Senior / Principal Security Architect (AI/OT)
- Denver, Colorado, 80205, United States of America
- Minneapolis, Minnesota, 55401
- Austin, Texas, 78701
- Amarillo, Texas, 79101
Are you looking for an exciting job where you can put your skills and talents to work at a company you can feel proud to be a part of? Do you want a workplace that will challenge you and offer you opportunities to learn and grow? A position at Xcel Energy could be just what you’re looking for.
We have 1 open position for an AI-focused Security Architect (Sr. or Principal) and 1 open position for an OT-focused Security Architect (Sr. or Principal). Both descriptions are below.
AI-focused Security Architect
Position Summary
This is a hybrid AI/IAM Security Architect role. The architect ensures that Xcel’s artificial intelligence (AI) and machine learning (ML) capabilities are designed, deployed, and operated securely, while also serving as a security architecture lead for Identity & Access Management (IAM) more broadly across the enterprise (not limited to agentic or AI-specific identity). This role provides security oversight for AI-enabled products and platforms (including generative AI/LLM solutions) and for IAM capabilities such as authentication, authorization, privileged access, and identity governance, partnering with engineering, data, infrastructure, and business teams to define secure-by-design patterns from the ground up. A successful candidate will combine strategic thinking with hands-on technical depth across AI/ML architectures, data protection, IAM architecture, and emerging threats. They will advise stakeholders on methods and practices that achieve business outcomes while reducing risk, and will champion standards, architectural patterns, and governance that strengthen the security and trustworthiness of Xcel’s AI footprint and IAM program. This role is part of the larger security architecture organization and will collaborate with peers as well as technology and business teams.
Essential Responsibilities
AI & IAM Security Architecture: Design security reference architectures and guardrails for AI/ML and generative AI solutions and for enterprise IAM capabilities, including authentication, authorization, privileged access, identity governance, and secure integration patterns.
AI & IAM Security Governance: Define and maintain control baselines and guardrails for AI-enabled platforms and enterprise IAM (e.g., model inventory, risk tiering, approval gates; identity standards, access reviews, and privileged access requirements) and ensure compliance drift is detected and addressed.
Threat Modeling & Risk Analysis: Conduct threat modeling and risk assessments for AI use cases (e.g., prompt injection, data leakage, model inversion/extraction, supply-chain risks) and provide advisory services to programs and operations.
Secure AI Engineering Practices: Partner with product and engineering teams to embed security requirements into the AI lifecycle (data sourcing, training/fine-tuning, evaluation, deployment, monitoring, and retirement).
Regulation, Privacy, and Compliance: Ensure AI solutions and IAM controls align with applicable regulatory expectations and internal policies (e.g., privacy, critical infrastructure requirements), including controls for sensitive data used in AI workflows.
Minimum Requirements (Senior Security Architect) – $112,200 - 159,400:
Minimum of 8 years’ experience in IT including 5 years’ direct experience in IT engineering and cyber security.
Demonstrated verbal/written communication and presentation skills.
Demonstrated experience collaborating with internal stakeholders, 3rd parties, and management.
Ability to influence without direct authority.
Experience with technology implementation projects for enterprise-scale organizations.
Minimum Requirements (Principal Security Architect) – $129,000 – 183,200:
5 years of experience in systems architecture or systems engineering.
10 years of experience in Information Security.
3 years of experience designing complex systems.
3 years of experience with systems integration and engineering.
Strong oral and written communication skills.
Must be able to understand and respond to clients' business needs.
Demonstrated experience collaborating with internal employees, third parties, and management to develop solutions and ensure stakeholder buy-in.
Ability to influence without direct authority.
Preferred: Information Security experience in the electric utility industry.
Preferred: Experience with technology implementation projects for enterprise-scale organizations.
Preferred Requirements
Hands-on experience with AI models and solutions (including generative AI/LLMs), such as model selection/integration, training or fine-tuning, retrieval-augmented generation (RAG), inference services, and model monitoring/operations in a production environment.
Strong understanding of AI security threats and mitigations (e.g., prompt injection, insecure tool/function calling, data leakage, jailbreaks, model inversion/extraction, poisoning, and supply-chain risks).
Experience with enterprise IAM patterns and controls (e.g., SSO/federation, OAuth2/OIDC, RBAC/ABAC, conditional access, managed identities/service principals, and PAM), applied across enterprise applications and cloud platforms; experience applying these patterns to AI/ML platforms and data services is a plus.
Experience with IAM architecture and/or operations, such as identity governance (IGA), access reviews and attestations, role engineering, conditional access, and privileged access management (PAM).
Knowledge of relevant regulations and compliance requirements such as NERC-CIP, TSA, and SOX, plus emerging AI/privacy and IAM-related regulatory expectations as applicable.
Experience partnering with product, data, platform, and MLOps/DevOps teams to deliver secure AI solutions and to implement IAM controls (e.g., least privilege access, service identity, and privileged access workflows).
Familiarity with AI governance and risk management practices (e.g., model inventory, documentation, human oversight, third-party model/vendor risk).
