Job Description

About GIC
GIC is one of the world's largest sovereign wealth funds. With over 2,000 employees across 11 locations around the world, we invest in more than 40 countries globally across asset classes and businesses. Working at GIC gives you exposure to an extraordinary network of the world's industry leaders. As a leading global long-term investor, we work at the Point of Impact for Singapore's financial future, and the communities we invest in worldwide.

Technology Group
We experiment, design, and lead a 24×7 global business where we support core capabilities in asset management, trading, investment operations, and risk management. We deliver secure, reliable, and integrated solutions, and provide insights on new and emerging technologies.

Strategy, Architecture, and Transformation Group
The Strategy, Architecture & Transformation (SAT) group shapes and drives GIC’s technology strategy, ensuring alignment with business priorities and enterprise goals. Bringing together expertise in strategy, architecture, engineering, and transformation, the team strengthens governance, promotes consistency, and accelerates delivery across the Technology Group. Through modern practices and close collaboration, SAT leads the development of an architectural strategy that reinforces oversight and accountability while enabling reliable, scalable solutions and informed decision making across the Technology Group and, more broadly, across GIC.

AI Engineering
The AI Engineering team within SAT is driving GIC's transformation from AI-enabled to AI-native. We build and operate the foundational AI platform — gateway, agent runtime, agentic IAM, memory, observability, and more — so that every team across GIC can develop and deploy AI agents that are secure, observable, and production-grade.

What impact can you make in this role?

Autonomous agents introduce a fundamentally different threat model: software that dynamically decides what to access, composes actions unpredictably, processes untrusted inputs, and operates at machine speed. Traditional security patterns assume human actors — you will design the security architecture for a world where they don’t.

As the AI Security Engineer, you will be the team’s subject-matter expert on both AI-specific and traditional security, responsible for the security posture of every service the AI Engineering team builds. You will design and drive the implementation of the agentic IAM layer — agent identity, composite identity (user + agent + tool), policy-driven authorisation, secret management, and blast-radius control — and embed security into every platform capability: the gateway, agent runtime, memory, and observability.

You will work closely with enterprise security teams — Cybersecurity Engineering, Cybersecurity Assurance & Defence, and IAM Engineering — to co-design the identity model, policy framework, and secret management patterns that make autonomous agents governable. Where enterprise solutions exist, you translate them into detailed design and implementation for the AI platform. Where they are still being built, you bridge the gap with interim frameworks and tooling so the team is never left unprotected.

You will partner with the AI Site Reliability Engineer to ensure the platform is both resilient and secure — inseparable concerns — and work with the core AI platform squad to make every service, SDK, and tool secure by design: threat models before architecture reviews, policy-as-code before deployment, and automated compliance checks before release.

You are not a security auditor reviewing after the fact. You are a hands-on security engineer who writes policy, builds identity frameworks, implements controls, and raises the security bar for the entire engineering squad — mentoring and equipping the team to do the same.

This is a platform security engineering role embedded within the AI Engineering team — not an enterprise cybersecurity function. Enterprise Cybersecurity Engineering owns the organisation-wide strategy, threat intelligence, and assurance standards; you engineer those standards into the AI platform.

Your Impact:

• Enable agentic IAM with enterprise IAM Engineering — architect the agent identity model (composite identity: user + agent + tool), session scoping, delegation chains, and identity propagation across the full call chain
• Implement policy-as-code — stand up the policy engine (Cedar / Amazon Verified Permissions preferred; OPA / Rego for cross-platform needs) enforcing zero-trust authorisation, action risk tiers, toxic combination detection, and blast-radius controls
• Own the AI threat model — identify, document, and mitigate AI-specific attack surfaces: prompt injection, tool poisoning, agent hijacking, privilege escalation, data exfiltration, and model manipulation
• Secure the gateway — embed controls for content-safety filtering, jailbreak mitigation, credential injection prevention, and per-request policy evaluation
• Bridge enterprise and platform security — translate enterprise baselines (network segmentation, SIEM integration, vulnerability management, incident response) into AI-platform-specific implementations
• Partner on resilience — design scoped sessions, kill switches, and deployment safety controls with the AI Site Reliability Engineer
• Ensure the platform is secure by design — embed threat modelling, scanning, policy validation, and compliance checks into CI/CD and deployment pipelines
• Build the security framework for the squad — define standards, review checklists, secure coding guidelines, and incident response playbooks
• Manage agent secrets — design the agent secret broker for just-in-time credential issuance, scoped access, and automatic revocation

What will you do as an AI Security Engineer?

