Role Definition
| Field | Value |
|---|---|
| Job Title | AI Security Engineer |
| Seniority Level | Mid-level |
| Primary Function | Secures AI/ML systems across the lifecycle: threat-models LLMs and ML pipelines, red-teams models for adversarial vulnerabilities (prompt injection, data poisoning, model extraction), designs security architecture for AI deployments, develops AI-specific security policies and governance frameworks, and responds to AI-specific incidents. Sits at the intersection of cybersecurity, machine learning, and software engineering. |
| What This Role Is NOT | NOT a traditional security engineer who happens to use AI tools. NOT an ML engineer focused on model performance. NOT a GRC analyst writing AI policy without technical depth. NOT a SOC analyst monitoring AI-generated alerts. |
| Typical Experience | 3-7 years. Typically 2-4 years in security or ML engineering plus 1-3 years in AI-specific security. Relevant certs: CISSP, OSCP, plus ML/AI training. OWASP Top 10 for LLMs fluency expected. |
Seniority note: Junior (0-2 years) would score lower on Goal-Setting (2 instead of 3) and shift toward Yellow — less novel research, more execution of established playbooks. Senior/Principal (8+ years) would score even deeper Green with more strategic weight and higher barrier protection.
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Fully digital, desk-based. All work occurs in terminals, model environments, and cloud consoles. |
| Deep Interpersonal Connection | 1 | Some stakeholder communication — explaining AI risk to leadership, collaborating with ML teams on secure deployment. But the core value is technical, not relational. |
| Goal-Setting & Moral Judgment | 3 | Decides what is safe to deploy, defines acceptable AI risk, creates security policy for systems with no precedent. Every AI system presents a novel attack surface. No standardised playbook exists for most AI threats — this engineer writes them. |
| Protective Total | 4/9 | |
| AI Growth Correlation | 2 | Every company deploying AI needs AI security. Recursive dependency: you cannot fully automate securing AI with AI because the attack surface IS AI. More AI = more demand. |
Quick screen result: Protective 4 + Correlation 2 = Likely Green Zone (Accelerated). Proceed to confirm.
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Research novel AI attack vectors (prompt injection, adversarial ML, model poisoning, training data extraction) | 25% | 1 | 0.25 | NOT INVOLVED | Genuine novelty — no precedent exists for most emerging AI attack techniques. Requires creative adversarial thinking against systems that evolve monthly. AI cannot research attacks against itself that have not yet been conceived. |
| Design security architecture for AI/ML systems | 20% | 2 | 0.40 | AUGMENTATION | AI assists with reference patterns, but each deployment is unique. The engineer must understand the specific ML pipeline, data flows, trust boundaries, and business context to make architecture decisions. AI drafts; the human decides. |
| Red-team AI models (adversarial testing, jailbreaking, prompt injection campaigns) | 20% | 2 | 0.40 | AUGMENTATION | Tools like Mindgard, Promptfoo, and Garak automate known attack patterns, but creative adversarial testing against novel models requires human ingenuity. When GPT-5 launched Jan 2026, human red teams jailbroke it within 24 hours — automated tools had not. |
| Develop AI security policies and governance frameworks | 15% | 2 | 0.30 | AUGMENTATION | AI can draft policy templates, but defining "should we deploy this model?" requires ethical judgment, regulatory interpretation (EU AI Act Article 14, NIST AI RMF), and organisational context. The human owns the decision. |
| Audit AI systems for vulnerabilities and compliance | 10% | 3 | 0.30 | AUGMENTATION | AI handles scanning and evidence gathering, but interpreting findings in context of novel AI architectures and determining remediation priority requires human judgment. The structured portions are increasingly automatable, but the interpretation layer remains human. |
| Incident response for AI-specific breaches (model theft, training data poisoning, adversarial exploitation) | 10% | 2 | 0.20 | AUGMENTATION | AI assists with log correlation and anomaly detection, but AI-specific IR (determining if a model was poisoned, assessing adversarial impact, forensics on ML pipelines) is novel territory with no automated playbooks. |
| Total | 100% | 1.85 |
Task Resistance Score: 6.00 - 1.85 = 4.15/5.0
Displacement/Augmentation split: 0% displacement, 75% augmentation, 25% not involved.
