Staff GRC Engineer

Staff GRC Engineer

ID.me is the next-generation digital identity wallet that simplifies how individuals securely prove their identity online. Consumers can verify their identity with ID.me once and seamlessly login across websites without having to create a new login and verify their identity again. Over 152 million users experience streamlined login and identity verification with ID.me at 20 federal agencies, 45 state government agencies, and 70+ healthcare organizations. More than 600+ consumer brands use ID.me to verify communities and user segments to honor service and build more authentic relationships. ID.me's technology meets the federal standards for consumer authentication set by the Commerce Department and is approved as a NIST 800-63-3 IAL2 / AAL2 credential service provider by the Kantara Initiative. ID.me is committed to "No Identity Left Behind" to enable all people to have a secure digital identity.

Role Overview

ID.me is seeking a Staff GRC Engineer to lead the technical infrastructure build, management, and tooling supporting Governance, Risk, and Compliance operations. This individual will design, build, and maintain automation and tooling that streamline control testing, continuous monitoring, evidence collection, and compliance reporting.

As a Staff GRC Engineer, you'll turn governance and compliance into systems: codified controls, automated evidence, and opinionated guardrails that keep pace with rapid feature development and refactoring. You'll partner tightly with Security Engineering, Product/AppSec, Privacy, IT, and ERM to prevent compliance drift and make the secure path the paved path. As the technical owner of the GRC platform, the Senior GRC Engineer will architect data relationships, automate control workflows, and integrate evidence sources from security tools. Your north star is reduced manual effort, lower the cost and burden of compliance, and improve audit readiness through technical innovation.

This is a fully onsite position in one of our hub locations (Mountain View CA or McLean VA).

Key Responsibilities

• Compliance-as-code & guardrails
• Automation & evidence
• FedRAMP operations
• Design-stage coverage
• Risk & vendor oversight

Basic Qualifications

• 5+ years of experience in Security Engineering, DevOps, GRC Engineering, or Security Automation.
• Practical experience automating controls/evidence and familiarity with programmatic evidence lifecycle management, system-of-record validation, and compliance data architecture.
• Scripting/engineering proficiency (Python or TypeScript), REST APIs, JSON/YAML, Git, and basic SQL.
• Working knowledge of NIST 800-53r5, ISO 27001, and SOC 2; you can map controls across frameworks and test them.
• Strong documentation skills and stakeholder communication across Security, Product, and Compliance.
• Demonstrated ability to translate compliance requirements into logical rules, controls, and technical implementation plans.
• Experience integrating tools such as CrowdStrike, Tenable, Splunk, Nessus, Jira, or AWS Config into automated evidence collection pipelines.

Preferred Qualifications

• Experience with major compliance frameworks such as NIST 800-53, FedRAMP, ISO 27001, SOC 2, or HIPAA.
• Experience designing conditional logic for control outcomes, audit workflow triggers, or continuous control monitoring.
• Experience with CI/CD workflows or Infrastructure-as-Code tools (e.g., Terraform, Jenkins) as part of compliance automation.
• Ability to visualize and communicate compliance insights through dashboards, reports, and metrics.
• Understanding of control inheritance, POA&M management, and risk acceptance workflows in regulated environments.