
Sr. Staff Technology Controls Architecture & Assurance Lead
Job Description
Archer is an aerospace company based in San Jose, California building an all-electric vertical takeoff and landing aircraft with a mission to advance the benefits of sustainable air mobility. We are designing, manufacturing, and operating an all-electric aircraft that can carry four passengers while producing minimal noise.
Our sights are set high and our problems are hard, and we believe that diversity in the workplace is what makes us smarter, drives better insights, and will ultimately lift us all to success. We are dedicated to cultivating an equitable and inclusive environment that embraces our differences, and supports and celebrates all of our team members.
Archer is building the future of urban air mobility — and the integrity of that mission depends on a security posture that is not just defensible, but demonstrable. As we scale our defense programs, certify aircraft with the FAA, and expand our enterprise footprint, the stakes of a control failure or compliance gap are measured in mission impact, not just audit findings. At Archer, information security is woven into the aircraft certification process itself — making this role uniquely consequential in ways that go well beyond a traditional enterprise GRC function.
Archer is seeking a Senior Staff Technology Controls & Assurance Lead to serve as a cornerstone of our GRC function, reporting to the Sr. Director of Governance, Risk & Compliance. In this high-visibility role, you will own IS policy development, internal controls governance, risk quantification, and engagement with internal and external audit bodies. You are the person who makes our risk posture legible — to our board, to our auditors, to DoD assessors, and to our own engineering teams.
This is not a checkbox compliance role. We expect you to operate with the intellectual rigor of a risk analyst, the communication precision of an executive advisor, and the technical depth to understand what our controls actually do. You will bring both qualitative judgment and quantitative discipline to the risk function — building data-driven KRIs, leveraging AI and analytics to surface themes and outliers, and translating signal into action across the organization.
What You Will Own
IS POLICY & CONTROLS DEVELOPMENT
Lead the development, maintenance, and lifecycle governance of Archer's Information Security policy library, standards, and control frameworks. Ensure policies are grounded in applicable regulatory obligations — NIST SP 800-171, CMMC Level 2, NIST SP 800-161 C-SCRM, DFARS, ITAR — and translated into implementable control requirements that engineering and operations teams can execute against.
ISSUE MANAGEMENT & RISK MITIGATION GOVERNANCE
Own the enterprise IS Issue Management process from identification through closure — establishing severity thresholds, SLA frameworks, escalation paths, and executive reporting cadences. Govern risk acceptance, exception management, and Plan of Action & Milestones (POA&M) processes. Ensure that open risk items receive time-bound, accountable remediation ownership, and that residual risk is clearly communicated to leadership.
CONTROL SELF-ASSESSMENTS (CSAS)
Design and execute Archer's internal Control Self-Assessment program — developing testing procedures, coordinating with control owners across engineering, IT, finance, and legal, and producing structured findings that drive control improvement. Maintain ongoing awareness of control effectiveness between formal audit cycles to prevent surprise gaps.
INTERNAL & EXTERNAL AUDIT MANAGEMENT
Serve as the primary IS liaison for internal audit, external financial auditors, and government compliance assessors — including CMMC C3PAO assessments and DCSA reviews. Manage evidence collection, artifact packaging, auditor communications, and findings remediation tracking. Translate auditor requests into efficient, well-organized responses that demonstrate the maturity and rigor of Archer's control environment.
SOX ITGC COMPLIANCE
Own Archer's SOX IT General Controls program — coordinating with external auditors, managing ITGC scoping, and ensuring that change management, access controls, and IT operations controls meet the standards required to support a public-company financial reporting environment. Partner with Finance and Internal Audit to maintain SOX readiness year-round.
QUANTITATIVE RISK ANALYSIS & KRI DEVELOPMENT
Build and maintain a meaningful set of Key Risk Indicators (KRIs) that go beyond checkbox coverage metrics to reflect actual risk exposure trends. Apply quantitative risk analysis techniques — including probabilistic modeling and loss magnitude estimation — to prioritize remediation investment and communicate risk in financial terms to executive and board audiences. Leverage AI-assisted analytics and data science techniques to identify themes, concentrations, and anomalies across risk data that qualitative review alone would miss.
REGULATORY COMPLIANCE & DEFENSE PROGRAM OBLIGATIONS
Maintain deep working knowledge of DFARS 252.204-7012, ITAR Part 120-130, CMMC Level 2 practices, and evolving DoD cybersecurity requirements. Advise program teams on data handling, access control, and CUI safeguarding obligations. Ensure Archer's compliance posture is continuously calibrated against new regulatory guidance and remains audit-ready for government assessments supporting active defense contracts.
FAA INFORMATION SECURITY & AIRCRAFT CERTIFICATION SUPPORT
Partner with Archer's engineering, avionics, and certification teams to ensure that IS controls and governance processes align with FAA Aircraft Systems Information Security/Protection (ASISP) requirements throughout the type certification lifecycle. Support the application of airworthiness security standards — including RTCA DO-326A, DO-356A, and DO-355A — as the FAA applies Special Conditions and Means of Compliance to Archer's aircraft systems. Assess how intentional unauthorized electronic interactions (IUEI) and enterprise IS risk could propagate into aircraft safety domains, and maintain awareness of evolving FAA rulemaking that will shape Archer's certification obligations as we approach type certificate milestones.
