Brain Co. Logo

Brain Co.

GRC Lead

Reposted 14 Days Ago
Remote or Hybrid
Hiring Remotely in CA
Senior level
Remote or Hybrid
Hiring Remotely in CA
Senior level
As GRC Lead, you'll own the governance, risk, and compliance program, ensuring mid to top-level regulatory adherence while partnering cross-functionally with teams to implement effective data handling and audit processes.
The summary above was generated by AI
About Brain Co.

Brain Co. is an applied AI startup co-founded by Jared Kushner and Elad Gil, and backed by leading Silicon Valley builders including Patrick Collison and Andrej Karpathy. We are building AI applications for the world's most important institutions, delivering impact on real-world problems across governments, healthcare systems, and critical industries. Our progress so far:

  • Automated construction permitting for a sovereign government → 80% faster, unlocking $375M+ in value

  • Optimized supply chains for a leading global energy company → 30% lower cost, 99% reliability, preventing $100M+ in losses

  • Streamlined hospital patient care across national health systems → 40% better outcomes, 80% less admin work

Company momentum:

  • Raised a $55M Series A from leading investors

  • Built a team of 70+ AI experts from Tesla, Google DeepMind, NVIDIA, and Databricks

 
About the Role:

At Brain Co., we focus on applying frontier AI to real institutional challenges, working alongside governments, healthcare systems, and critical industries to modernize how essential services operate. We are looking for leaders who want to help bring new technology into institutions that impact millions of people.

As our GRC Lead, you’ll own the governance, risk, and compliance program end-to-end - and treat it as a strategic advantage, not a checklist. Brain Co. carries one of the most demanding regulatory loads of any company our size: SOC 2 Type II and HIPAA in place today, with ISO 27001, NIST 800-171, FedRAMP/GovRAMP, GLBA, and US/MENA data residency on the near-term roadmap. That’s what selling to governments, hospitals, and financial institutions costs - and done right, it’s how we win the next ones.

This is a 0→1 builder role. You’ll define the principles, write the policies, run the audits, build the automation, and partner directly with engineering, legal, sales, and customer – not advising from the sidelines. This is a high-ownership role for someone who has built programs like this before and wants to build the next one from first principles. You’ll be an IC on day one with the scope and trust to grow the function as the company scales.

 
What You'll Work On:
  • Own the end-to-end GRC program: SOC 2 Type II and HIPAA today, and the path through ISO 27001, NIST 800-171, FedRAMP/GovRAMP, GLBA, and MENA-specific regimes that don’t map cleanly to a US playbook.

  • Build the data handling backbone: how customer data is classified, where it lives, who can touch it, and how we prove it - across Azure, on-prem MENA deployments, and the bespoke deployments we run for governments and hospitals.

  • Run audits as a builder, not a project manager: Own evidence, controls, gap remediation, and audit response, and automate the evidence pipeline so we’re not rebuilding workpapers every cycle.

  • Stand up third-party risk as a real program: vendor reviews, data flow inventory, contractual security obligations, and a reassessment cadence that keeps pace with our SaaS footprint.

  • Be the function that unblocks enterprise deals: Build the customer-trust surface — security questionnaires, trust portal, DPAs, BAAs, customer-facing docs — so customers understand how we handle their data before they have to ask.

  • Partner with engineering: Bake compliance into the product: control inheritance from Azure, policy-as-code, automated access reviews, audit-ready logging, and evidence collection that runs without a human in the loop.

  • Run a single risk operating cadence across HR, Finance, Legal, IT, and Engineering: so data handling, vendor approvals, and audit requests always have a clear owner.

  • Be the translator between technical reality and regulatory expectations: the person engineers trust to interpret a control, and the person customers and auditors trust to explain the system behind it.

 
You Might Be a Great Fit If You...
  • Have 8+ years building and running GRC programs in regulated environments including healthcare, financial services, government, or enterprise SaaS where the stakes were real and the audits weren’t theatre.

  • Have taken a company through SOC 2 Type II from a cold start, and lived HIPAA, GLBA, FedRAMP, or equivalent work hands-on, not just signed off on policies someone else wrote.

  • View compliance as a competitive advantage and a forcing function for good engineering, not a checklist and not a bureaucracy to defend.

