Cloud Architect

Ford Motor Company

Job Description

Job Title: Cloud-Native Security & AI Architect (GCP / Zero Trust)

Location: Hybrid — Dearborn, MI or Fully Remote (US based)

Team: Ford Credit Enterprise Architecture

About the Role: Ford Credit is accelerating its transition to a Zero-Trust security model on Google Cloud Platform (GCP) and maturing its enterprise cloud security patterns. The team is seeking a Cloud-Native Security & AI Architect to guide on-prem workload migrations into a secure, well-architected GCP environment, while also shaping its approach to safe and effective AI enablement (with a focus on agentic patterns in the SDLC). This role will help establish practical reference architectures, answer “How do I do X securely?” questions from internal teams, and drive clarity where standards are still emerging.

What Success Looks Like (6–12 Months):

  • Documented, adopted reference architectures and patterns for Zero Trust on GCP.
  • Reduced critical security gaps across migrated workloads; measurable maturity lift (e.g., from 1/5 toward 3/5).
  • Repeatable Apigee patterns established; known gaps documented with remediation backlog and owners.
  • Teams self-serve with “How to do X securely?” guides; faster decision cycles and fewer escalations.
  • Safe, pragmatic AI enablement patterns integrated into SDLC with clear guardrails and logging.
  • Established security governance frameworks and stage-gates with both automation and human-in-the-loop processes.


Tools & Ecosystem: GCP (IAM, Workload Identity, VPC, SCC, Cloud Armor, Secret Manager, Logging/Monitoring, GKE/Cloud Run, Build/Artifact), Apigee, GitHub, JIRA, Confluence, Vault (as applicable), Terraform (nice to have).

Responsibilities

Zero-Trust Cloud Security Architecture (GCP) – primary focus

  • Define and mature security architecture patterns and reference architectures for cloud-native workloads on GCP.
  • Provide day-to-day guidance to application teams migrating from legacy environments to a new Zero-Trust GCP segment.
  • Conduct gap analyses and recommend remediations to raise security maturity.
  • Translate Ford’s Information Security Policies (ISP) into actionable architecture guidance and guardrails.
  • Establish “golden paths” for securing RPC endpoints, service-to-service auth, workload identity, runtime security, and logging.
  • Design and document secure patterns for hybrid connectivity, ensuring safe data exchange and identity federation between on-premise data centers (including mainframe environments) and GCP.
  • Develop a holistic security strategy for critical third-party SaaS applications, focusing on identity integration (SSO), data governance, and unified visibility.
  • Partner with threat modeling, networking, and data architecture teams to ensure holistic, risk-balanced designs.


API & Apigee Security Enablement

  • Define patterns for securing APIs and RPC endpoints with Apigee (authN/Z, token flows, rate limiting, telemetry).
  • Identify platform gaps; collaborate with Ford’s Apigee owner (EPEO) to drive improvements and reusable examples.


AI Architecture (Agentic SDLC) – secondary focus

  • Evaluate AI-enabled solutions for safety and security: “Is this secure? Is it safe? Are we allowed to do this?”
  • Define secure agent patterns for SDLC use cases (e.g., agents drafting JIRAs, triaging issues).
  • Apply AI safety best practices (prompt injection defenses, tool/API misuse prevention, data leakage controls).
  • Design human-in-the-loop, decision traceability, and auditable logging for AI-assisted decision flows.


Process & Enablement

  • Create and maintain clear, consumable architecture documentation and standards from multiple sources.
  • Mentor teams; answer questions rapidly; help the org balance speed with security in a zero-trust context.
  • Contribute to a pragmatic roadmap to improve security maturity across the portfolio.


Qualifications

  • Minimum Qualifications
    • 10+ years of IT experience with 7+ years in cloud architecture/engineering with 4+ years focused on cloud security (enterprise scale).
    • Deep hands-on experience with GCP services relevant to security: IAM & Workload Identity, VPC/SCC/Cloud Armor, Secret Manager, Cloud Logging/Monitoring, GKE/Cloud Run, Artifact/Build, Pub/Sub, Apigee.
    • Proven experience designing or maturing Zero-Trust architectures (BeyondCorp principles; identity-centric access).
    • Strong understanding of OAuth/OIDC, service-to-service auth, token flows, and API security patterns.
    • Experience designing security for hybrid architectures that connect modern cloud platforms with traditional enterprise data centers through GCP Interconnect, including mainframe systems.
    • Experience with SaaS security frameworks and tools, such as Cloud Access Security Brokers (CASB), SaaS Security Posture Management (SSPM), and advanced data loss prevention (DLP) strategies.
    • Ability to integrate security seamlessly into the CI/CD pipeline (DevSecOps), ensuring automated guardrails and infrastructure-as-code (IaC) scanning are part of the "golden path."
    • Experience producing reference architectures, standards, and “golden paths” for engineering teams.
    • Good knowledge of security.
    • Hands-on use of AI tools to improve productivity (e.g., coding, analysis, documentation).
    • Excellent communication and stakeholder enablement skills.


Preferred Qualifications

  • GCP security certifications (e.g., Professional Cloud Security Engineer, Professional Cloud Architect).
  • Experience with Apigee at enterprise scale (API gateways, policies, auth patterns, observability).
  • Familiarity with LLM/agent attack vectors (prompt injection, jailbreaks, tool abuse, data exfiltration) and mitigations aligned to industry frameworks (OWASP for LLM, NIST AI RMF, etc.).
  • Exposure to spec-driven development and content-distributed architectures.
  • Understanding of regulated environments and associated compliance frameworks (PCI-DSS, SOC2, CCPA, GDPR) and auditable human-in-the-loop decisioning.
  • Comfortable navigating ambiguity and building standards in-flight during large-scale migrations.
