Director / Senior Director of Compliance
Company Overview
ID.me is the next-generation digital identity wallet that simplifies how individuals securely prove their identity online. Consumers can verify their identity with ID.me once and seamlessly login across websites without having to create a new login and verify their identity again. Over 152 million users experience streamlined login and identity verification with ID.me at 20 federal agencies, 45 state government agencies, and 70+ healthcare organizations. More than 600+ consumer brands use ID.me to verify communities and user segments to honor service and build more authentic relationships. ID.me’s technology meets the federal standards for consumer authentication set by the Commerce Department and is approved as a NIST 800-63-3 IAL2 / AAL2 credential service provider by the Kantara Initiative. ID.me is committed to “No Identity Left Behind” to enable all people to have a secure digital identity. To learn more, visit https://network.id.me/.
About the Role
id.me operates one of the most highly regulated identity verification platforms in the country. Our compliance programs span FedRAMP, NIST 800-63, SOC 2, ISO 27001, IRS Pub 4812, and a growing portfolio of federal and commercial audit obligations.
We're looking for a compliance leader who believes that compliance done right is engineered, not administered. The right person will build automated, continuous, and scalable compliance systems — reducing toil, consolidating controls, and making evidence collection a natural byproduct of the work people already do.
This is a leadership role first. You'll own the full compliance portfolio, build and grow a team, and serve as a trusted partner to Engineering, Product, Legal, and Privacy.
What You'll Own
- Full compliance portfolio: FedRAMP (Moderate), SOC 2 Type II, ISO 27001, IRS Pub 4812, NIST 800-63 Rev 3/Rev 4 (Kantara), and emerging frameworks as they apply.
- People leadership: Build, grow, and lead a compliance team. You are accountable for your team's development, career growth, and well-being — not just their output.
- Automation strategy: Drive control consolidation and evidence automation. Reduce the total number of operated controls. Leverage AI and tooling to eliminate repetitive manual work.
- Cross-functional partnership: Serve as the compliance interface to Engineering, Product, Legal, and Privacy. Build trust through partnership, clear communication, and pragmatic risk decisions.
- Audit management: Maintain continuous audit readiness across all programs. Own assessor relationships and agency engagements.
- Risk integration: Partner with the Risk team to feed compliance findings into a unified cyber risk register — one evaluation loop, not fragmented reviews.
What We're Looking For
Must Have
People-first leadership. You have built and grown compliance teams. You hold regular 1:1s, create career development plans, and invest in making your people better. You delegate effectively and build systems where knowledge is shared, documented, and survives individual absence.
Communication clarity. You give crisp, direct answers to strategic questions. You write clearly. You adjust your communication to your audience — board members, engineers, auditors, PMs — without losing precision.
Partnership orientation. Engineering and Product are your customers. You default to "how do we make this work safely?" and when you say no, you explain why in terms the other person values and offer an alternative path. You build relationships proactively.
Automation conviction. You believe compliance should be engineered. You champion tooling that automates evidence collection, continuous monitoring, and control validation. You think more like an engineering director than a traditional compliance director — systems, leverage, elimination of toil.
Self-directing execution. You operate with minimal management. You identify what needs to happen, build a plan, execute it, and communicate upward proactively — your leadership always knows where things stand without having to ask.
Audit management experience. You have led or been deeply involved in external audits — managing assessor relationships, preparing evidence packages, coordinating across teams to maintain readiness. The specific frameworks matter less than the rigor and judgment you bring to the process.
AI fluency. You are comfortable using AI tools in your daily work and see them as force multipliers for compliance operations. We use Claude, Gemini, and custom integrations extensively. You will be expected to embrace and champion AI-augmented compliance workflows.