  • Are a deep executor: you write the policies, draft the white papers, and ship the automation yourself, and can zoom out to design the program around them.

  • Are a high-trust cross-functional partner - you can sit with an engineer reasoning about IAM controls in the morning, walk GTM through a DPA at noon, and brief a customer’s CISO in the afternoon.

  • Translate technical risk for the boardroom and regulatory risk for the engineers fluently in both directions.

  • Are at home in ambiguity and energized by a 0→1 program. We have a SOC 2 Type II baseline; the rest is yours to define.

  • Have a strong opinion about data: how it’s classified, where it lives, who can see it, and how you prove it. You think in data flows, not policy templates.

  • Bias toward pragmatism over bureaucracy. You know which controls matter, which ones are noise, and which ones you can automate out of existence.

 
Bonus Points For:
  • Direct experience operating across US and MENA (or other multi-jurisdictional) regulatory environments, including on-prem and data residency requirements.

  • FedRAMP/GovRAMP, IL4/IL5, or equivalent government-customer compliance experience.

  • Standing up GRC programs at AI or ML-heavy companies, including the novel evidence and disclosure questions that come with model training data, agent actions, and customer data flowing through AI systems.

  • Hands-on with compliance automation tooling (Vanta, Drata, Secureframe, etc.) and a willingness to replace it when it’s the wrong tool.

  • Comfort reading the technical controls themselves (Terraform, IAM policies, audit logs) well enough to verify what an auditor is being told.

 
Why Join Us:
  • Build the GRC function for an AI platform deployed in governments, hospitals, and critical industries worldwide — where the regulatory bar is real and the work matters.

  • Own the program 0→1. Define the principles, design the system, and grow the function under you as the company scales.

  • Work alongside senior engineers from Tesla, DeepMind, Databricks, and other top engineering orgs who treat compliance as a partner, not a tax.

  • Shape how compliance is done for AI-native companies, where the frameworks haven’t caught up yet and the right answer is still being written.

  • Earn competitive compensation and meaningful equity in a high-growth company.

 
Benefits
  • Competitive salary plus equity

  • Daily lunches

  • Commuter benefits

  • 401(k)

  • Medical, Dental, and Vision

  • Unlimited PTO

Similar Jobs

Senior level
Big Data • Food • Hardware • Machine Learning • Retail • Automation • Manufacturing
Perform monthly commodity analyses for grains and vegetable oils using supply/demand data and market forecasts; build and manage market intelligence databases; develop and improve constraint-optimization price models and long-range forecasts; support CPRM hedging and coverage strategy decisions; track team KPIs and deliver insights to inform pricing and risk management.
Top Skills: Artificial IntelligenceExcelPythonR
An Hour Ago
Easy Apply
Remote
Canada
Easy Apply
Mid level
Mid level
Cloud • Security • Software • Cybersecurity • Automation
Build, ship, and maintain backend features enabling AI agents to interact with GitLab. Design GraphQL/REST APIs, extend tests (RSpec), work with PostgreSQL, troubleshoot production issues, and collaborate cross-functionally to integrate AI tooling responsibly.
Top Skills: Background JobsGitlabGraphQLPostgresRest ApisRspecRubyRuby On RailsSQL
An Hour Ago
Easy Apply
Remote
Canada
Easy Apply
Senior level
Senior level
Cloud • Security • Software • Cybersecurity • Automation
Ownership of backend features for Agentic Tools: design and implement GraphQL/REST APIs, build secure scalable Ruby on Rails services, improve RSpec automated tests, collaborate across product and AI teams, participate in Tier 2 on-call, and shape architecture for AI agent interactions with GitLab.
Top Skills: Gitlab McpGraphQLPythonRestRspecRuby On RailsVue

What you need to know about the Vancouver Tech Scene

Raincouver, Vancity, The Big Smoke — Vancouver is known by many names, and in recent years, it has gained a reputation as a growing hub for both tech and sustainability. Renowned for its natural beauty, the city has become a magnet for professionals eager to create environmental solutions, and with an emphasis on clean technology, renewable energy and environmental innovation, it's attracted companies across various industries, all working toward a shared goal: advancing clean technology.

Sign up now Access later

Create Free Account

Please log in or sign up to report this job.

Create Free Account