OT-focused Security Architect
Position Summary
The security architect ensures that Xcel’s technology services are designed and delivered securely across both Information Technology (IT) and Operational Technology (OT) environments. This role emphasizes security for industrial and critical infrastructure facilities such as electric substations, gas compressor stations, and generation sites. This is an opportunity to partner with operations and engineering teams to define practical security approaches that protect reliability and safety while enabling business outcomes. A successful candidate will bring hands-on experience in roles such as controls engineering, field technician/field operations, or industrial control system (ICS) design or operations, along with strong security architecture skills. They will advise stakeholders on security methods and practices, champion best practices and standards that reduce risk across Xcel’s footprint, and collaborate with peers across security, technology, and business teams.
Essential Responsibilities
OT/ICS Security Architecture: Work with the business to define security patterns and reference architectures for industrial control environments (e.g., SCADA, DCS, PLC/HMI).
Network Segmentation & Remote Access: Define and govern segmentation (zones/conduits), secure remote access, and monitoring strategies for OT networks and vendor/contractor connectivity.
Governance & Standards: Develop security control baselines, hardening standards, and exception processes for OT assets and supporting infrastructure; ensure compliance drift is managed.
Operational Collaboration: Partner with controls engineering, field technicians, plant operations, and maintenance teams to implement security improvements that work in real-world operating environments.
Incident Readiness: Improve detection and response for OT environments, including logging/telemetry requirements, playbooks, and tabletop exercises with operations.
Documentation and Reusability: Create products such as use cases and implementation patterns.
Regulation and Compliance: Ensure adherence to regulatory frameworks such as NERC CIP and TSA Security Directive 2, including applicability to OT facilities and supporting IT/cloud services where used.
Minimum Requirements (Senior Security Architect) – comp range: $112,200 - 159,400
Minimum of 8 years’ experience in IT including 5 years’ direct experience in IT engineering and cyber security.
Demonstrated verbal/written communication and presentation skills.
Demonstrated experience collaborating with internal stakeholders, 3rd parties, and management.
Ability to influence without direct authority.
Experience with technology implementation projects for enterprise-scale organizations.
Minimum Requirements (Principal Security Architect) – comp range: $129,000 – 183,200
5 years of experience in systems architecture or systems engineering.
10 years of experience in Information Security.
3 years of experience designing complex systems.
3 years of experience with systems integration and engineering.
Strong oral and written communication skills.
Must be able to understand and respond to clients' business needs.
Demonstrated experience collaborating with internal employees, third parties, and management to develop solutions and ensure stakeholder buy-in.
Ability to influence without direct authority.
Preferred: Information Security experience in the electric utility industry.
Preferred: Experience with technology implementation projects for enterprise-scale organizations.
Preferred Requirements
5+ years of experience in security architecture, cybersecurity engineering, or control systems engineering, including work that interfaces with industrial/OT environments.
Hands-on experience with OT/ICS technologies and environments (e.g., SCADA, PLC/HMI, DCS) and the operational constraints of critical infrastructure.
Knowledge of network segmentation concepts and secure remote access patterns for OT/vendor connectivity.
Experience with OT security frameworks and guidance (e.g., IEC 62443, NIST SP 800-82) and applying them pragmatically in operating environments.
Experience working with vendors/contractors supporting industrial equipment and control systems, including secure access and support models.
Certifications such as GICSP, CISSP, CCSP, CCSK, or AWS Certified Security.
Knowledge of relevant regulations and compliance requirements such as NERC CIP, TSA, and 10 CFR 810.
As a leading combination electricity and natural gas energy company, Xcel Energy offers a comprehensive portfolio of energy-related products and services to 3.4 million electricity and 1.9 million natural gas customers across eight Western and Midwestern states. At Xcel Energy, we strive to be the preferred and trusted provider of the energy our customers need. If you’re ready to be a part of something big, we invite you to join our team.
All qualified applicants will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
Individuals with a disability who need an accommodation to apply please contact us at recruiting@xcelenergy.com.
Non-Bargaining
The anticipated starting base pay for this position is: $112,200.00 to $183,200.00 per year.
This position is eligible for the following benefits: Annual Incentive Program, Medical/Pharmacy Plan, Dental, Vision, Life Insurance, Dependent Care Reimbursement Account, Health Care Reimbursement Account, Health Savings Account (HSA) (if enrolled in eligible health plan), Limited-Purpose FSA (if enrolled in eligible health plan and HSA), Transportation Reimbursement Account, Short-term disability (STD), Long-term disability (LTD), Employee Assistance Program (EAP), Fitness Center Reimbursement (if enrolled in eligible health plan), Tuition reimbursement, Transit programs, Employee recognition program, Pension, 401(k) plan, Paid time off (PTO), Holidays, Volunteer Paid Time Off (VPTO), Parental Leave.
Benefit plans are subject to change and Xcel Energy has the right to end, suspend, or amend any of its plans, at any time, in whole or in part.
In any materials you submit, you may redact or remove age-identifying information including but not limited to dates of school attendance and graduation. You will not be penalized for redacting or removing this information.
Deadline to Apply: 04/22/26
All Xcel Energy employees and contractors share responsibility for protecting the company's information and systems by adhering to cybersecurity policies, standards, and best practices, recognizing that cybersecurity is everyone's responsibility.
ACCESSIBILITY STATEMENT
Xcel Energy endeavors to make https://www.xcelenergy.com/ accessible to any and all users. If you would like to contact us regarding the accessibility of our website or need assistance completing the application process, please contact Xcel Energy Talent Acquisition at recruiting@xcelenergy.com. This contact information is for accommodation requests only and cannot be used to inquire about the status of applications.