Senior Manager, Emerging Technology Risk
About the role
Bristol Myers Squibb is seeking a Senior Manager, Emerging Technology Risk to join our Security & IT Risk organization. This leader will own the governance, risk, and compliance (GRC) strategy for emerging and disruptive technologies with a primary emphasis on Artificial Intelligence (AI), Generative AI (GenAI), and Large Language Models (LLMs).
Responsibilities
Lead the design, implementation, and continuous improvement of BMS’s AI governance framework, including archetype-based control models covering risk classification, control objectives, implementation patterns, and acceptable evidence standards.
Conduct structured reviews of emerging AI technologies and tools being considered for enterprise adoption, evaluating each against BMS’s risk appetite, security standards, and regulatory obligations before deployment approval.
Lead AI risk and conformity assessments aligned to the EU AI Act, NIST AI RMF, ISO/IEC 42001, and applicable global privacy regulations (GDPR, EDPB, state-level AI laws), including risk classification for high-risk use cases across Clinical, Commercial, and R&D domains.
Assess GenAI tools and LLM deployments including Claude (via AWS Bedrock), ChatGPT, and other third-party services for data privacy, contractual, and data residency implications; navigate legal and licensing constraints including third-party data ingestion restrictions and BMS-controlled vs. SaaS deployment considerations.
Partner with business, technology, Legal, and Privacy stakeholders to define and implement controls for approved AI technologies, ensuring controls are practical, embedded in workflows, and aligned to identified risks.
Design and execute control testing programs for AI-specific controls, including pre-deployment validation, post-deployment effectiveness testing, and periodic re-assessment as AI capabilities and risk profiles evolve; document results, gaps, and remediation plans and track findings through to closure.
Collaborate with Cloud and security engineering to embed foundational GRC controls at the AI gateway and control plane levels prior to production deployment, incorporating model traceability, privacy-by-design, and audit trail requirements.
Serve as GRC subject matter expert on BMS’s Secure AI, translating complex risk assessments and control testing outcomes into executive-ready presentations, actionable guidance, and governance reporting for senior leadership.
Provide practical guidance to business units on compliant AI tool usage, risk-appetite alignment, and governance requirements; serve as a trusted advisor to product and technology teams navigating the AI review and approval process.
Monitor and assess risks from next-generation AI capabilities including agentic AI, multi-modal GenAI, synthetic data pipelines, and quantum-accelerated inference.
Requirements
Bachelor's degree required in Information Security, Computer Science, Risk Management, Data Science, or a related field.
8+ years of progressive experience in GRC, information security, or technology risk, with at least 2–3 years directly focused on AI, emerging technology, or data governance.
Demonstrated success designing and operationalizing GRC control frameworks for AI or advanced technology platforms in a large, complex enterprise.
Hands-on experience with AI governance frameworks: NIST AI RMF, EU AI Act compliance, and/or ISO/IEC 42001 or 23894.
Experience assessing LLM/GenAI tools for enterprise deployment risk including prompt injection, hallucination risk, IP leakage, and training data privacy.
Strong understanding of cloud-based AI deployment architectures and the data residency/privacy implications of BMS-controlled vs. third-party SaaS environments.
Proven ability to influence and communicate with senior executives and external advisors.
Preferred
Experience in Life Sciences, Pharma, or a highly regulated industry (FDA oversight, GxP, clinical data governance).
Experience with AI gateway architecture, API security controls, and control plane governance.
Exposure to agentic AI systems, model cards, data lineage frameworks, and model lifecycle governance.
Key Competencies & Skills
Technical GRC Skills: AI/ML risk assessment & model governance, EU AI Act, NIST AI RMF, ISO 42001, GenAI & LLM risk (hallucination, prompt injection, IP), cloud architecture & AI gateway controls (AWS/Azure), data lineage, model traceability, audit readiness, GRC platform tooling (ServiceNow, OneTrust).
Leadership & Business Skills: Executive presence & risk communication, cross-functional stakeholder influence, program management & workstream coordination, vendor & consultant management, training & change management.
Compensation Overview
The starting compensation range(s) for this role are listed above for a full-time employee (FTE) basis. Additional incentive cash and stock opportunities (based on eligibility) may be available. The starting pay rate takes into account characteristics of the job, such as required skills, where the job is performed, the employee’s work schedule, job-related knowledge, and experience.
Benefits
Health Coverage: Medical, pharmacy, dental, and vision care.
Wellbeing Support: Programs such as BMS Well-Being Account, BMS Living Life Better, and Employee Assistance Programs (EAP).
Financial Well-being and Protection: 401(k) plan, short- and long-term disability, life insurance, accident insurance, supplemental health insurance, business travel protection, personal liability protection, identity theft benefit, legal support, and survivor support.
Work-life Benefits
Paid Time Off: US Exempt Employees: flexible time off (unlimited, with manager approval, 11 paid national holidays (not applicable to employees in Phoenix, AZ, Puerto Rico or Rayzebio employees)), Phoenix, AZ, Puerto Rico and Rayzebio Exempt, Non-Exempt, Hourly Employees: 160 hours annual paid vacation for new hires with manager approval, 11 national holidays, and 3 optional holidays.