Vendor Security Program Manager
OpenAI

Job Description
About The Team
The Vendor Security team at OpenAI is integral to ensuring our technology benefits humanity safely and securely. We provide robust security assurances and compliance frameworks across our technology, people, and products. Our mission centers on building global trust in our offerings, operating technically and operationally to proactively mitigate risks alongside security and engineering teams. We prioritize impact, foster innovation, and uphold a culture of continuous compliance and security awareness.
About The Role
As a Vendor Security Program Manager at OpenAI, you will be pivotal in safeguarding our organization from external risks originating from suppliers, vendors, partners, and hardware manufacturers. Your responsibilities include executing comprehensive security assessments, developing a robust program for global supply chain and vendor risk management, and spearheading security initiatives across all third-party relationships. This role demands an analytical, detail-oriented, and proactive individual capable of translating complex security evaluations into clear, actionable strategies.
You are expected to bring a strong perspective on risk, not just identifying and documenting vendor and supply-chain vulnerabilities, but also guiding the company in making informed trade-offs between speed, scale, and security. Exceptional organizational skills, effective cross-functional communication, and a deep commitment to operational excellence within a dynamic environment are essential.
This role may be based out of one of our US offices (San Francisco, Seattle, NYC, or DC) and operates under a hybrid work model of three days in the office per week. Relocation assistance is offered to new employees.
In This Role, You Will
- Serve as the primary Security interface for vendor-related matters across the organization.
- Own vendor security risk decisions and escalation paths, including explicit documentation of risk acceptance, mitigation plans, and executive-level trade-offs.
- Conduct deep, evidence-based security assessments of third parties, reviewing architectures, configurations, controls, logs, and operational practices to validate real-world security posture.
- Assess and manage security risk across a diverse vendor landscape, including SaaS providers, cloud partners, hardware manufacturers, chip suppliers, and other strategic third parties.
- Develop, build, and continuously enhance the vendor security program and supply chain risk management function at OpenAI.
- Develop, propose, and implement effective controls to mitigate identified vendor risks.
- Build and maintain collaborative partnerships with internal stakeholders like Infrastructure Security, Product, Engineering, Legal, Procurement, and Threat Intelligence.
- Streamline and automate vendor and supply chain security processes to boost efficiency and reduce manual overhead.
You Might Thrive In This Role If You Have
- Proven experience conducting third-party or supply chain security assessments, including building and scaling a vendor management security program.
- An in-depth understanding of information security principles and controls (data protection, access management, proactive/reactive security, application security).
- Comfort operating in ambiguity, with the ability to form defensible security opinions under pressure or with incomplete information.
- Strong technical and analytical skills, with a demonstrated ability to identify and assess risks from external incidents and industry breaches.
- Familiarity with workflow optimization tools such as Zip and OneTrust.
- A passion for integrating new AI technologies into your solutions.
- Exceptional verbal and written communication skills to clearly articulate complex security concepts to diverse audiences.
- A proactive mindset and desire to own and drive security initiatives in a fast-paced environment.
- Knowledge of key security frameworks and standards such as ISO-27001, NIST 800-53, SOC 2, and understanding of regulatory requirements like the Trade Agreements Act (TAA).
Key skills/competencies
- Vendor Security
- Supply Chain Risk Management
- Security Assessments
- Risk Mitigation
- Information Security Principles
- Compliance Frameworks
- Stakeholder Collaboration
- Process Automation
- Technical Analysis
- Security Standards (ISO-27001, NIST 800-53, SOC 2)
How to Get Hired at OpenAI
- Research OpenAI's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
- Tailor your resume: Customize your resume to highlight experience in vendor security, risk management, and compliance frameworks relevant to OpenAI.
- Demonstrate AI enthusiasm: Show genuine interest in AI and how it intersects with security, aligning with OpenAI's core mission.
- Prepare for technical security questions: Be ready to discuss security principles, control implementation, and risk assessment methodologies specific to third parties.
- Showcase problem-solving skills: Articulate past experiences where you've managed complex security trade-offs and delivered actionable solutions.