Senior GRC Analyst
Arist
IT
New York, NY, USA
Posted on May 5, 2026
About The Role
Arist is the AI talent intelligence and enablement platform for enterprises with large distributed workforces — including leading pharma, financial services, insurance, and industrial companies. As we scale our enterprise footprint and deploy AI agents into regulated environments, we're hiring a senior individual contributor to be the hands-on owner of our GRC program.
You'll be the person who actually runs SOC 2, builds the AI governance posture, and gets us through customer security reviews. This isn't a role where you'll manage a team or hand work off — you'll be doing the work, and you'll have the autonomy and executive air cover to do it well. You'll partner closely with Engineering, Product, Legal, and GTM, and report into the executive team.
This is a high-ownership role at a Series B company. You're setting the foundation, not inheriting a mature program.
What you'll do
Run our compliance program day-to-day. Maintain SOC 2 Type II, drive ISO 27001 certification end-to-end, and evaluate HIPAA, GDPR, and sector-specific requirements as our customer base expands. You'll personally own evidence collection, auditor coordination, and remediation tracking.
Build and operate our AI governance program. Develop model risk assessments, maintain Responsible AI documentation, and keep pace with the standards regulated-industry customers expect from an AI vendor.
Be the security review engine for sales. Own security questionnaires, RFP security sections, and customer due diligence requests. Build a reusable answer library and trust portal so these stop bottlenecking deals. Join customer security calls alongside Solutions Engineering when the conversation goes deep.
Run enterprise risk operations — third-party/vendor risk assessments, the internal risk register, business continuity planning, and policy lifecycle. Write policies people actually read and follow.
Partner with Engineering on controls implementation — access management, logging and monitoring, incident response readiness, data handling, and secure SDLC practices. You'll be in the technical conversations, not just reviewing them.
What we're looking for
5+ years in GRC, information security, or compliance roles, with at least 2 years at a B2B SaaS company selling into enterprise and regulated industries.
Hands-on experience running SOC 2 Type II and ideally ISO 27001 or HITRUST. You've led at least one certification cycle yourself, from scoping to clean report.
Working knowledge of AI/ML governance frameworks (NIST AI RMF, ISO 42001, EU AI Act). You don't need to be the world's foremost expert, but you need to be fluent enough to represent Arist credibly to a Fortune 500 risk committee on your own.
Self-directed operator. You're comfortable being the only GRC person in the room, scoping your own work, prioritizing across competing demands, and making judgment calls without a playbook.
Strong written communication. A lot of this job is translating risk and compliance concepts for customers, auditors, and internal teams in plain language.
Bias toward action and pragmatism. You know when a control needs to be airtight and when "good enough, documented, and revisited next quarter" is the right call.
Nice to have
- Experience with AI/ML products specifically
- Background supporting pharma, financial services, or other heavily regulated verticals
- Experience with GRC tooling (Vanta, Drata, Secureframe, OneTrust, etc.)
- CISSP, CISA, CRISC, or similar certification
- Prior experience as a first or early GRC hire at a Series B/C company
We're building the infrastructure that helps enterprises identify and close workforce capability gaps — the AI-powered layer between their people data and the learning that actually reaches frontline workers. We're growing quickly in regulated industries where trust is the product, which makes GRC a genuine strategic function here, not an afterthought.