Reinstatement check (Acemoglu): Yes — AI creates substantial new tasks for this role that did not exist 3 years ago: prompt injection testing, LLM guardrail design, AI supply chain security, model watermarking, adversarial robustness benchmarking, AI red team coordination, EU AI Act conformity assessment. This role is not transforming — it is being created. The task portfolio expands with every new AI capability.
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 2 | U.S. AI engineer postings rose 143% YoY in 2025 (Onward Search). LinkedIn ranked AI engineering the #1 fastest-growing job title in the U.S. for 2026. QA.com reports a 299% YoY increase in AI engineer vacancies. AI security specifically called out as a top emerging specialisation by Practical DevSecOps, with dedicated roles at every major tech company. Security postings broadly hit 66,800 in 2025, up 124% YoY (Robert Half). |
| Company Actions | 2 | Every major tech company (Google, Microsoft, OpenAI, Anthropic, Meta, Amazon) actively building AI security teams. New dedicated teams and roles that did not exist 2 years ago: AI Red Team (Microsoft, Google DeepMind), Prompt Security (startups like Prompt Security, Lakera, Robust Intelligence). No evidence of any company cutting AI security roles. The opposite: acute talent shortage. |
| Wage Trends | 2 | Glassdoor reports average AI Security Engineer salary of $182,810/year in the U.S. Specialised roles (AI LLM security) projected at $200K-$280K+ (Practical DevSecOps). Mid-level AI engineering salaries jumped 9.2% in 2025 alone (MRJ Recruitment). Ravio reports a 12% AI salary premium across the board. This represents 20-40% above standard cybersecurity roles, driven by rare skill intersection (AI + security). |
| AI Tool Maturity | 1 | Automated red-teaming tools exist (Mindgard, Promptfoo, Garak, Microsoft PyRIT) and assist with known attack patterns. But they test for known vulnerabilities, not novel ones. Prompt injection remains a fundamental unsolved problem —"no perfect solution exists" (EC-Council). When GPT-5 launched, automated defences failed within hours against human red teams. Tools augment engineers; they do not replace the creative adversarial work or architectural judgment. |
| Expert Consensus | 2 | Universal agreement across industry. ISC2 2025 Workforce Study: AI is a top-5 cybersecurity skill, expected to become #1 in-demand skill. NIST AI RMF and EU AI Act (Aug 2026 enforcement for high-risk systems) codify the need for human-led AI security. Palo Alto Networks HBR prediction: AI security is a defining challenge for 2026. 4.5M unfilled cybersecurity jobs globally, with AI security the most acute shortage. |
| Total | 9 |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 1 | No formal licensing, but EU AI Act (enforceable Aug 2026) mandates human oversight for high-risk AI systems with penalties up to 35M EUR/7% global revenue. NIST AI RMF requires documented human-in-the-loop for AI risk management. These regulations create structural demand for human security engineers. |
| Physical Presence | 0 | Fully remote capable. |
| Union/Collective Bargaining | 0 | Tech sector, at-will employment. |
| Liability/Accountability | 2 | If an AI system causes harm due to a security failure — biased outputs, data leaks, adversarial manipulation — someone is accountable. Boards, regulators, and insurers demand a human who signed off on "this AI is safe to deploy." AI has no legal personhood. This is structural, not a technology gap. |
| Cultural/Ethical | 2 | Strong resistance to "AI securing AI" without human oversight. The recursive trust problem: who validates the validator? Organisations, regulators, and the public demand human judgment in security decisions about AI systems. The trust deficit is structural. |
| Total | 5/10 |
AI Growth Correlation Check
Confirmed at 2. This is the defining characteristic of the role. The recursive dependency is direct and compounding:
- Every AI deployment creates a new attack surface that needs securing.
- Novel AI attacks (prompt injection, training data poisoning, model extraction) require creative human adversarial thinking — not pattern-matching.
- Regulators (EU AI Act, NIST AI RMF) mandate human accountability for AI security decisions.
- The "who watches the watchers?" problem has no AI solution — you cannot trust AI to certify itself as safe.
