Member of Technical Staff - Deployment & Compliance (Air-Gapped Infrastructure)

About xAI

xAI’s mission is to create AI systems that can accurately understand the universe and aid humanity in its pursuit of knowledge. Our team is small, highly motivated, and focused on engineering excellence. This organization is for individuals who appreciate challenging themselves and thrive on curiosity. We operate with a flat organizational structure. All employees are expected to be hands-on and to contribute directly to the company’s mission. Leadership is given to those who show initiative and consistently deliver excellence. Work ethic and strong prioritization skills are important. All employees are expected to have strong communication skills. They should be able to concisely and accurately share knowledge with their teammates.

ABOUT THE ROLE:

You will own security compliance for xAI's air-gapped GPU infrastructure program — end to end, at the speed the program demands. We are building and deploying classified AI inference platforms across multiple facilities. Each site needs accreditation, each deployment needs compliance evidence, and each update needs security validation. You will drive this directly rather than waiting on shared resources.

You will prepare ATO packages, evaluate STIG findings, document control implementations, manage POAMs, compile software approval lists, and produce the security documentation that gets facilities authorized to operate. You will work with Authorizing Officials, 3PAOs, and CDSO/E to move accreditation forward. You will also coordinate with the central GRC team where their work intersects with yours, but you own the compliance timeline for this program.

The strongest candidates will also bring technical depth — understanding the Kubernetes, container, and networking infrastructure well enough to evaluate whether a STIG finding is applicable, write a technically accurate control implementation statement, or identify a compliance gap that the engineering team missed. You don't need to write Gatekeeper policies yourself, but you need to understand what they do and whether they satisfy the control requirement you're documenting.

RESPONSIBILITIES:

• Own the ATO process for air-gapped classified deployments: prepare System Security Plans (SSP) or SSP sections, compile bodies of evidence, document control implementations, and drive the authorization timeline with Authorizing Officials and 3PAOs.

• Evaluate STIG findings against deployed infrastructure: review OpenSCAP and SCAP Compliance Checker results, determine applicability (applicable, not applicable, inherently met), write justifications, and track remediation through POAMs.

• Compile and maintain the software approval list for classified deployments: complete inventory of every OS, runtime, driver, container image, binary, and library running on the high side, with versions, sources, and justifications. Update with every release bundle.

• Drive the CDS approval process: work with CDSO/E to document artifact types, sizes, signing process, and verification process for data diode transfer. Produce the CDS transfer policy document and coordinate the LBSA/SBSA timeline.

• Define and document security controls for the deployment platform: translate NIST 800-53 requirements into control implementation statements that accurately describe how the Kubernetes infrastructure, network fabric, monitoring stack, and key management system satisfy each control.

• Manage continuous compliance: ensure every update bundle passes compliance scans (STIG, CVE, CIS benchmark, FIPS validation) before it ships to a classified site. Work with the deployment infrastructure engineer to integrate scanning into the bundle CI pipeline.

• Own the compliance scanning pipeline requirements: define what must be scanned, what pass/fail criteria look like, and what evidence must be captured — the deployment infrastructure engineer builds the automation, you define the requirements and validate the results.

• Design key management and signing requirements: define what key generation, storage, rotation, and audit requirements apply at each classification level. Work with the engineering team on HSM architecture (Vault + hardware security module) and cosign signing infrastructure.

• Document egress controls: map every required network egress path per component, validate against NetworkPolicy implementations, and produce evidence for assessors that no unauthorized egress exists.

• Define node re-admission security requirements: what scans must pass, what agents must be running, and what state must be verified before a node serves classified workloads after reboot, reimage, or hardware swap.

• Coordinate with the central GRC team: align on frameworks, share evidence where programs overlap, leverage their expertise on regulatory changes, but own the timeline and deliverables for air-gapped deployments independently.

• Participate in security assessments and audits: present technical evidence, walk assessors through control implementations, and answer questions about the infrastructure's security posture.

This is an in-person role based in Palo Alto, CA or Washington, DC, with occasional travel to classified facilities for security assessments.

BASIC QUALIFICATIONS:

• Active Top Secret / SCI (TS/SCI) security clearance with Counterintelligence Polygraph (CI Poly).

• 5+ years of experience in security compliance, accreditation, or security engineering in DoD/IC classified environments.

• Direct experience with the RMF Authorization and Assessment (A&A) process: SSP preparation, control implementation documentation, POAM management, and working with AOs and 3PAOs.

• Hands-on experience with DISA STIG evaluation and validation: OpenSCAP, SCAP Compliance Checker, STIG Viewer, and applicability determination.

• Strong understanding of NIST 800-53 rev 5, NIST 800-171, CMMC, and FedRAMP HIGH requirements.

• Experience with FIPS 140-3 requirements and identifying non-compliant cryptographic usage.

• Experience compiling software approval lists and managing the software authorization process for classified systems.

• Excellent written communication — you will produce security documentation that must be clear, accurate, and defensible to assessors and AOs.

• Ability to work independently and drive compliance timelines without waiting on shared resources.

PREFERRED SKILLS AND EXPERIENCE:

• Understanding of Kubernetes infrastructure: pods, deployments, services, NetworkPolicies, RBAC, admission controllers — enough to evaluate whether a technical control satisfies a NIST control requirement.

• Experience with container image security concepts: CVE scanning, image signing, SBOM, and base image hardening.

• Experience with cross-domain solutions (CDS), data diodes, and the CDSO/E approval process.

• Experience with DoD Cloud Computing SRG IL5/IL6 authorization.

• Familiarity with HSM/key management concepts (Vault, FIPS 140-3 Level 3 hardware).

• Experience with compliance-as-code or automated compliance scanning pipelines.

• IAT Level II or III certification (Security+, CASP+, CISSP, or equivalent).

• Scripting skills (Python, Bash) for automating compliance evidence collection.

• Experience with CIS Kubernetes Benchmark and kube-bench.

• Previous experience as an ISSO, ISSM, or security control assessor for classified systems.

COMPENSATION AND BENEFITS:

$180,000 - $440,000 USD

Base salary is just one part of our total rewards package at xAI, which also includes equity, comprehensive medical, vision, and dental coverage, access to a 401(k) retirement plan, short & long-term disability insurance, life insurance, and various other discounts and perks.

xAI is an equal opportunity employer. For details on data processing, view our Recruitment Privacy Notice.