Productboard

Staff Security Manager (AI & Product Security)

Productboard  •  Prague, CZ (Remote)  •  29 days ago

Job Description

The opportunity

The way software is built is changing, and fast. AI-native product development is redefining how teams discover, design, and ship – and with it, the entire security threat landscape.

At Productboard, this transformation to being AI-native is not a side project; it is our entire focus. Spark, our AI-first product management experience, is now at the center of how customers plan, prioritize, and communicate product work.

We are looking for a Staff Security Manager (AI & Product Security) to take end-to-end ownership of the security posture of Productboard, with a primary focus on Productboard Spark and AI capabilities. You’ll be stepping into a critical backfill role on a small, high-impact Security team, working at the intersection of application security, AI safety, governance, and customer trust.

This role will be based in our Prague or Brno office with an office-centric hybrid schedule.

Why this matters for your career

The gap between security engineers who deeply understand AI-driven systems and those who don’t is widening fast.

In this role, you won’t just be “supporting” an AI product. You will:
  • Lead security architecture for LLM-powered workflows, agents, and connectors that touch sensitive product and customer data.
  • Automate security operation tasks using AI agents.
  • Shape how we implement and operate AI governance (including ISO/IEC 42001 alignment, AI Terms, AIMS policy, and internal AI usage policies).
  • Work directly with Engineering, Product, Legal, and Sales on Spark-related security, from design reviews to customer due diligence (DDQs, security questionnaires, AI-specific risk questions).
Skills you build here – AI-aware threat modeling, LLM security architecture, AI governance & assurance, secure agent workflows, and customer-facing AI risk communication – will define senior security leadership for the next decade.

AI is how we build

“AI first” is our operating model across Engineering, Product, and Design – and Security is no exception.
  • Product teams use Spark and other AI tooling across the full lifecycle: discovery, spec writing, implementation, code review, and incident response.
  • Our AI stack relies on leading LLM providers (Anthropic, OpenAI, Amazon Bedrock, and others) with strict data usage and subprocessor controls.
  • We are actively building out our AI Management System (AIMS), AI policies, and controls aligned to ISO/IEC 42001, on top of existing SOC 2 and ISO 27001 programs.
  • Our AI product Spark is already in the hands of customers; we are continuously testing it through bug bounty, open beta, and targeted penetration testing.
Your job is to make sure this AI-first way of working remains secure, compliant, and explainable – without slowing the organization down.

What you will do

In this role, you will be redefining security workflows through AI, setting architecture at scale, and shaping multi-year security strategy. You will:

Own product & application security for Spark and core Productboard
    • Lead security reviews and threat modeling for Spark Jobs, Prompts, connectors (MCP), and LLM integrations across our stack.
    • Define and harden trust boundaries for multi-tenant AI agents that access customer feedback, product strategy docs, and external tools.
    • Partner with Engineering to build secure patterns for AI-powered document generation, retrieval-augmented generation (RAG), and agent workflows (including human-in-the-loop and fallback behaviors).

Lead AI security architecture and governance
    • Translate our AI Management Policy (AIMS), AI Terms, and internal AI policy into concrete engineering controls and guardrails.
    • Design and evolve AI observability, abuse monitoring, and risk controls for Spark (prompt injection, data exfiltration, misuse, cost bombs, and model behavior drift).
    • Act as principal security counterpart in our journey toward ISO/IEC 42001 and related AI certifications.

Drive security testing & Bug Bounty for Spark
    • Own security testing strategy for Spark: from static/dynamic analysis, dependency scanning, and configuration hardening to specialized AI testing where tools exist.
    • Coordinate Spark-focused Bug Bounty and penetration testing, including defining scope, triaging reports, partnering with Engineering on remediation, and improving signals/coverage based on findings.
    • Continuously refine runbooks for AI-related incidents, including hallucination-driven harm, misrouting of data, and cross-tenant exposure scenarios.

Partner with Legal, Sales, and Customer teams on AI risk
    • Support security reviews for sales involving Spark and AI terms, including responding to AI-specific DDQs, vendor risk assessments, and RFPs.
    • Help define and maintain Spark AI terms, AI FAQs, and security overviews that are understandable to non-technical stakeholders.
    • Work closely with Legal and Privacy to ensure we can clearly explain our AI subprocessors, data flows, retention, and usage restrictions to customers and regulators.

Scale security through AI and automation
    • Redefine security workflows using AI: vulnerability triage, log analysis, control testing, policy enforcement, and evidence collection for audits.
    • Build and/or select AI agents and internal tools that help Security and Engineering teams detect issues faster and reduce manual toil, while keeping human judgment in control.
    • Contribute to security-ready, AI-ready codebase patterns (clear contracts, typed interfaces, structured context) that make secure-by-default development the easiest path.

Be a multiplier for the Security and Engineering org
    • Mentor other engineers (Security, Infra, and Product Engineering) on secure AI usage and threat modeling, raising the bar on AI literacy and security awareness.
    • Document and evangelize security patterns for AI (when to use which workflow, how to keep agents within safe autonomy boundaries, how to safely connect Spark to external systems).
    • Represent Security in cross-functional forums (release readiness, risk committees, incident reviews) with a pragmatic, risk-based mindset.

