Ford Motor

Cloud-Native Security and AI Architect

Ford Motor
Chennai
Not disclosed
Work from Office
Full Time
Min. 10 years

Job Description

Cloud Architect

Job Title: Cloud-Native Security & AI Architect (GCP / Zero Trust)
Location: Hybrid — Dearborn, MI or Fully Remote (US based)
Team: Ford Credit Enterprise Architecture

About the Role: Ford Credit is accelerating its transition to a Zero-Trust security model on Google Cloud Platform (GCP) and maturing its enterprise cloud security patterns. It is seeking a Cloud-Native Security & AI Architect to guide on-prem workload migrations into a secure, well-architected GCP environment, while also shaping its approach to safe and effective AI enablement (with a focus on agentic patterns in the SDLC). This role will help establish practical reference architectures, answer “How do I do X securely?” questions from internal teams, and drive clarity where standards are still emerging.

What Success Looks Like (6–12 Months):

  • Documented, adopted reference architectures and patterns for Zero Trust on GCP.
  • Reduced critical security gaps across migrated workloads; measurable maturity lift (e.g., from 1/5 toward 3/5).
  • Repeatable Apigee patterns established; known gaps documented with remediation backlog and owners.
  • Teams self-serve with “How to do X securely?” guides; faster decision cycles and fewer escalations.
  • Safe, pragmatic AI enablement patterns integrated into SDLC with clear guardrails and logging.
  • Established security governance frameworks and stage-gates with both automation and human-in-the-loop processes.

Tools & Ecosystem: GCP (IAM, Workload Identity, VPC, SCC, Cloud Armor, Secret Manager, Logging/Monitoring, GKE/Cloud Run, Build/Artifact), Apigee, GitHub, JIRA, Confluence, Vault (as applicable), Terraform (nice to have).

Zero-Trust Cloud Security Architecture (GCP) – primary focus

  • Define and mature security architecture patterns and reference architectures for cloud-native workloads on GCP.
  • Provide day-to-day guidance to application teams migrating from legacy environments to a new Zero-Trust GCP segment.
  • Conduct gap analyses and recommend remediations to raise security maturity.
  • Translate Ford’s Information Security Policies (ISP) into actionable architecture guidance and guardrails.
  • Establish “golden paths” for securing RPC endpoints, service-to-service auth, workload identity, runtime security, and logging.
  • Design and document secure patterns for hybrid connectivity, ensuring safe data exchange and identity federation between on-premise data centers (including mainframe environments) and GCP.
  • Develop a holistic security strategy for critical third-party SaaS applications, focusing on identity integration (SSO), data governance, and unified visibility.
  • Partner with threat modeling, networking, and data architecture teams to ensure holistic, risk-balanced designs.

API & Apigee Security Enablement

  • Define patterns for securing APIs and RPC endpoints with Apigee (authN/Z, token flows, rate limiting, telemetry).
  • Identify platform gaps; collaborate with Ford’s Apigee owner (EPEO) to drive improvements and reusable examples.

AI Architecture (Agentic SDLC) – secondary focus

  • Evaluate AI-enabled solutions for safety and security: “Is this secure? Is it safe? Are we allowed to do this?”
  • Define secure agent patterns for SDLC use cases (e.g., agents drafting JIRAs, triaging issues).
  • Apply AI safety best practices (prompt injection defenses, tool/API misuse prevention, data leakage controls).
  • Design human-in-the-loop, decision traceability, and auditable logging for AI-assisted decision flows.

Process & Enablement

  • Create and maintain clear, consumable architecture documentation and standards from multiple sources.
  • Mentor teams; answer questions rapidly; help the org balance speed with security in a zero-trust context.
  • Contribute to a pragmatic roadmap to improve security maturity across the portfolio.

Minimum Qualifications

    • 10+ years of IT experience with 7+ years in cloud architecture/engineering with 4+ years focused on cloud security (enterprise scale).
    • Deep hands-on experience with GCP services relevant to security: IAM & Workload Identity, VPC/SCC/Cloud Armor, Secrets Manager, Cloud Logging/Monitoring, GKE/Cloud Run, Artifact/Build, Pub/Sub, Apigee.
    • Proven experience designing or maturing Zero-Trust architectures (BeyondCorp principles; identity-centric access).
    • Strong understanding of OAuth/OIDC, service-to-service auth, token flows, and API security patterns.
    • Experience designing security for hybrid architectures that connect modern cloud platforms with traditional enterprise data centers through GCP Interconnect, including mainframe systems.
    • Experience with SaaS security frameworks and tools, such as Cloud Access Security Brokers (CASB), SaaS Security Posture Management (SSPM), and advanced data loss prevention (DLP) strategies.
    • Integrate security seamlessly into the CI/CD pipeline (DevSecOps), ensuring automated guardrails and infrastructure-as-code (IaC) scanning are part of the "golden path."
    • Experience producing reference architectures, standards, and “golden paths” for engineering teams.
    • Good knowledge of security.
    • Hands-on use of AI tools to improve productivity (e.g., coding, analysis, documentation).
    • Excellent communication and stakeholder enablement skills.

Preferred Qualifications

    • GCP security certifications (e.g., Professional Cloud Security Engineer, Professional Cloud Architect).
    • Experience with Apigee at enterprise scale (API gateways, policies, auth patterns, observability).
    • Familiarity with LLM/agent attack vectors (prompt injection, jailbreaks, tool abuse, data exfiltration) and mitigations aligned to industry frameworks – OWASP for LLM, NIST AI RMF etc.
    • Exposure to spec-driven development and content-distributed architectures.
    • Understanding of regulated environments and associated compliance frameworks – PCI-DSS, SOC2, CCPA, GDPR – and auditable human-in-the-loop decisioning.
    • Comfortable navigating ambiguity and building standards in-flight during large-scale migrations.

Experience Level

Senior Level

Job role

Work location: Chennai, Tamil Nadu, India
Department: IT & Information Security
Role / Category: IT Security
Employment type: Full Time
Shift: Day Shift

Job requirements

Experience: Min. 10 years

About company

Name: Ford Motor
Job posted by Ford Motor
