thumbtack - Senior Enterprise Secruity Engineer

• This role focuses on improving AI-adjacent security at Thumbtack, including the agents, identities, integrations, and data pipelines that modern AI systems depend on. It also covers broader security engineering work across the enterprise platforms and services that support them. • Deliver high-quality security assessments and threat models for first-party and third-party AI tools, agents, and AI-integrated systems, ensuring they adhere to enterprise security principles and approved patterns, with sound authentication, authorization, data access, and observability by design. • Design and validate technical guardrails and reusable patterns that keep AI usage safe at Thumbtack. This spans AI behavior (safe defaults for agent actions, tool and permission scoping, human-in-the-loop boundaries for sensitive access, input and output controls, audit and observability) and AI connectivity (MCP servers, integrations, trust boundaries, and the data pipelines that feed first- and third-party AI systems). Contribute to the frameworks and tooling that support secure AI development and use across Thumbtack. • Harden IAM across the enterprise, with particular focus on the non-human and delegated identities behind AI systems (service accounts, agent credentials, SaaS-to-SaaS OAuth, and SCIM federation). Bring least-privilege and lifecycle hygiene to identities that increasingly act at machine speed. • Provide broader security engineering support across Thumbtack's enterprise platforms and services, including SaaS security and posture management, third-party and integration security, data governance, endpoint security, and identity-centric controls. Build paved paths, shared tooling, and automation that scale these controls. • Lead cross-functional security initiatives end-to-end. Partner with IT, Engineering, Legal, Privacy, Procurement, and business stakeholders to surface risk early, set clear requirements, and support scalable adoption of secure patterns. Conduct security design and architecture reviews for enterprise applications, SaaS platforms, and internally developed systems. • Mentor engineers and partner-team members, raising the overall security bar through guidance and example. • Support security incident response and drive learning through post-incident analysis. • IN ORDER TO BE SUCCESSFUL, YOU MUST BRING • 6+ years of experience in security engineering, enterprise security, application security, cloud security, or a related field. • Experience developing threat models and proposing technical guardrails for AI tooling and agentic systems, including non-human identities, tool/permission scoping, and safe defaults for agent behavior. • Deep expertise in modern enterprise security disciplines: authentication and authorization (SSO, OAuth/OIDC, SAML, federation, SCIM), API security and token handling, secrets management, least-privilege design, SaaS security and posture management. • Strong experience evaluating risk and conducting security design and architecture reviews across enterprise applications, SaaS platforms, integrations, and internally developed systems, including evaluating data flows, third-party integrations, trust boundaries, automation platforms, AI-connected workflows, and emerging integration patterns such as MCP. • Strong experience securing modern, cloud-native systems (AWS and/or GCP) and familiarity with core control domains such as audit logging, encryption, access control, data retention, and incident response. • Strong sense of ownership and accountability, balancing hands-on technical execution with the ability to mentor others, raise standards, and drive measurable improvements in enterprise security. • Excellent written and verbal communication skills, with the ability to influence without authority and translate technical risk into clear requirements and actionable guidance for both technical and non-technical audiences.