Job Title: Cloud-Native Security & AI Architect (GCP / Zero Trust) Location: Hybrid — Dearborn, MI or Fully Remote (US based) Team: Ford Credit Enterprise Architecture
About the Role: Ford Credit is accelerating its transition to a Zero-Trust security model on Google Cloud Platform (GCP) and maturing their enterprise cloud security patterns. They are seeking a Cloud-Native Security & AI Architect to guide on-prem workload migrations into a secure, well-architected GCP environment, while also shaping their approach to safe and effective AI enablement (with a focus on agentic patterns in the SDLC). This role will help establish practical reference architectures, answering various “How do I do X securely?” questions from internal teams, driving clarity where standards are still emerging.
What Success Looks Like (6–12 Months):
-
Documented, adopted reference architectures and patterns for Zero Trust on GCP.
-
Reduced critical security gaps across migrated workloads; measurable maturity lift (e.g., from 1/5 toward 3/5).
-
Repeatable Apigee patterns established; known gaps documented with remediation backlog and owners.
-
Teams self-serve with “How to do X securely?” guides; faster decision cycles and fewer escalations.
-
Safe, pragmatic AI enablement patterns integrated into SDLC with clear guardrails and logging.
-
Established security governance frameworks and stage-gates with both automation and human-in-the-loop processes.
Tools & Ecosystem: GCP (IAM, Workload Identity, VPC, SCC, Cloud Armor, Secret Manager, Logging/Monitoring, GKE/Cloud Run, Build/Artifact), Apigee, GitHub, JIRA, Confluence, Vault (as applicable), Terraform (nice to have).
Zero-Trust Cloud Security Architecture (GCP) – primary focus
-
Define and mature security architecture patterns and reference architectures for cloud-native workloads on GCP.
-
Provide day-to-day guidance to application teams migrating from legacy environments to a new Zero-Trust GCP segment.
-
Conduct gap analyses and recommend remediations to raise security maturity.
-
Translate Ford’s Information Security Policies (ISP) into actionable architecture guidance and guardrails.
-
Establish “golden paths” for securing RPC endpoints, service-to-service auth, workload identity, runtime security, and logging.
-
Design and document secure patterns for hybrid connectivity, ensuring safe data exchange and identity federation between on-premise data centers (including mainframe environments) and GCP.
-
Develop a holistic security strategy for critical third-party SaaS applications, focusing on identity integration (SSO), data governance, and unified visibility.
-
Partner with threat modeling, networking, and data architecture teams to ensure holistic, risk-balanced designs.
API & Apigee Security Enablement
-
Define patterns for securing APIs and RPC endpoints with Apigee (authN/Z, token flows, rate limiting, telemetry).
-
Identify platform gaps; collaborate with Ford’s Apigee owner (EPEO) to drive improvements and reusable examples.
AI Architecture (Agentic SDLC) – secondary focus
-
Evaluate AI-enabled solutions for safety and security: “Is this secure? Is it safe? Are we allowed to do this?”
-
Define secure agent patterns for SDLC use cases (e.g., agents drafting JIRAs, triaging issues).
-
Apply AI safety best practices (prompt injection defenses, tool/API misuse prevention, data leakage controls).
-
Design human-in-the-loop, decision traceability, and auditable logging for AI-assisted decision flows.
Process & Enablement
-
Create and maintain clear, consumable architecture documentation and standards from multiple sources.
-
Mentor teams; answer questions rapidly; help the org balance speed with security in a zero-trust context.
-
Contribute to a pragmatic roadmap to improve security maturity across the portfolio.
Minimum Qualifications
-
10+ years of IT experience with 7+ years in cloud architecture/engineering with 4+ years focused on cloud security (enterprise scale).
-
Deep hands-on experience with GCP services relevant to security: IAM & Workload Identity, VPC/SCC/Cloud Armor, Secrets Manager, Cloud Logging/Monitoring, GKE/Cloud Run, Artifact/Build, Pub/Sub, Apigee.
-
Proven experience designing or maturing Zero-Trust architectures (BeyondCorp principles; identity-centric access).
-
Strong understanding of OAuth/OIDC, service-to-service auth, token flows, and API security patterns.
-
Experience designing security for hybrid architectures that connect modern cloud platforms with traditional enterprise data centers through GCP Interconnect, including mainframe systems.
-
Experience with SaaS security frameworks and tools, such as Cloud Access Security Brokers (CASB), SaaS Security Posture Management (SSPM), and advanced data loss prevention (DLP) strategies.
-
Integrate security seamlessly into the CI/CD pipeline (DevSecOps), ensuring automated guardrails and infrastructure-as-code (IaC) scanning are part of the "golden path."
-
Experience producing reference architectures, standards, and “golden paths” for engineering teams.
-
Good knowledge of security.
-
Hands-on use of AI tools to improve productivity (e.g., coding, analysis, documentation).
-
Excellent communication and stakeholder enablement skills.
Preferred Qualifications
-
GCP security certifications (e.g., Professional Cloud Security Engineer, Professional Cloud Architect).
-
Experience with Apigee at enterprise scale (API gateways, policies, auth patterns, observability).
-
Familiarity with LLM/agent attack vectors (prompt injection, jailbreaks, tool abuse, data exfiltration) and mitigations aligned to industry frameworks – OWASP for LLM, NIST AI RMF etc.
-
Exposure to spec-driven development and content-distributed architectures.
-
Understanding of regulated environment and associated compliance frameworks – PCI-DSS, SOC2, CCPA, GDPR and auditable human-in-the loop decisioning.
-
Comfortable navigating ambiguity and building standards in-flight during large-scale migrations.