Staff GRC Engineer

ID.me is seeking a Staff GRC Engineer to lead the technical infrastructure build, management, and tooling supporting Governance, Risk, and Compliance operations. This individual will design, build, and maintain automation and tooling that streamline control testing, continuous monitoring, evidence collection, and compliance reporting.

As a Staff GRC Engineer, you’ll turn governance and compliance into systems: codified controls, automated evidence, and opinionated guardrails that keep pace with rapid feature development and refactoring. You’ll partner tightly with Security Engineering, Product/AppSec, Privacy, IT, and ERM to prevent compliance drift and make the secure path the paved path. As the technical owner of the GRC platform, the Senior GRC Engineer will architect data relationships, automate control workflows, and integrate evidence sources from security tools. Your north star is reduced manual effort, lower the cost and burden of compliance, and improve audit readiness through technical innovation. 

This role is based out of our Mountain View, CA or McLean, VA offices and requires full-time in-office attendance.

• Compliance-as-code & guardrails
• Translate NIST 800-53r5 (FedRAMP Moderate), ISO/IEC 27001:2022, and SOC 2 controls into testable checks (e.g., OPA/Rego, Conftest, Checkov, InSpec) integrated with CI/CD and infrastructure-as-code (Terraform, Helm).
• Build pre-release gates tied to control impact (e.g., boundary changes, data flows, authz patterns) and publish “green paths” via reusable modules and reference architectures.
• Automation & evidence
• Engineer integrations (Python/TypeScript, APIs, webhooks) to continuously collect evidence from GCP/GKE, AWS/K8s, GitHub, Jira, Okta, endpoint/EDR, vuln scanners, and code scanning tools.
• Maintain a single source of truth for the control catalog, mappings, and tests; drive KCI/KRI dashboards and near-real-time conformance reporting.
• FedRAMP operations
• Support ConMon operations (scan results, inventory, change logs), POA&M lifecycle, and programmatic SSP updates (OSCAL/OpenControl where possible) so authorization posture keeps pace with releases.
• Coordinate with 3PAO/assessors and support artifacts for audits (SOC 2 Type II, ISO surveillance).
• Design-stage coverage
• Embed lightweight threat modeling and control checkpoints in early design (intake forms, templates, design reviews); track exceptions and time-boxed compensating controls.
• Risk & vendor oversight
• Support code and data management for FAIR-informed risk analysis and treatment plans.
• Partner with TPRM control automation and system interoperability.

• 5+ years of experience in Security Engineering, DevOps, GRC Engineering, or Security Automation.
• Practical experience automating controls/evidence and familiarity with programmatic evidence lifecycle management, system-of-record validation, and compliance data architecture.
• Scripting/engineering proficiency (Python or TypeScript), REST APIs, JSON/YAML, Git, and basic SQL.
• Working knowledge of NIST 800-53r5, ISO 27001, and SOC 2; you can map controls across frameworks and test them.
• Strong documentation skills and stakeholder communication across Security, Product, and Compliance.
• Demonstrated ability to translate compliance requirements into logical rules, controls, and technical implementation plans.
• Experience integrating tools such as CrowdStrike, Tenable, Splunk, Nessus, Jira, or AWS Config into automated evidence collection pipelines.

• Experience with major compliance frameworks such as NIST 800-53, FedRAMP, ISO 27001, SOC 2, or HIPAA.
• Experience designing conditional logic for control outcomes, audit workflow triggers, or continuous control monitoring.
• Experience with CI/CD workflows or Infrastructure-as-Code tools (e.g., Terraform, Jenkins) as part of compliance automation.
• Ability to visualize and communicate compliance insights through dashboards, reports, and metrics.
• Understanding of control inheritance, POA&M management, and risk acceptance workflows in regulated environments.

#LI-JS1