GRC Program Manager

We’re seeking a GRC Program Manager to own a defined set of compliance, risk, and security operations frameworks end-to-end. 

You won’t spend your time on routine evidence collection or manual audit checklists—we automate that. Instead, you’ll own the complexity: the stakeholder coordination, the conceptual design of how frameworks apply to our environment, and the human judgment calls that automation can’t make. Your scope extends beyond traditional GRC into the program and organizational aspects of Security Operations—ensuring detection, response, and operational processes are governed, measured, and continuously improved. Success means your frameworks run smoothly, auditors get what they need without chasing people, and control owners across the business understand what’s expected of them—because you designed it that way.

As a GRC Program Manager, you are the reference person for your assigned frameworks—spanning compliance, risk, and security operations. You own them from interpretation through implementation—designing how controls map to our systems, coordinating across teams to ensure accountability, and managing external auditor relationships. You also own the programmatic and organizational side of Security Operations: how we structure detection and response processes, measure operational effectiveness, and ensure continuous improvement.

Routine operational work is handled through AI and automation; your value is in the complexity
that requires human judgment.

Framework Ownership & Coordination:

• Own assigned compliance frameworks (e.g., SOC 2, ISO 27001, GDPR, AI regulations) endto-end—from interpreting requirements and designing control mappings to ensuring audit readiness
• Act as the single point of accountability for your frameworks: auditors, control owners, and leadership come to you for answers
• Coordinate cross-functional stakeholders (Engineering, Product, Legal, People) to ensure controls are embedded in their workflows—not bolted on as afterthoughts
• Manage external auditor relationships, including scoping discussions, audit planning, finding resolution, and certification delivery
• Anticipate how regulatory changes affect your frameworks and proactively adapt the control environment
• Own the program structure of Security Operations—defining how detection and incident response processes are organized, governed, and reported on

Conceptual Design & Judgment:

• Design how abstract regulatory requirements translate into concrete, testable controls for our specific technology stack and business model
• Make judgment calls on control applicability, risk acceptance recommendations, and framework interpretation where guidance is ambiguous
• Define the conceptual structure of vendor assessments for your domain—what matters, what doesn’t, and where to draw the line
• Design and maintain the organizational framework for security operations—playbook governance, escalation structures, SLA definitions, and operational metrics
• Author and maintain policies that are enforceable and aligned to how the business actually operates—not compliance theater

Stakeholder Enablement & Human Coordination:

• Enable control owners to be self-sufficient: design clear expectations, provide context on why controls exist, and remove friction from their compliance responsibilities
• Coordinate remediation across teams when gaps are identified—driving accountability without micromanaging execution
• Communicate compliance posture and framework status to leadership in business terms
• Resolve ambiguity and competing priorities between business velocity and compliance obligations—finding paths that serve both

AI & Automation Leverage:

• Design and maintain automated evidence collection, monitoring, and reporting workflow so routine compliance work runs without manual intervention
• Continuously identify where human effort in your programs can be replaced by automation, AI-assisted review, or platform configuration
• Use AI tools as a force multiplier for research, gap analysis, policy drafting, and audit preparation—the expectation is that you operate at a level only possible with these tools

Experience: 4+ years in GRC, compliance, security operations, or audit roles, with demonstrated experience owning at least one compliance framework or security operations program end-to-end (scoping, control design, audit coordination, certification).

Must-Have Skills:

• Deep knowledge of governance frameworks (ISO 27001, SOC 2) and data privacy regulations (GDPR, CCPA), with the ability to interpret requirements and design practical control implementations
• Experience managing external auditor relationships and driving audits to completion independently
• Strong stakeholder management skills—you can coordinate across technical and non-technical teams, hold people accountable, and resolve conflicts without escalation
• Ability to design control mappings and assessment methodologies, not just execute predefined checklists
• Experience configuring GRC platforms and designing automated compliance workflows— you think in systems, not spreadsheets
• Comfort with ambiguity: you can make sound judgment calls when regulatory guidance is unclear or when business context requires interpretation
• Experience in cloud-native environments (AWS preferred) with an understanding of how infrastructure choices affect compliance scope
• Strong written communication—you can author policies and reports that are clear, concise, and actionable for their intended audience
• AI-First Mindset: You leverage AI tools daily as a core part of how you work. You don’t wait to be told where to automate—you actively seek to eliminate routine work from your programs so you can focus on the hard problems that require human judgment.

Nice to Have

• Certifications such as CISA, CRISC, CIPP/E, or ISO 27001 Lead Auditor/Implementer
• Experience with emerging AI regulations (EU AI Act, ISO 42001) and building governance approaches for AI/ML systems
• Background in high-growth SaaS or platform companies where compliance programs had to scale quickly
• Experience building or significantly maturing a GRC program—not just inheriting a fully built one
• Experience with security operations frameworks—incident response lifecycle, detection engineering governance, or SOC program management
• Familiarity with security engineering practices and how compliance automation integrates with CI/CD and infrastructure-as-code

Founded 2020 in Munich, we are a rapidly expanding scale-up in the B2B SaaS area. We’ve already assembled a super innovative, smart and fun team of 320+ highly motivated employees around our offices in Munich, Barcelona, Madrid, Cluj and New York. At Aily Labs, we have the bold mission to democratize AI. 

Our groundbreaking product is an AI-powered mobile app that uses cutting edge GenAI and traditional ML to unlock valuable business insights and gives personalized recommendations. 

Our aim? Disrupting the way corporate entities operate, paving the way for the world’s first AI decision intelligence platform that enables faster, simpler and smarter decision-making across the entire value chain, aiming towards full Agentic automation of key business goals.