Sully.ai Inc.
Security & Compliance Manager (Healthcare)
Sully.ai Inc., San Francisco, California, United States, 94199
About Sully.ai
Sully.ai is building the future of AI healthcare employees—scribes, coders, assistants—that help clinicians work faster and safer, integrated with leading EHRs. Our mission is “One Human, One Doctor,” and security is foundational to delivering on that promise. We're hiring our first Security & Compliance Manager to own:
Control ownership across frameworks is fragmented and growing in scope.
Maintaining audit-grade compliance has become a near full-time job.
Security work lacks a clear champion and consistent prioritization.
Gaps in best practices risk audit findings—or worse, a security incident.
What you’ll do
Own our controls across SOC 2 Type II, ISO 27001, and HIPAA; keep live evidence green in Delve and ensure continuous audit readiness.
Run the identity & access lifecycle (SSO/SCIM/JIT/RBAC) across the IdP, AWS/GCP/Azure, and critical SaaS; drive least privilege and quarterly access reviews.
Triage and drive security engineering work with Eng leads; manage backlog, SLAs, and closure in Linear/Jira.
Prep/host audits (SOC 2/ISO/HIPAA): policies, risk register, vendor risk, BAAs/DPAs, corrective actions.
Handle customer trust work: security reviews, RFPs, and technical diligence; clearly explain PHI flows and safeguards in an EHR-integrated environment.
Coordinate monitoring runbooks for CSPM, endpoint, CI/CD, and data access; lead weekly control-health reviews.
Champion “security-by-default” in AI pipelines: dataset governance, PHI handling, model access, environment segregation.
Own vendor relationships (e.g., Delve; familiarity with platforms like Electric.ai helpful).
What success looks like (OKRs)
Control health: ≥95% controls passing in Delve; zero >14-day overdue items.
Audit readiness: 0 major nonconformities; ≤3 minor per audit; evidence ready ≥30 days pre-fieldwork.
Access hygiene: 100% offboarding