Member of Technical Staff - Deployment & Compliance (Air-Gapped Infrastructure)

xAI
Palo Alto, CA | $180k – $440k | Posted 27 March 2026

Job Description

About xAI

xAI’s mission is to create AI systems that can accurately understand the universe and aid humanity in its pursuit of knowledge. Our team is small, highly motivated, and focused on engineering excellence. This organization is for individuals who appreciate challenging themselves and thrive on curiosity. We operate with a flat organizational structure. All employees are expected to be hands-on and to contribute directly to the company’s mission. Leadership is given to those who show initiative and consistently deliver excellence. Work ethic and strong prioritization skills are important. All employees are expected to have strong communication skills. They should be able to concisely and accurately share knowledge with their teammates.

ABOUT THE ROLE:

You will own security compliance for xAI's air-gapped GPU infrastructure program — end to end, at the speed the program demands. We are building and deploying classified AI inference platforms across multiple facilities. Each site needs accreditation, each deployment needs compliance evidence, and each update needs security validation. You will drive this directly rather than waiting on shared resources.

You will prepare ATO packages, evaluate STIG findings, document control implementations, manage POAMs, compile software approval lists, and produce the security documentation that gets facilities authorized to operate. You will work with Authorizing Officials, 3PAOs, and CDSO/E to move accreditation forward. You will also coordinate with the central GRC team where their work intersects with yours, but you own the compliance timeline for this program.

The strongest candidates will also bring technical depth — understanding the Kubernetes, container, and networking infrastructure well enough to evaluate whether a STIG finding is applicable, write a technically accurate control implementation statement, or identify a compliance gap that the engineering team missed. You don't need to write Gatekeeper policies yourself, but you need to understand what they do and whether they satisfy the control requirement you're documenting.

RESPONSIBILITIES:

Own the ATO process for air-gapped classified deployments: prepare System Security Plans (SSP) or SSP sections, compile bodies of evidence, document control implementations, and drive the authorization timeline with Authorizing Officials and 3PAOs.
Evaluate STIG findings against deployed infrastructure: review OpenSCAP and SCAP Compliance Checker results, determine applicability (applicable, not applicable, inherently met), write justifications, and track remediation through POAMs.
Compile and maintain the software approval list for classified deployments: complete inventory of every OS, runtime, driver, container image, binary, and library running on the high side, with versions, sources, and justifications. Update with every release bundle.
Drive the CDS approval process: work with CDSO/E to document artifact types, sizes, signing process, and verification process for data diode transfer. Produce the CDS transfer policy document and coordinate the LBSA/SBSA timeline.
Define and document security controls for the deployment platform: translate NIST 800-53 requirements into control implementation statements that accurately describe how the Kubernetes infrastructure, network fabric, monitoring stack, and key management system satisfy each control.
Manage continuous compliance: ensure every update bundle passes compliance scans (STIG, CVE, CIS benchmark, FIPS validation) before it ships to a classified site. Work with the deployment infrastructure engineer to integrate scanning into the bundle CI pipeline.
Own the compliance scanning pipeline requirements: define what must be scanned, what pass/fail criteria look like, and what evidence must be captured — the deployment infrastructure engineer builds the automation, you define the requirements and validate the results.
Design key management and signing requirements: define ... (truncated, view full listing at source)