Cyber & AI Risk Analyst

Your Role:

As a Cyber & AI Risk Analyst, you will play a critical role in strengthening Alpaca’s security, compliance, and AI risk posture across the organization. Working closely with the Cyber GRC Lead, you will support the identification, assessment, and documentation of cybersecurity and AI-related risks that impact our infrastructure, products, trading systems, and internal operations.

You will contribute to the design and execution of our risk management framework across traditional cyber domains (cloud security, infrastructure, application security, third-party risk, regulatory compliance) while also helping establish foundational governance controls for AI systems, models, and AI-enabled product features.

This role sits at the intersection of cybersecurity, emerging AI governance, regulatory expectations, and financial services risk management. You’ll collaborate closely with Engineering, Product, Legal, Compliance, and IT teams to ensure Alpaca remains resilient, compliant, and forward-looking in how we manage both Cyber and AI risk.

We’re looking for someone curious, organized, and eager to grow. If you enjoy learning how technical systems work, translating risk into clear language, and building structured programs from the ground up - then this role is for you. Prior GRC experience is a plus, but not required; we’re happy to invest in the right candidate.

Things You Get To Do:

• Support the execution of Alpaca’s cybersecurity risk management program
• Conduct cyber risk assessments across cloud infrastructure, APIs, trading systems, and internal platforms
• Assist in identifying, documenting, and evaluating AI-related risks (model risk, data privacy, bias, explainability, adversarial threats, model misuse)
• Help develop and maintain AI governance controls aligned with evolving regulatory expectations, such as the EU AI Act
• Perform third-party/vendor security and AI risk assessments
• Contribute to control testing across frameworks such as SOC 2, ISO 27001, CSA Star, NIST CSF, and emerging AI governance standards
• Track remediation efforts and maintain risk registers and reporting dashboards
• Support internal and external audits by preparing documentation and evidence
• Monitor regulatory developments related to cybersecurity, financial services, and AI governance
• Help mature policies, standards, and procedures for both cyber and AI domains

Who You Are (Must-Haves):

• 1+  years of experience in cybersecurity, risk management, IT audit, GRC, or a related field - internships, coursework, or equivalent experience is welcome
• Foundational understanding of cybersecurity principles (network security, cloud security, IAM, application security, vulnerability management)
• Familiarity with common frameworks such as NIST CSF, ISO 27001, SOC 2, or similar
• Understanding of AI/ML concepts and associated risks (data governance, model bias, hallucinations, prompt injection, model misuse, etc.) - you don’t need to be an expert, just curious
• Strong written communication and documentation skills
• Ability to assess technical risks and clearly communicate them to non-technical stakeholders
• Experience working cross-functionally with engineering and product teams
• Highly organized with strong attention to detail
• Comfort working in a fast-paced environment

Who You Might Be (Nice-to-Haves):

• Academic background, personal interest, or real-world experience in fintech, financial services, or trading platforms
• Exposure to AI governance, model risk management, or responsible AI programs
• Familiarity with emerging AI regulatory frameworks (e.g., NIST AI RMF, EU AI Act concepts, model governance practices)
• Experience with GCP or other major cloud platforms
• Experience supporting or observing SOC 2, ISO 27001, or regulatory audits
• Security certifications (e.g., Security+, SSCP) or early-stage GRC certifications
• Interest in pursuing advanced certifications (CISA, CRISC, CISSP, or AI governance certifications)
• Experience working remotely or in distributed teams