AI Engineer

Serbia | Hybrid | Senior

We are looking for a Security Compliance Engineer to build and operate AI-driven compliance systems that keep Unlimit continuously aligned with global regulatory, legal, and industry standards — including PSD2, DORA, PCI DSS, SWIFT CSP, ISO 27001, and GDPR. You will combine deep security knowledge with automation expertise to make compliance measurable, auditable, and real-time — ensuring that Unlimit remains always “audit-ready”.

What You’ll Be Doing

At Unlimit, compliance is not paperwork — it’s an intelligent, automated process woven into every part of our technology stack. As a Security Compliance Engineer, you’ll design and run systems that continuously validate our security controls, collect evidence automatically, and generate insights for management and auditors with minimal manual intervention.

  • Implement Continuous Control Monitoring across cloud and SaaS environments — leveraging AI/LLM/RAG models to map regulatory requirements to implemented controls, detect deviations in near real time, and surface risk heatmaps and dashboards for executive visibility.

  • Automate evidence management for PCI DSS, ISO 27001, DORA, and SWIFT CSP — using AI-based extraction, classification, and correlation engines to assemble audit-ready evidence packs and draft responses; keep immutable trails and citations for auditor traceability.

  • Own the lifecycle of Information Security policies, standards, and procedures.

  • Run the end-to-end Risk Management workflow — register risks, score likelihood/impact, propose mitigations, track remediation and residual risk, and generate risk reports/heatmaps for management and auditors. Use automation to correlate risks with control gaps, incidents, and vendor posture.

  • Maintain and evolve the Business Impact Reference Table (BIRT) — quantify business impacts (financial, regulatory, operational, reputational), calibrate impact categories using incident data and scenario analysis, and ensure consistent linkage between BIRT, risk scoring, and control priorities.

  • Strengthen Third‑Party Risk Management (TPRM) — analyze vendor questionnaires (SIG, CAIQ, SWIFT CSP), cross‑check with threat intel and attack surface data, track CAPA/remediation, and enforce contractual/security clauses and review cycles.

  • Operate the Policy Exception Register — capture exceptions with compensating controls, enforce expiry/review reminders, and validate effectiveness via continuous monitoring signals.

  • Drive security awareness with automation — produce adaptive AI-generated content, run phishing simulations, and deliver personalized, role-based awareness metrics to reduce human‑factor risk.

  • Continuously improve audit readiness — standardize templates, evidence locations, and control narratives; embed ChatOps for faster stakeholder responses; and uphold AI guardrails (data minimization, role scopes, approvals, auditability).

Must-Have:

  • 3+ years in Information Security, Compliance, or Risk Management (preferably in fintech or cloud-native environments).

  • Hands-on with PCI DSS, ISO 27001/27002, GDPR; working knowledge of DORA, PSD2, and SWIFT CSP.

  • Experience running Risk Management cycles (risk register, scoring, treatment, residual risk, dashboards/heatmaps).

  • Proven ability to maintain BIRT (impact categories, calibration, linkage to risk scoring and control priorities).

  • Ownership of IS policies/standards/procedures: drafting, benchmarking, versioning, approvals, and periodic reviews.

  • Familiarity with AWS/Azure, Terraform, Git-based workflows, and CI/CD pipelines.

  • Automated evidence collection using OPA/Conftest, AWS CloudTrail/Config, Security Hub (or equivalents); immutable, hash-chained evidence trails that auditors can verify.

  • Practical knowledge of AI workflows (LLMs, RAG) and automation tools (e.g., n8n, Windmill, Tines) for compliance tasks.

  • Strong documentation and communication skills; ability to produce auditor-ready deliverables with clear citations and scope.

  • Collaborative mindset across Security, Platform/DevOps, Legal, and Audit; crisp stakeholder communication.

Nice-to-Have:

  • Exposure to financial regulator interactions and external audits (e.g., PCI QSA, ISO CB, scheme assessments).

  • Knowledge of control frameworks (NIST CSF/800-53, ISO 27005, CIS Critical Security Controls).

  • Experience with vendor risk tooling, threat intelligence feeds, and attack surface monitoring.

  • Familiarity with vector databases/AI knowledge bases for policy and control mapping.

  • Certifications: ISO 27001 Lead Implementer/Lead Auditor, CISA, CCSK, CompTIA Security+, or similar.

Published on: 3/27/2026

Unlimit


Unlimit is a cross-border payments company that works with e-commerce merchants, offering payment gateway services and acquiring for online stores and high-risk businesses, plus an on- and off-ramp fiat solution for crypto, DeFi, and GameFi.

We operate both locally and internationally with ease across Europe, the UK, LATAM, APAC, India, and Africa.
