Security & Compliance Manager (Healthcare)

4 Minutes ago • 6 Years + • $150,000 PA - $175,000 PA

Job Summary

Job Description

Sully.ai is building AI healthcare employees (scribes, coders, assistants) that help clinicians work faster and safer, integrated with leading EHRs. Our mission is 'One Human, One Doctor,' and security is foundational to it. We are hiring our first Security & Compliance Manager to address four problems: fragmented control ownership, the near full-time job of maintaining audit-grade compliance, the lack of a clear security champion, and the risk of audit findings or security incidents caused by gaps in best practice.

Job Details

About Sully.ai

Our mission is "One Human, One Doctor". We are creating superhuman doctors, because access to doctors is a basic human right.

Start with making doctors superhuman. Our vision is to eliminate doctor distractions and help them navigate the best treatments for their patients.

About the role

Sully.ai is building the future of AI healthcare employees—scribes, coders, assistants—that help clinicians work faster and safer, integrated with leading EHRs. Our mission is “One Human, One Doctor,” and security is foundational to delivering on that promise. We're hiring our first Security & Compliance Manager to address the following:

  • Control ownership across frameworks is fragmented and growing in scope.
  • Maintaining audit-grade compliance has become a near full-time job.
  • Security work lacks a clear champion and consistent prioritization.
  • Gaps in best practices risk audit findings—or worse, a security incident.

What you’ll do

  • Own our controls across SOC 2 Type II, ISO 27001, and HIPAA; keep live evidence green in Delve and ensure continuous audit readiness.
  • Run identity & access lifecycle (SSO/SCIM/JIT/RBAC) across IdP, AWS/GCP/Azure, and critical SaaS; drive least-privilege and quarterly reviews.
  • Triage and drive security engineering work with Eng leads; manage backlog, SLAs, and closure in Linear/Jira.
  • Prep/host audits (SOC 2/ISO/HIPAA): policies, risk register, vendor risk, BAAs/DPAs, corrective actions.
  • Handle customer trust work: security reviews, RFPs, and technical diligence; clearly explain PHI flows and safeguards in an EHR-integrated environment.
  • Coordinate monitoring runbooks for CSPM, endpoint, CI/CD, data access; lead weekly control-health reviews.
  • Champion “security-by-default” in AI pipelines: dataset governance, PHI handling, model access, environment segregation.
  • Own vendor relationships (e.g., Delve; familiarity with platforms like Electric.ai helpful).

What success looks like (OKRs)

  • Control health: ≥95% controls passing in Delve; zero >14-day overdue items.
  • Audit readiness: 0 major nonconformities; ≤3 minor per audit; evidence ready ≥30 days pre-fieldwork.
  • Access hygiene: 100% offboarding <4 business hours; quarterly reviews with <2% exceptions >7 days.
  • Backlog throughput: ≥80% of committed security tickets per sprint; avg cycle time <14 days.
  • Customer trust: Median turnaround for security questionnaires ≤5 business days; AE/CSM CSAT ≥4.5/5.
  • Incident prep: 2 tabletops/year; MTA for monitoring alerts <15 minutes during business hours.

What you bring

  • 5+ years in Security GRC / SecOps / IT with healthcare exposure; hands-on with SOC 2 & ISO 27001 (evidence, CAPs).
  • Working knowledge of HIPAA/HITECH, BAAs, and PHI data flows; HITRUST familiarity is a plus.
  • Multi-cloud IAM (AWS/GCP/Azure), SSO/SCIM, RBAC, just-in-time access; can read Terraform/IaC and basic logs.
  • Experience with compliance automation and device/identity platforms (e.g., Delve; Electric.ai), ticketing (Linear/Jira), and CSPM/EDR.
  • Strong program/project management; able to lead cross-functional work without formal authority; crisp customer-facing communicator.
  • Light scripting (Python/Bash) to automate evidence pulls or access reviews; SQL basics for data-access checks.

Nice to have

  • HITRUST, ISO 27001 Lead Implementer/Lead Auditor, or CCSK/CISSP.
  • Experience supporting enterprise security questionnaires and technical due diligence.

Why Join Sully.ai?

  • Shape the Future of Healthcare: Build category-defining partnerships that enable doctors to focus on saving lives.
  • Early-Stage Impact: Join early and play a critical role in shaping our partnership roadmap and overall company growth.
  • Remote-First Culture: Work with a talented, mission-driven team in a flexible, remote environment.
  • Competitive Compensation: Enjoy a competitive salary, equity, and the opportunity to make a real difference.
  • Solve Scalability Challenges: Tackle complex challenges in a rapidly growing company, driving impactful change in healthcare.

Sully.ai is an equal opportunity employer. In addition to EEO being the law, it is a policy that is fully consistent with our principles. All qualified applicants will receive consideration for employment without regard to status as a protected veteran or a qualified individual with a disability, or other protected status such as race, religion, color, national origin, sex, sexual orientation, gender identity, genetic information, pregnancy or age. Sully.ai prohibits any form of workplace harassment.

About The Company

Mountain View, California, United States (Remote)