AI Security & Deployment Architect

Partner with client IT to get the environment ready for AI deployment. Translate enterprise IT and security primitives into agent-native architecture so Forward Deployed Engineers can sprint from day one.

Employment: Full-Time
Location: Remote (US)
Travel: Client-dependent — typically 25-35% on-site, IT/security conversations often start in person
Compensation: $150K–$250K + Discretionary Client Enablement Incentives

Senior · AISDA


Time allocation

Rough mix across the role. Every engagement varies.

  • Client success 20%
  • Innovation 15%
  • Business dev 20%
  • Admin 5%
  • Delivery 20%
  • Discovery 20%
  • Talent dev 0%

About ForgeVista

We deploy AI into the real world. Not slide decks. Not proofs of concept. Production systems that change how businesses operate. Our team embeds directly with clients to build, ship, and scale AI, and we do it at startup speed with enterprise quality.

Three things define how we work: AI Now (we ship with AI daily, not "someday"), CLI Native (the terminal is our cockpit, every role, every person), and High Agency (you own the outcome and move without waiting for permission).

Before you apply, please read our culture deck. Our culture isn't aspirational. It's how we actually operate. If it doesn't resonate, this probably isn't the right fit. We'd rather you self-select than discover the mismatch after a few interviews.


The Role

You're the AI Security & Deployment Architect: the person who walks into a client's IT and security organization, earns their trust, and gets the environment ready for AI deployment before our Forward Deployed Engineers arrive.

You are not the FDE. You don't write the agent workflows. You don't build MissionOS. Your job is to make sure that when the FDEs arrive on day one of Foundation, they can sprint, because the licenses are procured, the sandboxes are real, the security boundaries are agreed, the network egress is clean, and the client IT team understands and owns the configuration.

This is a player/coach role with a twist: you do less hands-on-keyboard than the FDE team. Most of the keystrokes happen on the client's IT team's keyboards, in their tenant. You guide. You translate. You unblock. You pair with their senior IT and security folks to walk them up the AI-readiness curve at the right pace, never faster than they can absorb, never slower than the engagement requires.

A typical engagement might look like:

  • During Labs or pre-Strategy: Light-touch discovery with the client's CIO, CISO, and lead IT architect. Map their current tenant (M365 / Entra ID, AWS / GCP / Azure landing zone, identity governance, network egress). Identify the gaps between today's posture and what an FDE engagement requires.
  • During Strategy: Daily partnership with client IT. Walk them through the decision matrix: where does FDE work happen (local laptop / client VM / cloud workstation), where do agent API calls go (Anthropic direct / Azure OpenAI in-tenant / Bedrock / Vertex), who owns the API keys and billing, what's the data-handling posture, what gets logged. Pair with them as they configure. They own the keystrokes; you own the architecture. This work has to be in motion well before Foundation kicks off.
  • As the Foundation / MissionOS build kicks off: Deliver a signed-off deployment-readiness plan: an environment the client owns and is comfortable with, that the FDE team can sprint on from day one. You step back to oversight + escalation; the client IT team owns the runtime.
  • As MissionOS matures: Re-engage when the work expands: bringing a workforce-level agentic surface into the tenant (M365 Copilot, ChatGPT Enterprise, Claude for Enterprise), hardening the FDE environment for swarm-style development, eventually standing up bounded agent runtimes (Copilot Studio, Azure AI Foundry agents, custom service principals) for the agents MissionOS produces.

The role's first job, in plain terms

Get client IT comfortable with our team using a CLI and agent APIs. That sounds simple. It's not. There are five to seven legitimate answers to each of: where does the work happen, where do API calls go, who pays, what's the data posture, how is it audited, etc. Your job is to know the tradeoffs cold, meet the client IT team where they are, and pick the right answer for their environment, fast.


The Profile

You are a seasoned IT systems architect or security architect who has been thoroughly AI-pilled. You have years (likely a decade or more) of operating inside real enterprise IT environments. You know what an Entra ID conditional access policy is, what a service principal does, what a network egress allowlist looks like, what SOC 2 evidence collection requires. You have rebuilt your priors for the agentic era and can translate fluently in both directions: enterprise IT primitives and AI-native operating patterns.

You don't just understand AI. You've personally navigated the Anthropic Console, the OpenAI enterprise procurement process, the Azure OpenAI deployment pattern. You've stood up bounded agents in real tenants. You know what ZDR (zero data retention) actually means in a contract and how to argue for it. You can read a client IT team's culture, pace, and risk tolerance in the first meeting and adjust your approach accordingly.

