Security and Compliance Lead

10 hours ago


Freiburg (Germany), San Francisco (USA), London (UK) | Black Forest Labs | Full-time | €60,000 - €90,000 per year

We're the ~50-person team behind FLUX.1, FLUX.2, and Stable Diffusion—models with 400M+ downloads that have become critical infrastructure for companies from scrappy startups to Fortune 500 enterprises. Our founding team pioneered latent diffusion and continues to push the boundaries of what's possible in visual AI. Now we're wrestling with a harder question: How do you secure AI infrastructure that's evolving faster than security playbooks can be written?

That's the challenge you'll own.

What You'll Pioneer

This isn't a checkbox compliance role. You'll be architecting security for AI infrastructure that doesn't fit conventional patterns. What does "secure by default" mean when you're running distributed GPU clusters processing sensitive training data? How do you protect model weights that represent months of compute and billions in value? What does incident response look like when your threat model includes both traditional attacks and novel AI-specific risks?

You'll build our security program from solid foundations upward—establishing the frameworks, controls, and culture that let us move fast without breaking trust. One day you're designing access controls for model serving endpoints; the next, you're walking enterprise customers through our compliance posture. You'll partner deeply with Engineering and DevOps to embed security into our development lifecycle, not bolt it on afterward.

This role owns the full security landscape: infrastructure protection, application security, corporate IT, compliance programs, risk management, and incident response. You'll lead our global compliance efforts (ISO 27001, SOC 2), build relationships with auditors and customers, and navigate the emerging regulatory landscape around AI—from data usage to model governance.

Your responsibilities:

  • Own and evolve the company-wide security strategy across infrastructure, application, and corporate environments as we scale
  • Build and maintain a comprehensive security program specifically designed for AI training and inference infrastructure—including distributed GPU clusters, data pipelines, training datasets, and model serving endpoints
  • Lead our global compliance programs (ISO 27001, SOC 2, and emerging AI-specific frameworks), ensuring we meet regulatory requirements and customer trust expectations
  • Address AI-specific compliance challenges around data usage, model governance, and responsible AI practices in a rapidly evolving regulatory landscape
  • Partner closely with Engineering and DevOps to embed "secure by default" principles into our architecture, development lifecycle, and operational practices
  • Design and implement security controls for large-scale Kubernetes environments hosting both training and inference workloads
  • Secure critical AI assets: model training infrastructure, inference endpoints, API gateways, production deployment pipelines, model versioning, storage, and distribution
  • Implement robust access controls and audit trails for sensitive training data, model weights, and production systems
  • Manage and scale our IT function, ensuring a secure, efficient, and user-friendly digital workplace that supports a distributed, technical team
  • Establish and maintain risk management frameworks, security policies, incident response procedures, and governance structures
  • Build and maintain trusted relationships with auditors, regulators, and enterprise customers who depend on our security posture
  • Create and optimize detections, playbooks, and workflows for rapid incident identification and response
  • Lead internal risk assessments and external audits with a focus on transparency and continuous improvement
  • Make pragmatic, risk-based security decisions that protect the company while maintaining development velocity
  • Establish security as a competitive advantage and enabler of business growth, not a blocker

Questions You'll Help Us Answer

How do you secure infrastructure that's fundamentally different from traditional SaaS—where the "product" is both API endpoints and 50GB model weight files? What does access control look like for training data that might include customer-uploaded content? How do you audit who touched a model during training when your compute is distributed across hundreds of GPUs?

What compliance frameworks actually matter for AI companies in 2025, and which are security theater? How do we navigate the emerging patchwork of AI regulations across jurisdictions? What does "responsible AI" mean operationally, not just philosophically?

How do you build security culture in a team of researchers and engineers who move fast and think in abstractions? Where's the line between enabling velocity and accepting unacceptable risk? How do we make security decisions that scale as we grow from 50 to 500 people?

We're figuring this out in real time. That's why this role exists.

Who Thrives Here

You've built security programs before—ideally in technical environments where you had to create structure from ambiguity. Maybe you've secured cloud infrastructure at scale, managed compliance certifications, or led security operations in high-growth companies. You understand both the strategic ("What should our security posture be?") and the tactical ("How do I actually lock down this Kubernetes cluster?").

You're deeply technical but not dogmatic. You can review Kubernetes network policies, understand authentication flows, and have informed opinions about secrets management—but you also know when "good enough now" beats "perfect eventually." You've investigated security incidents, written runbooks, and made hard calls under pressure.

You're comfortable with ambiguity and velocity. AI infrastructure security is an emerging field—there aren't established playbooks for everything we're doing. You'll need to figure out what "right" looks like, often before auditors or regulators have clear guidance. You're energized by that challenge, not paralyzed by it.

Crucially: You understand that security is a means to an end, not the end itself. Your goal isn't maximum security—it's optimal security that enables the business to move fast, win customer trust, and build responsibly. You know how to say "yes, if..." instead of just "no."

What We're Looking For

Experience you'll need:

  • 5+ years in security roles (Security Officer, Security Engineer, Compliance & Security Manager, or equivalent), with demonstrated progression toward strategic ownership
  • Deep technical understanding of infrastructure security, application security, and cloud security—you can have credible conversations with engineers about architecture and threat models
  • Hands-on experience performing security operations or investigations in complex, large-scale environments (Kubernetes experience strongly preferred)
  • Proven track record successfully managing compliance certifications (SOC 2, ISO 27001, or equivalent frameworks)
  • Experience securing cloud infrastructure (Azure strongly preferred) at scale, including identity management, network security, and secrets management
  • Exceptional communication and collaboration skills—you can translate technical risks for executives and explain compliance requirements to engineers without losing either audience
  • Ability to lead projects with minimal guidance, creating structure and process where none exists
  • Experience thriving in high-growth startup environments where priorities shift and you need to make pragmatic tradeoffs

Nice to have:

  • Experience with or strong interest in securing ML/AI infrastructure (training pipelines, model serving, data governance for training datasets)
  • Familiarity with emerging AI regulations and responsible AI frameworks
  • Experience building security programs from early stages (not just maintaining mature ones)
  • Background in incident response, threat hunting, or security operations
  • Understanding of developer workflows and DevSecOps practices
  • Experience managing distributed or remote security teams

What This Isn't

This isn't a role where you enforce policies someone else wrote or check boxes on an audit template. You'll build the program, not inherit one. That means more influence and less certainty. If you need established runbooks for every scenario or prefer environments where security decisions flow from headquarters, this isn't the place.

We also don't want security that slows down innovation without commensurate risk reduction. If your instinct is to lock everything down first and ask questions later, you'll struggle here. We need someone who can balance protection with velocity—who understands that sometimes shipping securely is better than waiting for perfect security.
