Lead Security Engineer - Artificial Intelligence

Why Wellmark: We are a mutual insurance company owned by our policy holders across Iowa and South Dakota, and we’ve built our reputation on over 80 years’ worth of trust. We are not motivated by profits. We are motivated by the well-being of our friends, family, and neighbors–our members. If you’re passionate about joining an organization working hard to put its members first, to provide best-in-class service, and one that is committed to sustainability and innovation, consider applying today! 

Why Wellmark Technology? Wellmark is building innovative, modern solutions using cutting edge technology. We are driving organizational transformation and business strategy by empowering our technology team to innovate new and elegant solutions to enhance the customer experience. Together, we are leaning into the future, owning the outcome, and driving organizational change to transform how we work. 

We are seeking a Lead Security Engineer with deep experience securing enterprise systems, cloud platforms, and agent‑based AI development environments at scale. This role is hands‑on and execution‑focused, responsible for defining guardrails around AI workloads across the full lifecycle—development, deployment, training, and inference. 

The ideal candidate combines production grade AI engineering with advanced expertise in cloud security, DevSecOps, identity, and governance, enabling organizations to adopt GenAI, Microsoft Agents, and AI‑assisted code generation platforms safely and at scale. 

This role aligns closely to modern Engineer expectations, with a specialization in AI platform security, and risk‑aware AI delivery. 

What you will do:  

• Secure corporate AI capabilities used in enterprise applications 
• Establish Best Practices for model implementation, versioning, monitoring and governance for AI Systems on the Enterprise.  
• Design/Implement guardrails for AI code‑generation tools used in developer workflows 
• Enable and implement safe AI‑assisted development across IDEs, CI/CD pipelines, and local developer environments 
• Support model selection and integrations within the organization (Claude class, GPT‑class, and similar platforms) 
• Engineer and secure Microsoft Agents, Copilot‑style workflows, and agent‑driven automation.  
• Prevent insecure code generation, prompt leakage, and unsafe agent behavior while preserving developer velocity 

Preferred:  

• Strong proficiency in Python for AI workflows, automation, and orchestration 
• Experience with RAG pipelines, embeddings, APIs, and AI service integration 
• Understanding of AI lifecycle risks 
• Strong experience securing AI workloads on AWS & Azure 
• Experience with Cloud Hardening Best Practices. 
• Strong Infrastructure-as-Code (IaC) for Cloud, preferably Terraform 
• Strong background in application security, cloud security, and IAM 
• Experience embedding security into CI/CD, IaC, and SDLC workflows 
• Automation experience using Python, PowerShell, Bash, and APIs 
• Strong RHEL Linux skills, especially at the command line level. 
• Strong understanding of AI/LLM-specific threats such as prompt injection, data poisoning, model theft, adversarial attacks, sensitive data leakage, etc.  
• Experience implementing AI security controls such as guardrails, content filtering, input/output validation, RBAC for AI systems, secure prompt handling, and AI audit logging  
• Understanding of secure AI architecture and AI governance frameworks  
• Familiarity with:  
  • OWASP Top 10 for LLM Applications  
  • NIST AI Risk Management Framework  
  • Responsible AI and AI compliance practices 
  • SIEM, threat detection, and vulnerability management. Previous experience with integrating AI with SIEM systems 

Required:  

• Bachelor's degree or direct and applicable work experience.  
• 7+ years of experience working in architecting of server or network controls in any of the following: DevOps, DevSecOps, Identity and Access Management (IAM), system virtualization, Windows and Linux Security, Cloud Security, Network and Network Security, Active Directory, Java, XML, JSON, Azure, AWS, MySQL, Federation, SSO.  
• Knowledge of compliance and regulatory program requirements, such as HIPAA, ISO 27000, NIST, FISMA, and SOC standards.  
• Experience architecting and designing security solutions at the enterprise level. Strong knowledge of high-scale cloud systems within multiple accounts and how they can be secured using agreed best practices.  
• Experience with DevSecOps and automation in highly scalable environments.  
• Strong analytical and problem-solving skills. A certain degree of creativity, innovation and latitude is required (the ability to think outside the box when faced with challenges).  
• High attention to detail while completing tasks and processes. Ability to prioritize to maximize personal efficiency.  
• Ability to help design solutions for cybersecurity problems.  
• Strong compliance and regulatory-focused customer service orientation with effective verbal and written communication skills working with technical and non-technical personnel, with the ability to address all levels of leadership, business, technical, and non-technical staff.  
• Travel required up to 5%  

a. Identify risk-related issues and architect solutions to avoid potential security incidents and business impact. 

b. Create architecture policies aligning with industry best practices for cybersecurity and resiliency. 

c. Design security for monitoring, logging, IAM, encryption, data protection, detection. and preventive controls. 

d. Provide expertise and best practices for implementing cloud security and secured code detection and prevention. 

e. Deploy strong identity and access management (IDAM) controls across applications and computing environments. 

f. Develop and maintain secure, resilient enterprise-grade cloud processes in tandem with architects and system engineers. 

g. Actively monitor, assess, and recommend tactical and strategic initiatives based on new and emerging threats posing risk to cloud computing environments. 

h. Align with architects to create secure workloads in AWS, Microsoft Azure and Google Cloud. 

i. Advise and design with commercial and open-source security tools and controls. 

j. Communicate security posture to cybersecurity leaders, stakeholders, IT and developers. 

k. Design for integrated security controls, workflows, data protection, authentication and authorization. 

l. Acts as technical architect for Windows, Linux, VMware, Kubernetes, Docker and others used to support business needs. 

m. Other duties as assigned. 

All your information will be kept confidential according to EEO guidelines.

An Equal Opportunity Employer

The policy of Wellmark Blue Cross Blue Shield is to recruit, hire, train and promote individuals in all job classifications without regard to race, color, religion, sex, national origin, age, veteran status, disability, sexual orientation, gender identity or any other characteristic protected by law.

Applicants requiring a reasonable accommodation due to a disability at any stage of the employment application process should contact us at [email protected]

Please inform us if you meet the definition of a "Covered DoD official".

At this time, Wellmark is not considering applicants for this position that require any type of immigration sponsorship (additional work authorization or permanent work authorization) now or in the future to work in the United States. This includes, but IS NOT LIMITED TO: F1-OPT, F1-CPT, H-1B, TN, L-1, J-1, etc. For additional information around work authorization needs please refer to the following resources:Nonimmigrant Workers and Green Card for Employment-Based Immigrants 

Wellmark supports and expects the responsible use of AI for our workforce! We welcome the responsible use of these tools by job seekers as well and are interested in learning from you; you will have an opportunity in the application process to share which tools you used and how you applied them.