Strong Preference
- Experience with FedRAMP (Moderate or High), NIST 800-53, or equivalent federal compliance frameworks
- Experience building or significantly improving compliance automation (evidence pipelines, GRC platform integrations, continuous monitoring)
- Familiarity with GRC platforms (LogicGate, Drata, Vanta, or similar) as a power user
- Experience managing 3PAO and external assessor relationships
- Experience operating in a growth-stage or mid-stage tech company where you had to build, not just maintain
Nice to Have
- CISA, CISSP, CRISC, CISM, or similar certifications
- Experience with Kantara / NIST 800-63 identity assurance frameworks
- SOC 2 Type II or ISO 27001 program ownership
What Success Looks Like
First 90 days:
- You know every active compliance program, its current state, and its next milestone.
- You've had 1:1s with every team member and have a written development plan for each.
- You've met your key cross-functional partners (ProdSec, SecOps, IT, Legal, Privacy, Engineering VPs) and they describe you as easy to work with.
- You've identified the top 3 manual processes that should be automated and have a plan to address them.
First 6 months:
- At least one major evidence collection workflow is automated end-to-end.
- Total operated controls are reduced (consolidated, not just documented differently).
- Your team can cover for each other on PTO without disruption — no single points of failure.
- External audit partners describe working with id.me as improved.
- Engineering teams proactively engage compliance early in project planning — not as a last-minute gate.
First year:
- Compliance is a byproduct of operational work, not a parallel bureaucracy.
- Continuous monitoring runs without manual intervention for the majority of controls.
- You've built strategic relationships with key regulatory bodies and industry peers.
- Your team's velocity is measurably higher than when you started — with evidence to show it.
About the Environment
- AI-first culture. Our security org uses AI tools daily — from compliance automation to incident triage to security assessments. The CISO's goal: make it safe for everyone in the company to use every feature of any company-provisioned AI tool for any task. You'll be part of making that real.
- Practical over procedural. Compliance decisions are grounded in real risk, not checkbox culture. When something must be restricted, we prefer technical enforcement over policy documents.
- One team. Security at id.me operates as a single organization — SecOps, ProdSec, GRC, IT, and Physical Security collaborate daily. We value leaders who invest in cross-functional relationships and operate transparently.
The annual base salary listed does not include a company bonus, incentive for sales roles, equity and benefits which will be determined based on experience, skills, education, relevant training, geographic location and role.
ID.me offers comprehensive medical, dental, vision, health savings account, flexible spending accounts (medical, limited purpose, dependent care, commuter benefit accounts), basic and voluntary life and AD&D insurance, 401(k) with company match, parental leave, ability to participate in unlimited paid time off subject to the terms and conditions of the PTO policy, including 8 company wide holidays, short and long-term disability insurance, accident and critical illness insurance, referral bonus policy, employee assistance program, pet insurance, travel assistant program, wellbeing and childcare discounts, benefit advocates, and a learning and development benefit.
The above represents the anticipated total rewards package for this job requisition. Final offers may vary from the amount listed based on qualifications, professional experiences, skills, education, relevant training, geographic location, and other job related factors.
ID.me is a full-time, in-office culture. Unless a specific job description explicitly states otherwise, all roles are on-site five days per week at one of our offices in McLean, VA; Mountain View, CA; New York City, NY; or Tampa, FL. Certain roles — such as field-based sales or other remote-by-design positions — may have different work arrangements as noted in their individual postings.
ID.me maintains a work environment free from discrimination, where employees are treated with dignity and respect. All ID.me employees share in the responsibility for fulfilling our commitment to equal employment opportunity. ID.me does not discriminate against any employee or applicant on the basis of age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. ID.me adheres to these principles in all aspects of employment, including recruitment, hiring, training, compensation, promotion, benefits, social and recreational programs, and discipline. In addition, ID.me's policy is to provide reasonable accommodation to qualified employees who have protected disabilities to the extent required by applicable laws, regulations and ordinances where a particular employee works. Upon request we will provide you with more information about such accommodations.
Please review our Privacy Policy, including our CCPA policy, at id.me/privacy. If you provide ID.me with any personally identifiable information you confirm that you have read and agree to be bound by the terms and conditions set out in our Privacy Policy.
ID.me participates in E-Verify.