This qualifies as Green Zone (Accelerated): 2 AI Growth Correlation AND 4.15 Task Resistance Score (Green).
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 4.15/5.0 |
| Evidence Modifier | 1.0 + (9 × 0.04) = 1.36 |
| Barrier Modifier | 1.0 + (5 × 0.02) = 1.10 |
| Growth Modifier | 1.0 + (2 × 0.05) = 1.10 |
Raw: 4.15 × 1.36 × 1.10 × 1.10 = 6.8292
JobZone Score: (6.8292 - 0.54) / 7.93 × 100 = 79.3/100
Zone: GREEN (Green ≥48, Yellow 25-47, Red <25)
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 10% |
| AI Growth Correlation | 2 |
| Sub-label | Green (Accelerated) — Growth Correlation = 2 |
Assessor override: None — formula score accepted.
Assessor Commentary
Score vs Reality Check
The zone label is honest and all five signals converge on Green (Accelerated). The 4.15 Task Resistance Score is well above the 3.5 Green threshold. The 9/10 evidence score is among the strongest in the entire project. The Protective Principles at 4/9 would normally suggest Yellow — but the AI Growth Correlation of 2 overrides this because the role exists BECAUSE of AI growth, not despite it. This is one of the most straightforward classifications in the project — no borderline judgment, no barrier dependency, no evidence masking.
What the Numbers Don't Capture
- Supply shortage confound. The surging demand and premium wages are partly driven by an acute talent shortage — the intersection of AI expertise and security expertise is rare. If supply catches up (more university programmes, more cross-training), wage premiums could compress even as demand remains high. The role stays Green, but the $200K+ premium reflects scarcity as much as structural protection.
- Title rotation risk. "AI Security Engineer" may not be the long-term title. As AI security becomes standard practice, the work could absorb into "Security Engineer" or "Platform Security Engineer" the same way "Cloud Security Engineer" absorbed what was once a distinct specialisation. The WORK persists; the distinct title and premium may not.
- Tooling is improving fast. Automated red-teaming tools (Mindgard, Garak, PyRIT) are advancing rapidly. The 10% of task time currently scoring 3 (auditing) will likely expand as tools mature. The role remains Green because the novel research and architectural work that constitutes 90% of the role stays at score 1-2, but the task mix will shift over 3-5 years.
Who Should Worry (and Who Shouldn't)
If you're an AI Security Engineer doing novel adversarial research, designing security architecture for AI deployments, and red-teaming new models — you're in the strongest possible position. Every AI deployment creates more work for you. EU AI Act enforcement in August 2026 adds regulatory demand on top of technical demand. This is the career equivalent of being a cybersecurity professional in 2010.
If you're primarily running automated AI red-teaming tools and triaging their output without deep ML understanding — you're in a weaker position than the label suggests. The tooling layer is where automation will eat into the role first. The engineers who can only operate Garak but can't design a novel adversarial attack or architect security for a multi-agent system will face compression.
The single biggest factor: depth of ML/AI understanding. The $200K+ roles go to engineers who can both break and build AI systems. Surface-level "prompt injection testing" will commoditise; deep adversarial ML research will not.
What This Means
The role in 2028: The AI Security Engineer of 2028 will oversee security for increasingly autonomous AI agents, multi-model architectures, and AI-to-AI interactions. Attack surfaces will expand from individual models to agent ecosystems. Automated red-teaming tools will handle regression testing of known vulnerabilities, freeing engineers to focus on novel threats, architectural security for agentic systems, and regulatory compliance under fully-enforced EU AI Act. Demand will be higher than today.
Survival strategy:
- Master AI-native attack techniques. Prompt injection, training data poisoning, model extraction, adversarial examples. These are the core differentiators no automation replaces.
- Build regulatory fluency. EU AI Act conformity assessment, NIST AI RMF implementation, ISO 42001. August 2026 enforcement creates immediate demand.
- Develop the "T-shape." Deep security expertise with broad ML/AI engineering capability. The $200K+ roles go to engineers who can both break and build AI systems.
Timeline: This role strengthens over the next 5-10+ years. The driver is AI adoption itself — every new AI deployment creates more AI security work. The only scenario where demand declines is if AI adoption declines.
