Company Overview

ID.me is the next-generation digital identity wallet that simplifies how individuals securely prove their identity online. Consumers can verify their identity with ID.me once and seamlessly login across websites without having to create a new login and verify their identity again. Over 152 million users experience streamlined login and identity verification with ID.me at 20 federal agencies, 45 state government agencies, and 70+ healthcare organizations. More than 600+ consumer brands use ID.me to verify communities and user segments to honor service and build more authentic relationships. ID.me’s technology meets the federal standards for consumer authentication set by the Commerce Department and is approved as a NIST 800-63-3 IAL2 / AAL2 credential service provider by the Kantara Initiative. ID.me is committed to “No Identity Left Behind” to enable all people to have a secure digital identity. To learn more, visit https://network.id.me/.

Director / Senior Director of Compliance

Location: Mountain View, CA (on-site) Reports to: VP of GRC / Deputy CISO Department: Security — Governance, Risk, and Compliance

Why This Role Exists

id.me operates one of the most highly regulated identity verification platforms in the country. Our compliance programs span FedRAMP, NIST 800-63 (Rev 3 and Rev 4), SOC 2, ISO 27001, IRS Pub 4812, and a growing portfolio of federal and commercial audit obligations.

We're looking for a compliance leader who believes that compliance done right is a byproduct of well-engineered systems — not a parallel bureaucracy. The right person will transform how compliance operates: from manual evidence gathering and heroic individual effort to automated, continuous, and scalable.

This is not a role for someone who wants to maintain the status quo. If your instinct when a deadline is at risk is to throw more hours at it instead of asking "why isn't this automated?", this isn't the right fit.

What You'll Own

• Full compliance portfolio: FedRAMP (Moderate), SOC 2 Type II, ISO 27001, IRS Pub 4812, NIST 800-63 Rev 3/Rev 4 (Kantara), and emerging frameworks as they apply.
• People leadership: Build, grow, and lead a compliance team. You are accountable for your team's development, career growth, and well-being — not just their output.
• Automation strategy: Drive aggressive control consolidation and evidence automation. Reduce the total number of operated controls. Make evidence collection a byproduct of the work people already do — not a separate exercise.
• Cross-functional partnership: Serve as the compliance interface to Engineering, Product, Legal, and Privacy. Build trust through partnership, not gatekeeping. Your success is measured by how easily teams work WITH compliance, not how thoroughly you block them.
• Audit readiness: Maintain continuous audit readiness across all programs. Manage 3PAO relationships, agency engagements, and external assessors.
• Risk integration: Partner with the Risk team to feed compliance findings into a unified cyber risk register. One evaluation loop — not fragmented reviews from five different teams.

What We're Looking For

Must Have

People-first leadership. You have built and grown compliance teams. You hold regular 1:1s, create career development plans, and invest in making your people better — not just getting work done. You delegate effectively and build systems where knowledge survives individual absence. If you're "too busy" for your team, you're not operating at the right altitude.

Communication clarity. You give crisp, direct answers to strategic questions. "What does success look like in 30 days?" gets a two-sentence answer, not a monologue. You write clearly. You adjust your communication to your audience — board members, engineers, auditors, PMs — without losing precision.

Partnership over gatekeeping. Engineering and Product are your customers, not your adversaries. You default to "how do we make this work safely?" not "this is not allowed." When you say no, you explain why in terms the other person values and offer an alternative path. You build relationships with stakeholders proactively — you don't wait for escalations.

Automation conviction. You believe compliance should be engineered, not administered. You champion tooling that automates evidence collection, continuous monitoring, and control validation. You actively resist the instinct to throw manual labor at deadline pressure. You think more like an engineering director than a traditional compliance director — systems, leverage, elimination of toil.

Self-directing execution. You operate with minimal management. You identify what needs to happen, build a plan, execute it, and communicate upward proactively. You don't wait to be told. You manage up effectively — your leadership always knows where things stand without having to ask.

Strong Preference

• Experience with FedRAMP (Moderate or High), NIST 800-53, or equivalent federal compliance frameworks
• Experience building or significantly improving compliance automation (evidence pipelines, GRC platform integrations, continuous monitoring)
• Familiarity with GRC platforms (LogicGate, Drata, Vanta, or similar) — as a power user who pushes the platform, not just a form-filler
• Comfort with AI/ML tools for compliance workflows (we use Claude, Gemini, and custom MCP integrations extensively)
• Experience operating in a growth-stage or mid-stage tech company where you had to build, not just maintain

Nice to Have

• CISA, CISSP, CRISC, CISM, or similar certifications
• Experience with Kantara / NIST 800-63 identity assurance frameworks
• SOC 2 Type II, ISO 27001 audit management experience
• Prior experience managing 3PAO and external assessor relationships

What Success Looks Like

First 90 days:

• You know every active compliance program, its current state, and its next milestone.
• You've had 1:1s with every team member and have a written development plan for each.
• You've met your key cross-functional partners (ProdSec, SecOps, IT, Legal, Privacy, Engineering VPs) and they describe you as easy to work with.
• You've identified the top 3 manual processes that should be automated and have a plan to address them.

First 6 months:

• At least one major evidence collection workflow is automated end-to-end.
• Total operated controls are reduced (consolidated, not just documented differently).
• Your team can cover for each other on PTO without disruption — no single points of failure.
• External audit partners describe working with id.me as improved.
• Engineering teams proactively engage compliance early in project planning — not as a last-minute gate.

First year:

• Compliance is a byproduct of operational work, not a parallel bureaucracy.
• Continuous monitoring runs without manual intervention for the majority of controls.
• You've built strategic relationships with key regulatory bodies and industry peers.
• Your team's velocity is measurably higher than when you started — with evidence to show it.

About the Environment

• AI-first culture. The CISO's 2026 goal: "It is SAFE for EVERYONE to use every feature of any company-provisioned AI tool for any task." We practice what we preach — our compliance stack uses Claude, custom MCP servers, and automation pipelines extensively. You will be expected to embrace this.
• High risk appetite, low risk tolerance. We move fast and accept risk deliberately. "Because FedRAMP" is not accepted as a justification for blocking the business. If something must be restricted, we enforce it technically — not with policy documents nobody reads.

Base Salary: $230,000–$320,000
Bonus: 20–25%, depending on level
Equity: Competitive

ID.me is a full-time, in-office culture. Unless a specific job description explicitly states otherwise, all roles are on-site five days per week at one of our offices in McLean, VA; Mountain View, CA; New York City, NY; or Tampa, FL. Certain roles — such as field-based sales or other remote-by-design positions — may have different work arrangements as noted in their individual postings.

ID.me maintains a work environment free from discrimination, where employees are treated with dignity and respect. All ID.me employees share in the responsibility for fulfilling our commitment to equal employment opportunity. ID.me does not discriminate against any employee or applicant on the basis of age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. ID.me adheres to these principles in all aspects of employment, including recruitment, hiring, training, compensation, promotion, benefits, social and recreational programs, and discipline. In addition, ID.me's policy is to provide reasonable accommodation to qualified employees who have protected disabilities to the extent required by applicable laws, regulations and ordinances where a particular employee works. Upon request we will provide you with more information about such accommodations.

Please review our Privacy Policy, including our CCPA policy, at id.me/privacy. If you provide ID.me with any personally identifiable information you confirm that you have read and agree to be bound by the terms and conditions set out in our Privacy Policy.

ID.me participates in E-Verify.