[Internal] Senior Security Engineer – GRC Controls and Audit

1Password is growing. We’ve surpassed $400M in ARR and we’re continuing to accelerate, earning a spot on the Forbes Cloud 100 for four years in a row and teaming up with iconic partners like Oracle Red Bull Racing. About 1Password At 1Password, we’re building the foundation for a safe, productive digital future. Our mission is to unleash employee productivity without compromising security by ensuring every identity is authentic, every application sign-in is secure, and every device is trusted. We innovated the market-leading enterprise password manager and pioneered Unified Access Management, a new cybersecurity category built for the way people and AI agents work today. As one of the most loved brands in cybersecurity, we take a human-centric approach in everything from product strategy to user experience. Over 180,000 businesses, from Fortune 100 leaders to the world’s most innovative AI companies, trust 1Password to help their teams securely adopt the SaaS and AI tools they need to do their best work. If you're excited about the opportunity to contribute to the digital safety of millions, to work alongside a team of curious, driven individuals, and to solve hard problems in a fast-paced, dynamic environment, then we want to hear from you. Come join us and help shape a safer, simpler digital future. Good audits don't start when the auditors arrive — they start the moment a control is designed. 1Password is looking for a Senior Security Engineer – GRC Controls and Audit to serve as the technical and methodological anchor for our compliance audit programs. You'll partner directly with the Senior Manager of GRC to lead our commercial audit programs — from evidence collection and control testing to deep technical walkthroughs with external auditors and internal SMEs. You'll own the question of what "good evidence" looks like across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701, and you'll know where to find it in the systems that generate it. Along the way, you'll help build the AI-assisted workflows and automation that make our audit programs more efficient and our compliance posture more continuous. This is a controls expert role for someone with deep audit experience — ideally from the auditor's side of the table — who also brings a builder's instinct for making GRC more repeatable and scalable. You won't just coordinate evidence; you'll know exactly why each artifact satisfies a control requirement, and you'll be able to explain that to a skeptical Big 4 auditor and a first-time control owner in the same day. This is a remote opportunity within Canada and the US. What we're looking for: 5+ years of experience in GRC, compliance, or audit, with a meaningful portion spent as an auditor — public accounting, Big 4, boutique audit firm, or a rigorous internal audit function. Deep hands-on experience with SOC 2 Type II; strong working knowledge of ISO 27001 and related standards (27017, 27018, 27701). Demonstrated experience leading technical audit walkthroughs with external auditors and preparing control owners for those interactions — not just coordinating evidence collection. The ability to define what "good evidence" looks like for each control domain: where it lives in source systems (Drata, Kolide, Trelica/SaaS Manager, HRIS, endpoint tooling, cloud infrastructure), how it maps to trust service criteria, and how it must be formatted to satisfy auditor scrutiny. Proven ability to design and execute control testing — writing test procedures, assessing operating effectiveness, documenting exceptions, and tracking remediation to closure. Ability to work cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence collection workflows at the source. Strong written and verbal communication skills — you've personally authored control narratives, audit-ready documentation, and compliance reports, and you can run a live auditor walkthrough without notes. Experience with compliance automation platforms (Drata, Vanta, Secureframe, or equivalent) at a level where you can connect automated evidence to specific control requirements, not just use the dashboard. A builder's instinct — you look at manual, repetitive GRC processes and ask whether they can be automated or AI-assisted, and you bring specific proposals, not just observations. Bonus points for: CPA, CIA, CISA, or CISSP certification. Audit or compliance experience in a cloud-native SaaS product environment, including evidence collection from cloud infrastructure and MDM/endpoint tooling. Experience building or improving continuous control monitoring capabilities. Familiarity with EU AI Act, NIST AI RMF, or AI governance frameworks — increasingly relevant as 1Password governs access for AI agents alongside human users. Experience with vendor risk assessments — reviewing SOC 2 reports, evaluating third-party compliance documentation, and advising on vendor risk posture. At 1Password, we build with AI: At 1Password, using AI to do more with less isn't a bonus — it's how we operate. For this role, building with AI is secondary to controls expertise — but it's still a real expectation. We're looking for someone who actively uses AI to accelerate their audit and compliance work and can identify where automation creates leverage for the team. Active and thoughtful AI user: You've used AI tools — not just ChatGPT for writing — to meaningfully speed up audit prep: control narrative drafting, framework cross-mapping, evidence gap identification. You can walk through what you applied, what it produced, and how you validated the output before relying on it. Automation spotter: You identify manual, repetitive GRC processes that can be AI-assisted or automated and bring specific proposals to the team. You don't need to build everything yourself — but you need to see the opportunity and articulate it clearly. AI literacy in a compliance context: You understand the accuracy tradeoffs — when AI-generated control narratives need careful human validation, where framework mapping output requires scrutiny, and why non-determinism is a meaningful risk in audit-facing work. Curiosity and self-direction: You actively track what's happening in AI-assisted compliance tooling, have experimented with more than one approach, and can compare tools with informed opinions rather than general awareness. What you can expect: Own and lead technical audit walkthroughs across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701 programs — preparing control owners, surfacing the right evidence, and serving as the primary technical liaison with external auditors. Define and maintain the evidence library — what good evidence looks like for each control domain, where it lives in source systems, and how it maps to trust service criteria. Execute deep-dive control testing and gap analysis across the Unified Control Framework (UCF), identifying design and operating effectiveness gaps before external testing and driving remediation with clear ownership. Drive continuous evidence library maturity — shifting GRC from reactive, point-in-time evidence collection toward proactive, continuously-maintained audit-ready artifacts. Partner cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence workflows at the source. Contribute to policy, standards, and baseline development with an eye toward auditability and testability — requirements that control owners can implement and auditors can test. Apply AI tools to accelerate control narrative drafting, framework cross-mapping, and audit prep — with clear discipline around validation and when human judgment is required. Mentor A–B level GRC team members on audit methodology, control design, and evidence quality standards. USA-based roles only: The annual base salary for this role is between $153,000 USD and $214,000 USD, plus immediate participation in 1Password's benefits program (health, dental, 401k and many others), utilization of our generous paid time off, an equity grant and, where applicable, participation in our incentive programs. Canada-based roles only: The annual base salary for this role is between $144,000 CAD and $202,000 CAD, plus immediate participation in 1Password’s generous benefits program (health, dental, RRSP and many others), utilization of our generous paid time off, an equity grant and, where applicable, participation in our incentive programs. At 1Password, we approach each individual's compensation with a promise of fair market value and internal equity commensurate with experience and specific skill set. This posting is for an existing vacancy. Our culture At 1Password, we prioritize collaboration, clear and transparent communication, receptiveness to feedback, and alignment with our core values: keep it simple, lead with honesty, and put people first. You’ll be part of a team that challenges the status quo, and is excited to experiment and iterate in search of the best solution. That said, 1Password is not for everyone . Our work is demanding, we strive for excellence, and the pace is fast. We need people who are keen to take on challenging problems, who seek feedback to grow, and who are driven to make an impact. If you're looking for a place where you can settle into a comfortable routine, this might not be the right fit for you. We’re looking for individuals who are proven experts in their fields, as well as those who are highly adaptable, can thrive in ambiguity and through change, are curious, and above all deliver results. How we work with AI We are committed to leveraging cutting-edge technology—including AI—to achieve our mission. We also understand that thinking critically about AI in its current forms will help us create better solutions for our customers and ourselves with its future forms, which will help us continue to close the gap between security and privacy and achieve our mission. We want team members at all levels to take the approach of actively learning AI best practices, identifying opportunities to apply AI in meaningful ways, and driving innovative solutions in their daily work. Embracing the future of AI isn't just encouraged—it's an essential part of how we will be successful at 1Password. This approach extends to our hiring process—candidates are welcome to use AI tools responsibly and thoughtfully during the application process. Our approach to remote work We believe in the power of remote work, but recognize that in-person connection is important to help us achieve our mission. While we are a remote-first company, travel for in-person engagement is a part of almost all roles, and we require our employees to be ready and willing to take part. Frequency will depend on role and responsibilities, and may include, but is not limited to: annual department-wide offsites, team meetings, and customer/industry events. What we offer We believe in working hard, and rewarding that hard work through our benefits. While not an exhaustive list, here is a glance at what we currently offer: Health and wellbeing 👶 Maternity and parental leave top-up programs 🩺 Competitive health benefits 🏝 Generous PTO policy Growth and future 📈 RSU program for most employees 💸 Retirement matching program 🔑 Free 1Password account Community 🤝 Paid volunteer days 🏆 Peer-to-peer recognition through Bonusly 🌎 Remote-first work environment *Some roles in our GTM team are currently being hired for in-person hybrid work in Toronto and Austin. These roles will specify on the posting. You belong here. 1Password is proud to be an equal opportunity employer. We are committed to fostering an inclusive, diverse and equitable workplace that is built on trust, support and respect. We welcome all individuals and do not discriminate on the basis of gender identity and expression, race, ethnicity, disability, sexual orientation, colour, religion, creed, gender, national origin, age, marital status, pregnancy, sex, citizenship, education, languages spoken or veteran status. Be yourself, find your people and share the things you love. Accommodation is available upon request at any point during our recruitment process. If you require an accommodation, please speak to your talent acquisition partner or email us at [email protected] and we’ll work to meet your needs. Remote work is a part of our DNA. Given that our company was founded remotely in 2005, we can safely say we're experts at building remote culture. That said, remote work at 1Password does mean working from your home country. If you've got questions or concerns about this, your talent partner would be happy to address them with you. Successful applicants will be required to complete a background check that may consist of prior employment verification, reference checks, education confirmation, criminal background, publicly available social media, credit history, or other information, as permitted by local law. 1Password uses artificial intelligence (AI) and machine learning (ML) technologies, including natural language processing and predictive analytics, to assist in the initial screening of employment applications and improve our recruitment process. See here for the latest third party bias audit information. If you prefer not to have your application assessed using AI/ML features, you may opt out by completing this form . For additional information see our Candidate Privacy Notice .