[Internal] Senior Security Engineer – GRC Controls and Audit

1Password is growing. We’ve surpassed $400M in ARR and we’re continuing to accelerate, earning a spot on the Forbes Cloud 100 for four years in a row and teaming up with iconic partners like Oracle Red Bull Racing.

At 1Password, we’re building the foundation for a safe, productive digital future. Our mission is to unleash employee productivity without compromising security by ensuring every identity is authentic, every application sign-in is secure, and every device is trusted. We innovated the market-leading enterprise password manager and pioneered Unified Access Management, a new cybersecurity category built for the way people and AI agents work today. As one of the most loved brands in cybersecurity, we take a human-centric approach in everything from product strategy to user experience. Over 180,000 businesses, from Fortune 100 leaders to the world’s most innovative AI companies, trust 1Password to help their teams securely adopt the SaaS and AI tools they need to do their best work.

If you're excited about the opportunity to contribute to the digital safety of millions, to work alongside a team of curious, driven individuals, and to solve hard problems in a fast-paced, dynamic environment, then we want to hear from you. Come join us and help shape a safer, simpler digital future.

Good audits don't start when the auditors arrive — they start the moment a control is designed. 1Password is looking for a Senior Security Engineer – GRC Controls and Audit to serve as the technical and methodological anchor for our compliance audit programs.

You'll partner directly with the Senior Manager of GRC to lead our commercial audit programs — from evidence collection and control testing to deep technical walkthroughs with external auditors and internal SMEs. You'll own the question of what "good evidence" looks like across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701, and you'll know where to find it in the systems that generate it. Along the way, you'll help build the AI-assisted workflows and automation that make our audit programs more efficient and our compliance posture more continuous.

This is a controls expert role for someone with deep audit experience — ideally from the auditor's side of the table — who also brings a builder's instinct for making GRC more repeatable and scalable. You won't just coordinate evidence; you'll know exactly why each artifact satisfies a control requirement, and you'll be able to explain that to a skeptical Big 4 auditor and a first-time control owner in the same day.

This is a remote opportunity within Canada and the US.

• 5+ years of experience in GRC, compliance, or audit, with a meaningful portion spent as an auditor — public accounting, Big 4, boutique audit firm, or a rigorous internal audit function.

• Deep hands-on experience with SOC 2 Type II; strong working knowledge of ISO 27001 and related standards (27017, 27018, 27701).

• Demonstrated experience leading technical audit walkthroughs with external auditors and preparing control owners for those interactions — not just coordinating evidence collection.

• The ability to define what "good evidence" looks like for each control domain: where it lives in source systems (Drata, Kolide, Trelica/SaaS Manager, HRIS, endpoint tooling, cloud infrastructure), how it maps to trust service criteria, and how it must be formatted to satisfy auditor scrutiny.

• Proven ability to design and execute control testing — writing test procedures, assessing operating effectiveness, documenting exceptions, and tracking remediation to closure.

• Ability to work cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence collection workflows at the source.

• Strong written and verbal communication skills — you've personally authored control narratives, audit-ready documentation, and compliance reports, and you can run a live auditor walkthrough without notes.

• Experience with compliance automation platforms (Drata, Vanta, Secureframe, or equivalent) at a level where you can connect automated evidence to specific control requirements, not just use the dashboard.

• A builder's instinct — you look at manual, repetitive GRC processes and ask whether they can be automated or AI-assisted, and you bring specific proposals, not just observations.
  
  

• CPA, CIA, CISA, or CISSP certification.

• Audit or compliance experience in a cloud-native SaaS product environment, including evidence collection from cloud infrastructure and MDM/endpoint tooling.

• Experience building or improving continuous control monitoring capabilities.

• Familiarity with EU AI Act, NIST AI RMF, or AI governance frameworks — increasingly relevant as 1Password governs access for AI agents alongside human users.

• Experience with vendor risk assessments — reviewing SOC 2 reports, evaluating third-party compliance documentation, and advising on vendor risk posture.

