Key skills
PythonAIMLClaudeLookerBIBusiness IntelligenceTableauPower BIAWSGCPTerraformCloudFormationREST APIGitHubCI/CDRisk ManagementCloud Security
About this role
OpenLoop is a telehealth company focused on providing care anywhere through innovative solutions. The role of GRC Engineer involves building automated workflows and systems to support the Security Governance, Risk, and Compliance program, ensuring effective risk management and compliance operations.
Responsibilities:
- Design, build, and maintain automated evidence collection and continuous control testing workflows in Vanta and supporting tools
- Develop and operate GRC automation pipelines using Claude Code and similar AI-assisted development tools — writing scripts, building integrations, and eliminating manual compliance processes at speed
- Build and maintain business intelligence dashboards and metrics reporting for the Security GRC team and broader security organization — including security posture, issue tracking, exception management, risk trends, and program delivery metrics
- Develop integrations between GRC platforms, cloud environments (AWS, GCP), identity providers, and business systems to automate compliance data flows
- Operationalize the AI Governance Council's review process — build intake workflows, risk assessment tooling, and tracking for AI use case governance
- Develop and maintain AI risk assessment frameworks and guardrails aligned to NIST AI RMF, ISO 42001, and emerging regulatory requirements
- Support SOC 2 Type II, HITRUST, HIPAA SRA/PRA, and other audit and assurance activities, through automated evidence preparation and control documentation
- Write scripts and build tooling (Python, APIs, workflow platforms, AI-assisted coding tools) to reduce cycle time and focus on scaling
- Maintain and improve the control framework — map controls to obligations, identify gaps, and automate testing where possible
- Partner with SecOps, IT, Privacy, and Engineering teams to integrate GRC requirements into their toolchains and workflows
- Support enterprise risk management activities including risk register maintenance, KRI automation, and risk reporting
- Define and track key metrics across the security organization — translating raw data into executive-ready insights that drive decisions and demonstrate program maturity
- Other duties as assigned
Requirements:
- 5+ years of combined experience in GRC, security engineering, or compliance automation, with demonstrated ability to build automated workflows and integrations
- Experienced cloud security engineer that has moved into governance, believing that in automated GRC best practices
- Hands-on experience automating GRC workflows using Claude Code or similar AI-assisted development tools (e.g., Cursor, GitHub Copilot). Must be able to demonstrate practical AI-assisted automation work
- Hands-on experience with GRC platforms, preferably Vanta. Ability to configure, customize, and extend platform capabilities
- Proficiency in Python scripting and REST API integration for evidence collection, data transformation, and workflow automation
- Strong business intelligence and data visualization skills — experience building dashboards and metrics reporting (Looker, Tableau, Power BI, or similar) for security or risk programs
- Strong understanding of control frameworks (SOC 2, HITRUST, HIPAA, NIST CSF) and how to operationalize them through tooling
- Working knowledge of AI/ML risk frameworks (NIST AI RMF, ISO 42001) and practical experience with AI governance processes
- Experience with cloud platforms (AWS or GCP) including security configuration review and evidence collection
- Self-directed and comfortable operating with high autonomy in a lean, fast-paced environment
- Experience supporting AI governance councils or responsible AI programs
- Familiarity with data governance frameworks (CDMC, DAMA DMBOK) and data quality/availability standards
- CISSP, CISA, CCSK, or equivalent certifications
- Experience with infrastructure-as-code (Terraform, CloudFormation) and CI/CD pipeline security
- Background in healthcare, fintech, or other regulated industries
- Experience building executive-level security metrics programs or security scorecards