Principal Security Engineer – AI & Copilot Data Protection
About the role
Northern Trust, a Fortune 500 company, seeks a Principal-level individual contributor to lead the secure enablement of Microsoft 365 Copilot and enterprise AI capabilities within Northern Trust's Cyber Team. This role owns the end-to-end technical strategy, architecture, and operationalization of AI-driven data protection and compliance controls across Microsoft Purview, Defender, and M365 security services.
Scope of Accountability (Principal Expectations)
This Role Is Expected To Own the technical vision and control strategy for AI and Copilot data protection, not just implement features. Define durable, repeatable patterns for securing LLM-enabled workflows that other teams can adopt. Operate with wide autonomy, minimal oversight, and direct influence across Security, Compliance, Privacy, M365, and Risk. Anticipate risk before incidents occur, translating emerging AI threats into preventive controls. Serve as escalation point and design authority for complex or ambiguous AI security decisions.
Key Responsibilities
- AI & Copilot Security Architecture
- Act as hands-on technical lead and design authority for Copilot and enterprise AI security controls across Microsoft Purview, Defender, and M365.
- Define and evolve the AI data protection reference architecture, mapping controls to AI threat models and regulatory expectations.
- Review and harden Copilot platform configurations, including: Web grounding and search behaviors, Agents, plugins, and connectors, Permission inheritance and identity context, Transcripts, prompt history, and retention models.
- Ensure controls are designed for default-secure behavior, least privilege, and fail-safe operation.
- Control Engineering & Operations
- Design, implement, and operate AI-related controls spanning: Information Protection and labeling strategy, DLP and Endpoint DLP (including AI-specific scenarios), Insider Risk Management and Communication Compliance, Data Lifecycle Management and retention enforcement, DSPM for AI, including exposure detection and oversharing remediation.
- Configure, deploy, troubleshoot, and operate controls across AD and EntraID environments.
- Support production changes through disciplined change management and approved deployment windows.
- AI Risk Detection, Monitoring & Response
- Define AI-specific risk use cases, signals, and thresholds aligned to data exposure, misuse, and policy violation scenarios.
- Build monitoring, alerting, and automation for abnormal or high-risk AI usage patterns.
- Develop operational runbooks that enable consistent response, investigation, and evidence preservation.
- Ensure solutions are audit-ready, regulator-defensible, and operationally sustainable.
- Governance & Institutionalization
- Translate AI threat models into policy-aligned, enforceable technical controls.
- Partner with governance stakeholders to support: AI risk assessments, Control mapping and documentation, Decision logs and exception handling, Executive and stakeholder reporting.
- Contribute expert guidance to Copilot readiness, Zero Trust alignment, and broader AI governance initiatives.
- Track delivery and technical debt using Azure DevOps, establishing transparency and accountability.
- Copilot-Focused Control Outcomes
- Define and enforce Copilot-protected labels for files, groups, sites, and content sources.
- Prevent unauthorized content ingestion and unintended grounding into AI prompts.
- Expand browser and endpoint DLP protections, including: Copy/paste and screen capture controls, AI prompt and response handling, Operationalize DSPM for AI to continuously reassess exposure and remediate oversharing.
- Establish durable workflows for AI-related insider risk and communication compliance scenarios.
Required AI Security Expertise
- Deep understanding of LLM security fundamentals and threat modeling, including: Data exposure risks, Indirect and chained prompt injection, Model-mediated data exfiltration, Practical mitigation strategies for: Prompt injection and prompt data leakage, Over-privileged grounding sources, Agent and connector misuse.
- Experience securing agentic or tool-augmented AI systems, including least-privilege access and approval models.
- Strong grasp of AI governance concepts, including risk classification, control frameworks, and policy alignment.
- Ability to translate abstract AI risk into concrete, enforceable technical controls.
Qualifications
- Bachelor’s degree or equivalent experience in cybersecurity, engineering, or a related field.
- Extensive hands-on experience with Microsoft Purview and Microsoft Defender (including Cloud Apps).
- Strong background in data protection, DLP technologies, and enterprise information security.
- Prioritizing experience with scripting and automation capability (PowerShell, Python, Power Automate).
- Experience operating within formal incident, problem, and change management processes (e.g., ServiceNow).
Preferred Experience & Certifications
- Deep familiarity with M365 services such as SharePoint Online, Teams, Exchange, and Entra ID.
- Experience integrating or operating with Sentinel, Zscaler, Symantec DLP, or comparable platforms.
Salary Range
$137,400 - 233,600 USD
Benefits
Comprehensive benefits package including retirement benefits (401k and pension), health and welfare benefits (medical, dental, vision, spending accounts and disability), paid time off, parental and caregiver leave, life & accident insurance, and other voluntary and well-being benefits. Northern Trust also provides a discretionary bonus program that may include an equity component.