Shopee

Automation Compliance Engineer Intern, IT Compliance (Summer 2026)

  • Posted 20 hours ago

Job Description:

  • Design and implement workflow‑based control automation for Regulatory Standards (e.g., ISO, PCI) and SOX 404 ITGCs, using:
    • Explicit start-action-evidence-end flows.
    • Triggers from tickets, change‑management systems, HR events, or IAM changes.
    • Delivered via tools such as n8n, Camunda, Azure Logic Apps, or custom MCP‑style servers.
  • Build and operate MCP‑style or MCP‑compatible servers that expose:
    • Tools: RESTful endpoints for actions such as trigger evidence collection, run access review, validate change ticket, etc.
    • Resources: Standardized data sources (logs, IAM, ticket data) formatted for AI agents or workflow engines.
    • Auth patterns: API keys, bearer tokens, OAuth2, or OIDC‑style flows that can be consumed by agents or external tools.
  • Engineer API‑first automation:
    • Write scripts and connectors (Python, Node.js, Bash, etc.) that call, compose, and orchestrate APIs from:
      • IAM, IdP, PAM, HRIS, ticketing, cloud IAM, and logging platforms, etc.
      • GRC platforms (e.g., ServiceNow, 6clicks, or similar) via REST APIs.
    • Implement:
      • Authentication and authorization (API keys, Bearer, OAuth2, JWT, Basic, mTLS).
      • Pagination, retry with backoff, rate‑limiting, and safe error handling.
      • Idempotency and safe state transitions for audit‑critical operations.
  • Translate ISO 27001 controls and SOX 404 ITGCs into automated workflows:
    • Example pattern:
      • Trigger: new user join or role change in IAM.
      • Action: call APIs to validate entitlements, cross‑check against SoD, and emit evidence to a GRC tool.
      • Outcome: workflow‑generated record for ISO 27001 access control and SOX logical‑access control.
    • Maintain one source of truth for control logic (code / config) and use workflow IDs as control‑evidence bindings.
  • Design AI‑agent‑ready interfaces:
    • Expose structured, MCP‑style endpoints or OpenAPI specs so that LLM agents or workflow tools can call concrete tools (e.g., get latest access review for System X, run change‑ticket‑completeness check).
    • Handle dynamic policy enforcement: short‑lived tokens, context‑aware access, and audit logging for each AI or agent call.
  • Integrate with data platforms and SIEM/logging:
    • Use logs, change tickets, and identity events as workflow inputs.
    • Build automated tests for control effectiveness (e.g., if a production change is not approved, fire an alert and record as control failure) linked to ISO / SOX control IDs.
  • Maintain audit‑ready workflow artifacts:
    • Log all workflow steps, including timestamps, input, user/agent context, and outputs.
    • Ensure workflow outputs are machine-readable (JSON, structured logs) and can be replayed or reasoned over by auditors or AI agents.

Requirements:

  • Students currently pursuing a Bachelor's degree in computer science, computer engineering or related disciplines.
  • Strong understanding of authorization and authentication:
    • API keys, Bearer tokens, OAuth2 (client, JWT, PKCE), Basic Auth, mTLS, and OIDC‑style flows.
    • Hands‑on experience implementing these in Python, Node.js, or Go (or similar).
  • Deep practical experience with:
    • RESTful APIs: understanding of HTTP methods, status codes, pagination, rate‑limiting, and idempotency.
    • API clients: writing or using libraries that handle auth, retries, and error handling for large datasets.
  • Experience building or integrating with:
    • Workflow / orchestration tools (n8n, Airflow, Logic Apps, Camunda, etc.) or MCP‑style servers / Model Context Protocol‑compatible tooling.
    • GRC platforms via APIs (e.g., ServiceNow, 6clicks, or similar).
  • Familiarity with:
    • ISO 27001 (especially Annex A controls related to access management, change control, and operations).
    • SOX 404 ITGCs (logical access, change management, computer operations, data integrity).
  • Full-time interns preferred
  • Part-time interns who can commit at least 3 working days a week are also welcome to apply

Preferred Qualifications:

  • OpenAPI / Swagger to MCP‑style tool generation (e.g., converting production APIs into MCP servers or AI‑agent tools).
  • Experience with MCP servers or similar control‑plane architectures that expose tools, resources, and prompts for AI agents.
  • Background in security automation, CI/CD, or DevSecOps (a number of tools: n8n, Terraform, Ansible, Docker, logging pipelines).
  • Prior involvement in SOX 404 audits and ISO 27001 certification projects, with a focus on how to automate evidence collection rather than manual spreadsheets.

About Company

Shopee Pte. Ltd. is a Singaporean multinational technology company that specialises in e-commerce. The company was launched in Singapore in 2015, before it expanded abroad. As of 2021, Shopee is considered the largest e-commerce platform in Southeast Asia with 343 million monthly visitors.

Job ID: 147301825