GRC + AI Governance Intelligence Issue #001
THE GRC INTEL BRIEF
Weekly intel for practitioners who are building. June 1–8, 2026
18 roles reviewed · $275K salary ceiling · 44% of roles with salary posted · 61% Remote – US
18 roles reviewed this week.
4 were posted in the last 7 days.

Those 4 are in the role cards below. The other 14 are still active in the market and they all feed the data in the market section. The trends come from all 18, not just the ones worth applying to right now.

What the full picture is showing: this market isn't asking for more GRC experience in isolation. It's asking for GRC fluency that extends into AI governance. Framework knowledge, coding in some cases, and the ability to build governance infrastructure rather than just audit it. Three of the four fresh roles require some form of technical work. All four list at least one cross-border AI regulation. That is not a coincidence.

Market pulse — June 1–8 roles
ROLE 01
GRC and AI Governance Senior Manager
CFGI
Financial Consulting / Advisory · Remote – US · Posted ~3 days ago
Lead end-to-end AI governance engagements for Fortune 500 and PE clients. Design AI governance frameworks, conduct AI risk assessments, build model inventories, deliver EU AI Act compliance. CFGI works directly with CISOs and CFOs at 85%+ of Fortune 500 PE portfolios.
Frameworks: EU AI Act · ISO 42001 · NIST AI RMF · NIST CSF/800-53 · ISO 27001 · SOC 2 · GDPR/UK GDPR · NYDFS 500 · SOX ITGC
The signal: CFGI lists EU AI Act compliance as a client deliverable, not a footnote. The EU AI Act becomes a US GRC problem the moment your clients sell AI into Europe. CFGI's client base is almost entirely PE-backed Fortune 500. That's not an edge case. That's the mainstream. If you're in advisory GRC, this is what the senior mandate looks like right now.
→ View role
ROLE 02
Senior AI GRC Engineer
Vanta
Security / Compliance SaaS · Remote – US · Posted ~2 days ago
Own and lead AI governance for Vanta's internal AI adoption and customer-facing AI products. Build control automation, own ISO 42001 certification internally. Requires coding in TypeScript, Go, or Python. Works with AI agent platforms including Anthropic, OpenAI, and LangChain.
Frameworks: ISO 42001 · EU AI Act · NIST AI RMF · UK AI Safety Framework · ISO 27001 · GDPR · TypeScript / Go / Python · AWS
The signal: This isn't a governance advisory role. It's an engineering role inside a GRC product. Governance as code, not governance as document. The coding requirement isn't optional, and the scope includes AI agent platforms directly. For practitioners building toward the engineering track, this is what that job description actually looks like.
→ View role
ROLE 03
AI Governance Leader
phData
Data & AI Consulting · Remote – US · Posted this week
Lead AI governance engagements embedded in the data stack. Design frameworks, conduct AI risk assessments, build model inventories. Works inside Snowflake and AWS environments. 10+ years required. Travel up to 50%.
Frameworks: EU AI Act · ISO 42001 · NIST AI RMF · AI FinOps · Model Risk Management · Snowflake · AWS
The signal: First role this week to list AI FinOps as a formal GRC mandate. Governing AI spend, budget thresholds, and license rationalization as an audit risk. That's new language. If it shows up in three or more roles next month, the GRC practitioner's scope just got structurally wider. Flag it now so you're not surprised later.
→ View role
ROLE 04
Staff Engineer, GRC
OpenLoop Health
Healthcare / Telehealth · Remote – US · Posted Jun 4, 2026
Build GRC infrastructure from the ground up. Not just manage it. Requires coding in Python and APIs, running an AI Governance Council, and GRC-as-code tooling for automated evidence collection and policy enforcement.
Frameworks: NIST AI RMF · ISO 42001 · SOC 2 · HITRUST · HIPAA · NIST CSF · Python / APIs
The signal: Healthcare regulatory depth. HITRUST and HIPAA combined with ISO 42001 and a coding requirement in one role. This is the second "Staff/Senior Engineer" title at the GRC + AI intersection in one week of data. The engineering-track GRC role in regulated industries is not a one-off.
→ View role
Market data — June 1–8
18 total roles reviewed · 50% hybrid GRC + AI roles · 17% GRC Engineer titles · 61% Remote – US
Top frameworks (18 roles)
EU AI Act: 8/18
ISO 42001: 7/18
NIST AI RMF: 7/18
GDPR: 6/18
ISO 27001: 5/18
SOC 2: 4/18
NIST 800-53 / CSF: 3/18
FedRAMP: 2/18
Certifications cited (18 roles)
CISM: 4/18
CISSP: 3/18
AIGP: 2/18
CRISC: 1/18
Active roles — salary data
Role · Company · Range
GRC Engineer · WorkOS · $175K–$275K
AI Governance & Risk Lead · Bloomberg · $185K–$245K
Senior Dir, Data Gov & Privacy · FTI Consulting · $116.5K–$256K
VP AI Risk Management · Moody's · $163.3K–$236.8K
AI Gov & Privacy Sr. Consultant · Deloitte · $118.7K–$218.6K
Senior GRC Analyst · Crusoe · $130K–$150K
Salary ceiling: $275,000 · Floor: $116,500 · None of this week's newest roles posted salary. Figures above are from active postings still live in the market.
New language in the market
GRC-AS-CODE
First seen this week · OpenLoop Health
Using software tooling to automate evidence collection, policy enforcement, and control testing. Not manually. When a job description uses this phrase, they're not looking for someone who understands GRC. They're looking for someone who can build the system that runs it.
AI FINOPS (AS A GRC MANDATE)
First seen this week · phData
Governing AI spend as an audit and compliance risk. Budget thresholds, license rationalization, cost allocation across AI tools and models. FinOps in cloud infrastructure has existed for years. Its appearance in a GRC job description signals that AI spend is now being treated the same way: something that needs governance, not just optimization.
ISO 23894
First seen this week · Bloomberg (active posting)
The ISO standard for AI risk management guidance, published January 2024. Most job descriptions are still at NIST AI RMF and ISO 42001 basics. Bloomberg citing ISO 23894 signals a governance program operating past framework-checking. If this starts appearing in more JDs over the next few months, it marks a maturity shift in what enterprise AI governance actually requires.
Trending story
$1M per-day penalty · 3yr state law preemption · Jun 4 bill introduced · 12+ state laws affected

The Great American Artificial Intelligence Act of 2026 was introduced June 4 by a bipartisan Senate group. It creates a federal AI regulatory framework for the first time in US history. The enforcement structure is not a suggestion.

$1,000,000 per day for deploying high-risk AI systems without required impact assessments. Per day, not per violation. Risk-tiering model closely based on the EU AI Act: mandatory impact assessments, documentation, human oversight, and incident reporting before deployment for high-risk systems.

Two things matter most right now. First, the 3-year preemption clause: if passed as introduced, it preempts state AI laws including California AB 2885, Colorado SB 205, Texas HB 1709, and a dozen others. One federal framework instead of a patchwork. Second, the company size thresholds: smaller companies may have reduced obligations, which matters for your third-party risk program as much as for your own.

Whether this bill passes, gets amended, or stalls, GRC teams need to know it exists. The penalty structure will move board attention and budgets before the law takes effect. That's already happening with the EU AI Act.

Source: Great American Artificial Intelligence Act of 2026 — introduced June 4, 2026 (US Senate)
What I'm learning this week
AI Career Pro
AI Governance
Built by James Kavanagh · Microsoft + Amazon · Led first ISO 42001 cert for a global cloud provider
AI governance isn't one thing. It's seven stages. Where you sit in that lifecycle changes everything.
This week I started with the architecture. A seven-stage AI lifecycle model where governance work runs alongside engineering work at every stage. AI systems accumulate risk as they progress from idea to operation, and each stage is a natural gate to ask the right questions and put controls in place before moving forward. An AI resume screening tool at conception is just an idea to reduce time-to-hire. By deployment it's making decisions that affect people's livelihoods, at scale, with potential bias baked in from the training data. The governance requirements between those two points are completely different. The shift-left principle applies here the same way it does in security: the earlier you catch a governance gap, the cheaper it is to fix. This is the foundation.
GRC Engineering
Building
GRC Engineering Club · Founded by AJ Yawn · Author of GRC Engineering for AWS
The job descriptions say "GRC-as-code." This week I started building it.
This week I did Lab 2.3. Wrote my first Terraform from scratch and deployed a compliant AWS S3 bucket that satisfies five NIST 800-53 controls. SC-28, AC-3, CM-6, AU-3, AU-6. No screenshots as evidence. Machine-readable JSON from the live infrastructure. First primitive in what becomes a full portfolio by the end of the course. The thing that hit different: every control has a line of code behind it. Not a checkbox. Not a policy doc. Code that either passes or fails. That's GRC engineering.
Terraform · AWS S3 · NIST 800-53 · SC-28 · AC-3 · CM-6 · AU-3/AU-6
→ github.com/LSDubose/cgep-labs → GRC Engineering Club
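The "code that either passes or fails" idea above, as an added example that is not the lab's own Terraform or evidence tooling: a control evaluator that reads a snapshot of a bucket's live configuration (constructed here in the shape of boto3's S3 client responses) and emits machine-readable evidence for the five controls. The mapping of each control to a specific S3 setting is this example's assumption, not the course's.

```python
"""Evaluate an S3 bucket's configuration against five NIST 800-53 controls
and emit JSON evidence. Added example; control-to-setting mapping is an assumption."""
import json
from datetime import datetime, timezone

# Constructed snapshot shaped like boto3 responses to get_bucket_encryption,
# get_public_access_block, get_bucket_versioning and get_bucket_logging.
# In a real pipeline these come from live API calls, not a literal.
SNAPSHOT = {
    "bucket": "example-compliant-bucket",
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "versioning": {"Status": "Enabled"},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-log-bucket",
                                   "TargetPrefix": "s3-access/"}},
}

def check_sc28(s):  # SC-28: default server-side encryption at rest is on
    rules = s["encryption"].get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    return any(a in ("AES256", "aws:kms") for a in algos)

def check_ac3(s):  # AC-3: all four public-access block flags enforced
    pab = s["public_access_block"].get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in keys)

def check_cm6(s):  # CM-6: versioning enabled as the mandated baseline setting
    return s["versioning"].get("Status") == "Enabled"

def check_au3_au6(s):  # AU-3/AU-6: access logs delivered to a separate bucket for review
    log = s["logging"].get("LoggingEnabled", {})
    return bool(log.get("TargetBucket")) and log["TargetBucket"] != s["bucket"]

CHECKS = {"SC-28": check_sc28, "AC-3": check_ac3, "CM-6": check_cm6,
          "AU-3": check_au3_au6, "AU-6": check_au3_au6}

def evaluate(snapshot):
    """Return {control: "PASS"|"FAIL"}; each control is one check that passes or fails."""
    return {c: ("PASS" if fn(snapshot) else "FAIL") for c, fn in CHECKS.items()}

def evidence(snapshot):
    """Evidence record an auditor can consume instead of a screenshot."""
    return json.dumps({"bucket": snapshot["bucket"],
                       "collected_at": datetime.now(timezone.utc).isoformat(),
                       "results": evaluate(snapshot)}, indent=2)

if __name__ == "__main__":
    print(evidence(SNAPSHOT))
```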
Listening
Podcast
GRC Uncensored · Will FedRAMP 20x Repeat SOC 2's Mistakes?
S1 EP 15 · ~58 min · Hosts: Troy Fine & Elliot Volkman · Guest: John Santore, Director of Cyber Acceleration, Constellation GovCloud
FedRAMP 20x is a pilot program designed to make government cloud authorizations faster by replacing hundreds of controls with a handful of Key Security Indicators. The episode digs into whether that's actually a good thing or whether it's the same pattern that made SOC 2 easier to get but harder to trust. Worth a listen if you work anywhere near FedRAMP or are watching how compliance frameworks evolve under automation pressure.
→ Listen on Spotify
Free resources
ISO 27701 Lead Auditor Course
Mastermind Assurance · 30-day free access · Privacy management certification course by the team that issued the world's first ISO 27701 cert
Expires: Jun 30, 2026 → Get access
Google Cybersecurity Certificate
Coursera / Google · Free with financial aid · Foundational cybersecurity cert — 6 months, recognized by employers
Always free w/ aid → Apply
Anthropic Academy
Anthropic · Free · Prompt engineering and AI fundamentals directly from the people building the models
Always free → Start learning
CyberExam Practice Labs
CyberExam · Free dashboard access · Hands-on practice labs for cybersecurity and GRC certifications — CISM, CISSP, and more
Always free → Start practicing
Forward this to one person who needs it.
New videos every week on the LDubose channel.
Subscribe to the Brief
Watch on YouTube → youtube.com/LDubose