AI security is a strange role right now. The conservative answer is too slow. The reckless answer is stupid. We want the person who can live in the middle without lying to either side.
You should be pushing AI systems hard. Claude Code, Codex, CodeQL, security scanners, agent workflows, internal sandboxes, custom harnesses, all of it. You should also know where the cliff edge is. Prompt injection, data exfiltration, tool permissions, auth boundaries, model behavior, supply chain risk, auditability, and the weird failure modes that only appear when agents start touching real systems.
If you are experimenting with Hermes, OpenClaw, local models, MCP servers, browser agents, and repo-level automation because you need to know what breaks, this is probably your lane.
What you will do
- Review client AI workflows for security, privacy, permissions, and operational risk.
- Build practical guardrails that let teams move faster instead of freezing them in policy mud.
- Run threat modeling for agentic systems, internal tools, data flows, and AI-assisted engineering environments.
- Use AI coding agents and security tooling to inspect repos, generate tests, find exposure, and validate fixes.
- Translate security concerns into implementation decisions that operators and engineers will actually follow.
What we need
- You have real security experience, whether in application security, cloud security, GRC with teeth, incident response, or engineering-heavy security work.
- You use AI tools directly instead of reading whitepapers about them from a safe distance.
- You can explain the risk of an AI agent with tool access without sounding like a conference panel.
- You can build small tools, run scans, inspect logs, read code, and validate whether the fix really fixed anything.
- You care about speed because unused security guidance is just expensive decoration.
Strong signals
If any of these describe you, the conversation will move quickly.
- You have broken an agent workflow on purpose to understand the boundary.
- You have opinions about MCP permissions, sandboxing, secrets, and approval loops.
- You know CodeQL, Semgrep, dependency scanning, cloud IAM, or similar tools well enough to use them under pressure.
- You can say yes with conditions instead of reflexively saying no.