What are the responsibilities and job description for the Senior Engineer - Security, Compliance & Policy Engineering position at IBM?
Introduction
At IBM Software, we transform client challenges into solutions. Building the world’s leading AI-powered, cloud-native products that shape the future of business and society. Our legacy of innovation creates endless opportunities for IBMers to learn, grow, and make an impact on a global scale. Working in Software means joining a team fueled by curiosity and collaboration. You’ll work with diverse technologies, partners, and industries to design, develop, and deliver solutions that power digital transformation. With a culture that values innovation, growth, and continuous learning, IBM Software places you at the heart of IBM’s product and technology landscape. Here, you’ll have the tools and opportunities to advance your career while creating software that changes the world.
Your Role And Responsibilities
We are building a core platform that enforces safety, policy, and compliance across all infrastructure and agent operations. This role owns the policy engine, identity layer, and audit/compliance foundations that make autonomous and supervised systems secure, auditable, and regulator‑ready.
You will design and implement a declarative policy engine that enforces safety tiers, agent constraints, and approval gates; build authentication and authorization for both humans and AI agents (OIDC, RBAC, mTLS); and deliver compliance frameworks and evidence pipelines suitable for regulated environments (PCI‑DSS v4.0 at GA).
What You’ll Do
Month 1: Onboard onto the codebase. Understand the existing safety tier enforcement, transport-level safety controls, and unified audit logging. Review design documents covering the compliance evidence framework, SSO/RBAC design, and agent policy architecture. Map the gap between current implementation and compliance readiness requirements. Deliver policy engine MVP — safety tier enforcement via a generic policy framework.
Month 2: Implement RBAC. Build the compliance evidence framework. Begin PCI-DSS v4.0 control mapping implementation. Stand up OIDC authentication path alongside existing session tokens.
Month 3: Ship PCI-DSS control mappings. Implement drift detection engine. Begin evidence export (JSON/CSV). Implement per-connection ACLs on the gateway proxy. Ship audit log enhancements (structured, signed records).
Preferred Education
Bachelor's Degree
Required Technical And Professional Expertise
You don’t need all of these coming in. The team will bring you up to speed:
At IBM Software, we transform client challenges into solutions. Building the world’s leading AI-powered, cloud-native products that shape the future of business and society. Our legacy of innovation creates endless opportunities for IBMers to learn, grow, and make an impact on a global scale. Working in Software means joining a team fueled by curiosity and collaboration. You’ll work with diverse technologies, partners, and industries to design, develop, and deliver solutions that power digital transformation. With a culture that values innovation, growth, and continuous learning, IBM Software places you at the heart of IBM’s product and technology landscape. Here, you’ll have the tools and opportunities to advance your career while creating software that changes the world.
Your Role And Responsibilities
We are building a core platform that enforces safety, policy, and compliance across all infrastructure and agent operations. This role owns the policy engine, identity layer, and audit/compliance foundations that make autonomous and supervised systems secure, auditable, and regulator‑ready.
You will design and implement a declarative policy engine that enforces safety tiers, agent constraints, and approval gates; build authentication and authorization for both humans and AI agents (OIDC, RBAC, mTLS); and deliver compliance frameworks and evidence pipelines suitable for regulated environments (PCI‑DSS v4.0 at GA).
What You’ll Do
- Build a unified policy enforcement stack spanning authentication, RBAC, transport safety, and per‑agent policy envelopes.
- Design policy as auditable, declarative configuration (YAML), including safety tiers and resource‑level controls.
- Implement enterprise‑grade identity: OIDC/SAML SSO, RBAC roles, agent identity via certificates and mTLS, and gateway‑level ACLs.
- Deliver the compliance evidence framework, including PCI‑DSS v4.0 control mappings and auditor‑ready evidence exports (JSON/CSV/PDF).
- Implement drift detection between declared and observed infrastructure state, with guided remediation and approval workflows.
- Harden audit infrastructure with structured, signed, immutable logs using FIPS‑aligned cryptography.
Month 1: Onboard onto the codebase. Understand the existing safety tier enforcement, transport-level safety controls, and unified audit logging. Review design documents covering the compliance evidence framework, SSO/RBAC design, and agent policy architecture. Map the gap between current implementation and compliance readiness requirements. Deliver policy engine MVP — safety tier enforcement via a generic policy framework.
Month 2: Implement RBAC. Build the compliance evidence framework. Begin PCI-DSS v4.0 control mapping implementation. Stand up OIDC authentication path alongside existing session tokens.
Month 3: Ship PCI-DSS control mappings. Implement drift detection engine. Begin evidence export (JSON/CSV). Implement per-connection ACLs on the gateway proxy. Ship audit log enhancements (structured, signed records).
Preferred Education
Bachelor's Degree
Required Technical And Professional Expertise
- Security engineering experience. You’ve built authentication, authorization, or policy enforcement systems. OIDC, RBAC, certificate-based auth, session management — you’ve implemented at least some of these in production.
- Compliance intuition. You don’t need to be a GRC analyst, but you understand how regulatory control requirements (PCI-DSS, SOX, HIPAA, NIST) translate into technical enforcement and evidence collection. You know what auditors need.
- Go proficiency. The policy engine, auth layer, and audit system are Go. You can be productive in Go from day one.
- You think adversarially. You design for the failure case. You write tests that try to break things. You think about what happens when the policy is misconfigured, the token is expired, or the agent tries something it shouldn’t.
You don’t need all of these coming in. The team will bring you up to speed:
- IBM Z security architecture (RACF, LDAP, SSH key management on z/OS) and mainframe security models
- Our safety tier enforcement model and how it integrates with the gateway proxy
- Agent policy envelopes — how to bound what AI agents can do within their sessions