Head of Artificial Intelligence
Company Description
VSI Technologies is a global leader in delivering innovative IT solutions that empower businesses and government agencies to optimize operations, enhance security, and scale efficiently. With expertise in Artificial Intelligence, Cloud Computing, Cybersecurity, and Enterprise Software, VSI Technologies is committed to helping clients thrive in an ever-evolving digital landscape. The company is renowned for its client-centric approach, security-first solutions, and global reach, supporting organizations with strategic IT consulting, application development, and digital transformation initiatives. As a trusted partner for government entities, VSI Technologies provides secure, compliant, and mission-critical solutions to modernize infrastructure and improve efficiency. Discover how VSI Technologies can enable smarter, more future-ready systems for long-term success.
Role Description
You build AI systems that enterprise clients and government agencies stake real operations on. Not demos. Not pilots. Production systems that cannot fail. A bug in a consumer app costs a bad review. A bug in a government AI system costs a contract, a clearance, or worse. You write the code, you deploy the infrastructure, you own the security posture, and you hold your team to the same standard — personally, in writing, before any code is committed.
This team builds across three deployment contexts simultaneously: commercial enterprise clients who need reliable, scalable AI applications; federal government agencies who require FedRAMP-aware architecture, NIST 800-53 controls, and zero-trust network design; and classified or sensitive environments where data handling, audit logging, and access control are not optional features — they are the product. You have built in at least two of these three environments. You understand why they are different. You never mix their standards downward.
THREE DEPLOYMENT CONTEXTS YOU OWN
Commercial Enterprise: Scalable APIs, SLA-backed uptime, SSO integration, role-based access, audit logging, SOC 2-aligned data handling. You deploy to production and you own what happens after deployment.
Government Contracts: FedRAMP-aware infrastructure, NIST 800-53 control families, FISMA alignment, Authority to Operate (ATO) documentation support, and CUI data handling protocols. You know what makes an AI app disqualified from a federal contract and you build to prevent it from Day 1.
Sensitive and Secure Environments: Zero-trust architecture, end-to-end encryption, air-gap compatible design where required, multi-factor access controls, immutable audit trails, and data residency compliance. Security is not a layer you add at the end. It is built into the first commit.
WHAT YOU DO EVERY SINGLE DAY
- Write production-grade code in Python, Node.js, and React — minimum 4 hours of actual engineering daily. You are not a meeting-room architect who delegates the build
- Write the technical specification for every task before any developer begins — deployment environment, security controls required, acceptance criteria, and performance benchmarks. No spec means no start. This is not negotiable
- Design all deployment infrastructure with the target environment's security requirements in mind from the first commit — security is never retrofitted before launch
- Personally implement and review all authentication, authorization, audit logging, and data encryption layers — these are never delegated to a junior developer on this team under any circumstances
- Architect and build all agentic systems — LangChain, AutoGen, or CrewAI — with explicit data handling controls for each environment type. An agent that works in a commercial environment does not automatically comply in a government environment. You know the difference and you build accordingly
- Build and own all RAG pipelines with data residency controls — where the data lives, who can access it, how it is logged, and how it is deleted must be documented and approved before the pipeline runs in any production environment
- Review every pull request from every team member with a security-first lens, not just a functionality lens. If a commit introduces a data exposure risk or a hardcoded credential, it does not merge. Ever. No exceptions
- Own all deployment pipelines — CI/CD configuration, environment promotion controls, rollback procedures, and incident response protocols. When something breaks in production, you are the first call and you already know what to do
- Conduct 30-day and 60-day precision reviews for every developer — scored against a written standard, documented, and shared with the CEO. Drift from standard is addressed in writing within 48 hours of identification
- Submit a written Friday report to the CEO every single week — what shipped, what the security status of each active project is, what is blocked, and what is being built next week. This is a written document. It is not a Slack message. It is not moved to Monday
WHAT YOU BUILD — DELIVERABLES THIS TEAM SHIPS
- AI-powered applications deployed to commercial enterprise clients with full SLA and uptime accountability
- Government-facing AI tools built to FedRAMP-aware standards with ATO documentation support
- Agentic workflow systems that automate complex multi-step processes for enterprise and government clients
- RAG pipelines that allow clients to query their own classified or sensitive document repositories securely
- Automation engines that replace manual government contracting workflows — proposal analysis, compliance checking, pricing data extraction
- Secure API layers that connect AI capabilities to existing enterprise and government systems without creating data residency violations
- AI marketing and revenue analytics tools for commercial clients with SOC 2-aligned data handling
SECURITY STANDARDS — EVERY APP MUST MEET THESE BEFORE IT TOUCHES A CLIENT
Authentication and Access: OAuth 2.0 / OIDC with MFA enforcement. No shared credentials. Role-based access with least-privilege principle. Session management with configurable timeout and forced re-authentication for sensitive operations.
Data Protection: Encryption at rest (AES-256 minimum) and in transit (TLS 1.2+). PII and CUI identified, tagged, and handled per data classification policy before any pipeline runs. No sensitive data in logs. No sensitive data in error messages.
Audit and Logging: Immutable audit logs for every user action, every data access, and every model inference in government or sensitive deployments. Logs are tamper-evident, timestamped, and retained per contract requirement. You can produce an audit report within 24 hours of a client request.
Network and Infrastructure: Zero-trust network design. No implicit trust between services. API gateway with rate limiting and input validation on every endpoint. No hardcoded secrets anywhere in any codebase — secrets management via vault or equivalent is mandatory.
Deployment and CI/CD: Container-based deployment with image signing. SAST and dependency vulnerability scanning in CI/CD pipeline before any build reaches staging. Rollback procedure documented, tested, and executable in under 15 minutes before any production launch.
Government Compliance: FedRAMP-aware infrastructure choices documented in architecture decision records. NIST 800-53 control families addressed before deployment to any government environment. ATO support documentation producible on request. CUI data never processed in a non-compliant environment under any circumstances.
WHAT WE REQUIRE — NO EXCEPTIONS
- You have deployed AI applications to production that enterprise clients or government agencies actively use. Not demos. Not internal tools. Production. You can describe the architecture, the security controls you implemented, and what broke during development
- You understand FedRAMP, NIST 800-53, FISMA, and CUI handling well enough to make architecture decisions that support an ATO process. You do not need to be a compliance officer — you need to build systems a compliance officer can certify
- You have personally implemented zero-trust architecture, multi-factor access controls, immutable audit logging, and end-to-end encryption in a real application. You can describe the specific technical implementation, not just the concept
- You write Python fluently. Node.js and React at a professional working level. You can debug a broken pipeline, a failed deployment, or a security misconfiguration at any hour without asking anyone for help
- You have used LangChain, AutoGen, CrewAI, or built your own agentic framework. You have implemented RAG pipelines with real production data — not toy datasets
- You have managed developers before and you have documented and addressed an underperforming hire. You know what a real performance standard looks like and you enforce it in writing
- PST morning overlap is non-negotiable — Belgrade 1pm to 5pm every working day. Government and enterprise client calls happen in US business hours and your team's day must align to it
- Your written English is precise, technical, and unambiguous. Specifications, security documentation, and client-facing architecture summaries all pass through you. Vague writing produces broken and insecure software
Apply ---> https://vsitechnologies.bamboohr.com/careers/52