that unblocks enterprise deals: build the customer-trust surface (security questionnaires, trust portal, DPAs, BAAs, customer-facing docs) so customers understand how we handle their data before they have to ask.
  • Partner with engineering to bake compliance into the product: control inheritance from Azure, policy-as-code, automated access reviews, audit-ready logging, and evidence collection that runs without a human in the loop.
  • Run a single risk operating cadence across HR, Finance, Legal, IT, and Engineering, so data handling, vendor approvals, and audit requests always have a clear owner.
  • Be the translator between technical reality and regulatory expectations: the person engineers trust to interpret a control, and the person customers and auditors trust to explain the system behind it.

Requirements

What you’ll need
  • Have 8+ years building and running GRC programs in regulated environments (healthcare, financial services, government, or enterprise SaaS) where the stakes were real and the audits weren’t theatre.
  • Have taken a company through SOC 2 Type II from a cold start, and lived HIPAA, GLBA, FedRAMP, or equivalent work hands-on, not just signed off on policies someone else wrote.
  • View compliance as a competitive advantage and a forcing function for good engineering, not a checklist and not a bureaucracy to defend.
  • Are a deep executor: you write the policies, draft the white papers, and ship the automation yourself, and can zoom out to design the program around them.
  • Are a high-trust cross-functional partner: you can sit with an engineer reasoning about IAM controls in the morning, walk GTM through a DPA at noon, and brief a customer’s CISO in the afternoon.
  • Translate technical risk for the boardroom and regulatory risk for the engineers, fluently in both directions.
  • Are at home in ambiguity and energized by a 0→1 program. We have a SOC 2 Type II baseline; the rest is yours to define.
  • Have a strong opinion about data: how it’s classified, where it lives, who can see it, and how you prove it. You think in data flows, not policy templates.
  • Bias toward pragmatism over bureaucracy. You know which controls matter, which ones are noise, and which ones you can automate out of existence.

Benefits

Comp & perks
  • Competitive salary plus equity
  • Daily lunches
  • Commuter benefits
  • 401(k)
  • Medical, Dental, and Vision
  • Unlimited PTO

ATS Keywords

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools
  • GRC program management
  • SOC 2 Type II
  • HIPAA compliance
  • ISO 27001
  • NIST 800-171
  • FedRAMP
  • GLBA compliance
  • data classification
  • policy-as-code
  • audit automation

Soft Skills
  • cross-functional collaboration
  • communication
  • trust building
  • problem solving
  • executive presentation
  • adaptability
  • pragmatism
  • technical translation
  • data-driven decision making
  • program design