You bring:

  • 10+ years in IT systems architecture, security architecture, identity governance, cloud platform engineering, or related senior IT-side roles
  • Deep enterprise IT chops: at least one of:
    • M365 / Entra ID / Azure landing zone architecture at depth
    • AWS Control Tower / Organizations / IAM architecture
    • GCP Org Policy / VPC Service Controls / Workload Identity
    • Identity governance + privileged access management (CyberArk, BeyondTrust, etc.)
    • Security architecture (SOC 2 / ISO 27001 / NIST CSF implementation leadership)
  • AI-native rebuild of priors: you can show that you've personally done:
    • Anthropic / OpenAI / Azure OpenAI enterprise procurement and rollout
    • ZDR / BAA / DPA negotiations with frontier-model vendors
    • At least one bounded agent deployment in a real tenant (Copilot Studio, Azure AI Foundry, custom service principal + scoped token pattern)
    • CLI + agent pairing as your daily default (you wouldn't take this role if you didn't already live this way)
  • Consultative posture: you can sit with a client CISO, hear their concerns, and translate them into actionable architecture changes without making them feel cornered
  • Writing discipline: your deliverables are written, inspectable, and signed. The readiness plan is a real document the client signs off on, not a deck.
  • Pace calibration: you can read an IT team that's "almost nowhere" on AI and walk them up the curve without losing them, and you can pair with a sophisticated cloud-native IT team and move fast when they're ready

You probably haven't (and that's fine):

  • Worked at an AI lab or a model-training shop
  • Built consumer products
  • Spent your career inside a single hyperscaler's marketing org

What disqualifies:

  • "AI is overhyped" or "models aren't ready" thinking
  • Wanting to be the FDE (different role; we hire FDEs separately)
  • Vendor-lock-in evangelism. Frontier labs want to pull everything into their cloud; our stance is to respect the client's existing security boundary and meet them there
  • Inability or unwillingness to let the client IT team own the keyboard

What We Evaluate

1. AI-native systems thinking (AI Now)

Can you architect an AI deployment that respects an enterprise IT security boundary? Show us: when you've configured a bounded agent inside a real tenant, what choices did you make and why?

2. IT-team translation (CLI Native, by way of IT primitives)

Can you sit with a client IT lead who has never deployed an AI agent and walk them through the decision matrix without losing them? We'll role-play this in the interview.

3. Ownership without taking the keyboard

Can you own outcomes when most of the execution happens on someone else's keyboard? This is harder than it sounds. Show us an engagement where you owned the architecture but didn't implement it yourself. What was your accountability mechanism?

4. Pace calibration

How do you read where a client IT team is on the AI-readiness curve? Walk us through how you'd assess a 150-employee professional services firm vs. a 3,000-employee regulated manufacturer in their first hour of discovery.


How to Apply

Eligibility: This role is open to candidates based in the United States who are authorized to work in the US. We are not sponsoring work visas or considering applicants located outside the US at this time.

Apply through the link below. We evaluate artifacts before resumes. When you apply, you'll be asked to share an architecture artifact you authored (a deployment-readiness plan, an agent-deployment runbook, an Entra ID design for an AI rollout, or similar). Redact freely. Show us the work.


What We Offer

  • $150K–$250K base salary. Competitive, benchmarked, paid regardless of outcomes.
  • Discretionary Client Enablement Incentives: calibrated to customer success, not sprint throughput. Tied to outcomes like how ready the environment is at handoff, FDE velocity post-handoff, client IT team capability uplift, and repeat engagements. Awarded at the leadership team's discretion based on demonstrated impact.
  • Health + development benefits: health, dental, and vision coverage, plus a professional development budget for learning, conferences, and the tools you need to stay sharp.
  • A defining role: this is one of the first hires in a new role category. You shape what it becomes.
  • Growth trajectory: Three tracks (IC, Manager, Executive) with real progression. As one of the first AISDA hires, you shape the senior-IC path for this discipline. See how we grow.
  • Real authority: you set the standards for how ForgeVista engages with client IT and security organizations
  • CLI-native tooling: frontier AI agents, the best infrastructure tools
  • Remote-first. Travel depends on the client's IT culture; some IT/security architect conversations are best in person. Expect 25–35% on-site overall, with key kickoffs and strategy sessions typically in person.

What This Isn't

  • It's not an FDE role. You're not the one building MissionOS
  • It's not a vendor-relations role. You're not pushing a specific frontier lab's contract
  • It's not a "deck and recommend" role. You sign a deployment-readiness plan that has to actually work
  • It's not for someone who needs to do all the keystrokes themselves. Your job is to make the client IT team excellent at this

ForgeVista is an equal opportunity employer. We evaluate candidates based on demonstrated ability and proven immersion, not pedigree or credentials.

Skills + tools

Filled area = hire-bar (day-1 expectation). Scale: 1 = exposure, 5 = mastery. Same axes across all ForgeVista roles so you can compare. The dashed axis is something we deliberately don't do.

[Radar chart, scale 1 to 5. Axes: AI-Native Development; LLM Application Engineering; Enterprise Agent Engineering; Agentic Systems Engineering; Data Engineering; Analytics Engineering; Business Analysis & Discovery; Change Management & Client Success; Solution & Platform Architecture; Identity, Security & IT Systems; ML Research & Model Training. Legend: Hire-bar (expected day 1); We don't do this.]