At 1Password, using AI to do more with less isn't a bonus — it's how we operate. For this role, building with AI is secondary to controls expertise — but it's still a real expectation. We're looking for someone who actively uses AI to accelerate their audit and compliance work and can identify where automation creates leverage for the team.

• Active and thoughtful AI user: You've used AI tools — not just ChatGPT for writing — to meaningfully speed up audit prep: control narrative drafting, framework cross-mapping, evidence gap identification. You can walk through what you applied, what it produced, and how you validated the output before relying on it.

• Automation spotter: You identify manual, repetitive GRC processes that can be AI-assisted or automated and bring specific proposals to the team. You don't need to build everything yourself — but you need to see the opportunity and articulate it clearly.

• AI literacy in a compliance context: You understand the accuracy tradeoffs — when AI-generated control narratives need careful human validation, where framework mapping output requires scrutiny, and why non-determinism is a meaningful risk in audit-facing work.

• Curiosity and self-direction: You actively track what's happening in AI-assisted compliance tooling, have experimented with more than one approach, and can compare tools with informed opinions rather than general awareness.

• Own and lead technical audit walkthroughs across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701 programs — preparing control owners, surfacing the right evidence, and serving as the primary technical liaison with external auditors.

• Define and maintain the evidence library — what good evidence looks like for each control domain, where it lives in source systems, and how it maps to trust service criteria.

• Execute deep-dive control testing and gap analysis across the Unified Control Framework (UCF), identifying design and operating effectiveness gaps before external testing and driving remediation with clear ownership.

• Drive continuous evidence library maturity — shifting GRC from reactive, point-in-time evidence collection toward proactive, continuously-maintained audit-ready artifacts.

• Partner cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence workflows at the source.

• Contribute to policy, standards, and baseline development with an eye toward auditability and testability — requirements that control owners can implement and auditors can test.

• Apply AI tools to accelerate control narrative drafting, framework cross-mapping, and audit prep — with clear discipline around validation and when human judgment is required.

• Mentor A–B level GRC team members on audit methodology, control design, and evidence quality standards.

USA-based roles only: The annual base salary for this role is between $153,000 USD and $214,000 USD, plus immediate participation in 1Password's benefits program (health, dental, 401k and many others), utilization of our generous paid time off, an equity grant and, where applicable, participation in our incentive programs.

Canada-based roles only: The annual base salary for this role is between $144,000 CAD and $202,000 CAD, plus immediate participation in 1Password’s generous benefits program (health, dental, RRSP and many others), utilization of our generous paid time off, an equity grant and, where applicable, participation in our incentive programs.


At 1Password, we approach each individual's compensation with a promise of fair market value and internal equity commensurate with experience and specific skill set.

This posting is for an existing vacancy.

1Password is proud to be an equal opportunity employer. We are committed to fostering an inclusive, diverse and equitable workplace that is built on trust, support and respect. We welcome all individuals and do not discriminate on the basis of gender identity and expression, race, ethnicity, disability, sexual orientation, colour, religion, creed, gender, national origin, age, marital status, pregnancy, sex, citizenship, education, languages spoken or veteran status. Be yourself, find your people and share the things you love.

Accommodation is available upon request at any point during our recruitment process. If you require an accommodation, please speak to your talent acquisition partner or email us at nextbit@agilebits.com and we’ll work to meet your needs.

Remote work is a part of our DNA. Given that our company was founded remotely in 2005, we can safely say we're experts at building remote culture. That said, remote work at 1Password does mean working from your home country. If you've got questions or concerns about this, your talent partner would be happy to address them with you.

Successful applicants will be required to complete a background check that may consist of prior employment verification, reference checks, education confirmation, criminal background, publicly available social media, credit history, or other information, as permitted by local law.

1Password uses artificial intelligence (AI) and machine learning (ML) technologies, including natural language processing and predictive analytics, to assist in the initial screening of employment applications and improve our recruitment process. See here for the latest third party bias audit information. If you prefer not to have your application assessed using AI/ML features, you may opt out by completing this form. For additional information see our Candidate Privacy Notice.