You will design and implement the security architecture for the AI platform, embedding zero-trust principles and agentic identity management into every layer of the stack. You will:

• Architect and implement the agentic IAM layer and policy-as-code engine
• Develop and maintain the AI-specific threat model and mitigation strategies
• Collaborate with enterprise cybersecurity and IAM teams to align standards and tooling
• Embed security controls into the AI gateway, runtime, and memory systems
• Integrate security scanning, validation, and compliance automation into CI/CD pipelines
• Partner with the AI Site Reliability Engineer to ensure resilience and security reinforce each other
• Mentor engineers on secure development practices and lead by example through hands-on implementation
• Build interim security frameworks and tooling where enterprise solutions are still evolving

What makes you a successful candidate?

• Must Have:
  • 8+ years in security engineering, application security, or platform security, with at least 2 years in a lead role responsible for platform or product security architecture
  • Deep security engineering expertise — hands-on in threat modelling, secure architecture review, penetration testing, and incident response
  • Zero-trust architecture experience — designing per-request verification, least-privilege access, micro-segmentation, and ABAC-based systems
  • Cloud-native workload identity — hands-on with AWS workload identity (EKS Pod Identity / IRSA, IAM Identity Center, SCIM, IAM Roles Anywhere)
  • Policy-as-code — production experience with Cedar / Amazon Verified Permissions or OPA / Rego
  • Cloud security (AWS preferred) — IAM, EKS, KMS, Secrets Manager, GuardDuty, Security Hub, WAF, and VPC security
  • CI/CD security — embedding SAST, DAST, dependency and container scanning, secrets detection, and policy gates
  • Hands-on coding proficiency in Python — building security tooling, policy integrations, and prototypes
  • Proven experience partnering with enterprise security teams and translating standards into platform implementations

• Nice to Have:
  • Experience with AI/ML security — prompt injection defence, content-safety filtering, model poisoning detection, and adversarial robustness
  • Familiarity with agentic systems and their unique security challenges
  • Experience with SPIFFE / SPIRE and platform-agnostic workload identity
  • Background in trusted identity propagation and data access control frameworks
  • Expertise in secret management architectures (Vault, AWS Secrets Manager)
  • Experience designing data classification and access control frameworks
  • Familiarity with MCP and its security considerations
  • Exposure to compliance frameworks (MAS TRM, ISO 27001, SOC 2, NIST AI RMF)
  • Contributions to open-source security tooling or published research

• Mindset & Working Style:
  • Secure by design, not by audit — security is architected in, not bolted on
  • Hands-on leader — you lead by building and mentoring
  • Bridge builder — you collaborate seamlessly across enterprise and platform teams
  • Pragmatic risk thinker — you calibrate controls to risk and make trade-offs explicit
  • Strong communicator — you can explain threat models, write clear documentation, and mentor effectively
  • Builder at heart — you thrive in early-stage environments defining foundational security architecture

Work at the Point of Impact
We need to be forward-looking to attract the right people to help us become the Leading Global Long-term Investor. Join our ambitious, agile, and diverse teams - be empowered to push boundaries and pursue innovative ideas, share your views, and be heard. Be anchored on our PRIME Values: Prudence, Respect, Integrity, Merit and Excellence, which guides us in how we make our day-to-day decisions. We strive to inspire. To make an impact.

Flexibility at GIC
At GIC, our offices are vibrant hubs for ideation, professional growth, and interpersonal connection. At the same time, we believe that flexibility allows us to do our best work and be our best selves. Thus, our teams come into the office four days per week to harness the benefits of in-person collaboration, but have the flexibility to choose which days they work from home and adjust this arrangement as situational needs arise.

GIC is an equal opportunity employer
GIC is an equal opportunity employer, and we value diversity. We do not discriminate based on race, religion, color, national origin, sex, gender, gender expression, sexual orientation, age, marital status, veteran status, or disability status. We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment.

Learn more about our Technology Group here:
https://gic.careers/group/technology-group/