About you

You might be a great fit if:

Experience & level
    • 7+ years of experience in security engineering (AppSec, Product Security, or broadly as a senior security engineer), ideally in a SaaS / cloud-native company.
    • Proven track record operating at Staff/Senior Staff scope: owning broad technical domains, influencing roadmaps, and driving multi-quarter initiatives to completion.
    • Hands-on experience securing web applications and APIs in a microservices or service-oriented architecture.

Security & cloud expertise
    • Strong foundation in application security: secure design, threat modeling, code review, hardening, and vulnerability management.
    • Solid experience with cloud infrastructure security (AWS), including IAM, networking, container orchestration (Kubernetes), secrets management (e.g. Vault), and CI/CD security.
    • Familiarity with security standards and certifications such as SOC 2, ISO 27001, and ideally exposure to emerging AI governance standards (e.g. ISO/IEC 42001).

AI & LLM security proficiency
    • Hands-on experience building or securing AI/LLM-powered systems (RAG, agents, or workflow orchestration) and understanding their unique failure modes.
    • Comfortable redefining security workflows through AI, not just using AI as a helper – e.g., building AI-assisted runbooks, triage flows, or evidence collection pipelines.
    • Able to set AI security architecture at scale: aligning model selection, context management, logging, and guardrails with cost, reliability, and compliance constraints.
    • Thinks in multi-year horizons: can outline and drive a realistic AI security strategy, including build-vs-partner decisions, migration paths, and dependency risks.
    • Enjoys multiplying others: you grow less senior engineers into AI-aware security leaders, not just doing the work yourself.

Customer-facing and cross-functional
    • Comfortable joining customer-facing calls (with Security, Legal, Procurement) to explain our AI and security posture in clear, non-defensive language.
    • Experience collaborating closely with Product, Legal, and GTM on security and privacy topics, especially where risk and revenue intersect.
    • Strong communication skills: you can write concise, structured security documentation and present complex risk trade-offs clearly to executives.

Mindset
    • Pragmatic and risk-based: you know when to say “no”, when to say “not yet”, and when to design guardrails that unlock faster delivery safely.
    • Curious and learning-oriented, especially about AI security, governance, and regulation; you follow the space and can adapt our posture as it evolves.
    • Comfortable working in an environment where AI tools are heavily used internally and part of your role is to keep us safe while preserving velocity.

Nice to have:
  • Prior experience with Bug Bounty programs (e.g., HackerOne) and coordinating penetration tests for AI-heavy products.
  • Experience with data protection and privacy in an AI context (data minimization, regional hosting, subprocessors, DPIAs).
  • Contributions to the security community (conference talks, blog posts, open source, standards working groups).

Our Tech Stack

You’ll partner closely with teams working with the following technologies:
  • Frontend: TypeScript, React, GraphQL
  • Backend: Python, Kotlin, Ruby, Kafka
  • Storage: PostgreSQL, MongoDB, Elastic, Redis
  • Data & AI: Snowflake, Looker, Spark, LLM providers (Anthropic, OpenAI, Amazon Bedrock, others)
  • Infrastructure: AWS, Cloudflare, Kubernetes, Terraform, Vault
  • Business tools: Slack, Jira, Google Workspace, Zoom, Notion, Glean
You don’t need to be an expert in every technology on day one, but you should be comfortable learning enough about each layer to meaningfully assess and influence security risk.

You can look forward to the following benefits

  • 💰 Stock options
  • 💻 MacBook + 34″ monitor
  • 📚 Budget for online courses, books, and conferences
  • 🏝️ 5 weeks of vacation + 9 sick days
  • 🫶 Volunteer Days for you to help causes close to your heart
  • 🥕 Carrot Fertility Benefits
  • 🥗 Free snacks, drinks, and yummy catered lunches
  • 🏋️‍♂️ MultiSport card to access sports facilities
  • ⏰ Flexible working hours and home office
  • 🧑‍🧑‍🧒‍🧒 Parental benefits
  • 🗣️ Language lessons
  • 🍀 Mental Wellness Program to support your well-being and self-care

Relocation Opportunities

If joining us means making a move, we’re here to help make that transition easier. Candidates must have the legal right to work in the EU. While we are unable to provide visa sponsorship for this role, we’re happy to support relocation to Prague for candidates already authorized to work in the EU.

Relocation Support

We offer a one-time relocation bonus ranging from $6,000 to $13,000 USD, depending on your personal situation, whether you’re moving on your own or with a partner or family. This bonus is intended to help offset moving expenses and support your transition into your new city. While it may not cover every cost, it provides meaningful financial support as you get settled.

If you’re thinking about relocating and want to explore what this could look like for you, we’d be happy to have that conversation.

About Productboard

Productboard is the intelligent product management platform that helps future-ready product teams deliver exceptional products with clarity and confidence. Over 6,000 companies, including Zoom, One Medical, Cartier, Microsoft, and Korn Ferry, use Productboard to uncover customer needs, drive strategic alignment, and rally everyone around the roadmap. With offices in Prague and San Francisco, Productboard is backed by leading investors like Dragoneer Investment Group, Tiger Global Management, Index Ventures, Kleiner Perkins, Sequoia Capital, Bessemer Venture Partners, and Credo Ventures.

Industry
IT & Software
Company Size
201-500 employees
Headquarters
San Francisco, California
Year Founded
2014