EXECUTIVE COMMUNICATION & STAKEHOLDER ENGAGEMENT
Produce crisp, executive-quality risk briefings, board-level dashboards, and audit-ready evidence packages. Communicate complex regulatory and technical risk findings with clarity and precision to non-technical audiences — including the CISO, General Counsel, CFO, and Board Audit Committee. Serve as a trusted advisor to business stakeholders who need to understand their compliance obligations without drowning in framework language.
Technology Stack
Hands-on experience with the following platforms is expected or highly valued:
- ServiceNow GRC / IRM
- AuditBoard
- Jira / Confluence
- Power BI / Tableau
- Vanta / Drata / Secureframe
- Workiva
- Splunk / SIEM
- Python / SQL (data analytics)
- AI/LLM tooling for analysis
- NIST SP 800-53 Rev. 5
- OSCAL
- RTCA DO-326A / DO-356A
- CUI Registry / DCSA eMASS
What You Bring
- 8+ years in information security, with at least 4 years in a GRC, compliance, or IS audit-focused role — ideally spanning both commercial and defense or government-adjacent environments
- Deep, hands-on working knowledge of NIST SP 800-171 / CMMC Level 2, NIST SP 800-161 (C-SCRM), DFARS 252.204-7012, and ITAR — including practical application in an active compliance program, not just familiarity with the frameworks
- Demonstrated experience managing SOX ITGC programs — including scoping, control design, auditor engagement, and year-round readiness in a public or pre-IPO company environment
- Proven track record designing and executing Control Self-Assessment (CSA) programs and managing the full issue lifecycle from identification through risk-accepted closure
- Experience serving as the primary IS point of contact during formal external audits or government compliance assessments — managing evidence, auditor relationships, and findings remediation under deadline pressure
- Ability to build and maintain quantitative risk models and KRIs — translating risk data into business-impact terms and leveraging data analytics or AI tooling to identify risk themes, trends, and outliers at scale
- Exceptional written and verbal communication skills — the ability to produce board-ready risk briefings, distill complex regulatory findings into plain language, and command credibility with both technical engineers and C-suite executives
- U.S. citizenship and eligibility to obtain a DoD Secret security clearance
Nice to Have
- Active DoD Secret or Top Secret/SCI clearance
- Certifications: CISSP, CISM, CRISC, CISA, or CMMC Registered Practitioner (RP) / Certified Professional (CCP)
- Familiarity with FAA Aircraft Systems Information Security/Protection (ASISP) requirements and the RTCA DO-326A / DO-356A / DO-355A airworthiness security standard suite — including how these apply to type certification Special Conditions, continued airworthiness obligations, and IS risk assessment for connected and eVTOL aircraft systems
- Aerospace, aviation, or defense industry experience — including familiarity with FAA certification environments, ITAR/EAR data sharing constraints, and CUI program requirements
- Hands-on experience with quantitative risk analysis methodologies such as FAIR (Factor Analysis of Information Risk) — ability to communicate risk in dollar-denominated, probabilistic terms
- Practical experience applying AI, machine learning, or statistical analysis techniques to GRC datasets — anomaly detection, control testing coverage analysis, risk concentration mapping
- Exposure to FOCI (Foreign Ownership, Control, or Influence) assessments and DCSA facility clearance requirements relevant to a defense contractor environment
- Prior startup or high-growth company experience — comfort operating in ambiguous, low-bureaucracy environments where program infrastructure must be built, not inherited
Please note that this job description is intended to provide a general overview of the position and does not include an exhaustive list of responsibilities and qualifications.
At Archer we aim to attract, retain, and motivate talent that possesses the skills and leadership necessary to grow our business. We drive a pay-for-performance culture and reward performance that supports the Company’s business strategy. For this position we are targeting a base pay between $207,400 - $259,200. Actual compensation offered will be determined by factors such as job-related knowledge, skills, and experience.
Archer is proud to be an Equal Opportunity employer committed to diversity and inclusivity in the workplace. All aspects of employment are decided on the basis of merit, qualifications, and business needs. We do not discriminate based upon race, color, religion, sex, sexual orientation, age, national origin, disability status, protected veteran status, gender identity or any other characteristic protected by federal, state or local laws.
Archer is committed to working with and providing reasonable accommodations to job applicants with physical or mental disabilities, and those with sincerely held religious beliefs. Applicants who may require reasonable accommodation for any part of the application or hiring process should provide their name and contact information to Archer’s People Team at [email protected]. Reasonable accommodations will be determined on a case-by-case basis.
Information collected and processed as part of any job applications you choose to submit is subject to Archer's Candidate Privacy Policy.
Archer is unable to provide work visa sponsorship for this position at the present time.
Archer Aviation does not engage with external recruiting agencies/individual recruiters with whom it does not have a prior written agreement. Archer reserves the right to make use of any unsolicited resumes that it receives and bears no responsibility for payment of any fees asserted from the use of unsolicited resumes. If you are a recruiting agency or individual recruiter wishing to do business with Archer, please reach out to [email protected]. All employment processes are managed by the Archer People Team.
Job Details
- Category
- Business & Finance
- Employment Type
- Contract
- Location
- San Jose, CA
- Posted
- Compensation
- $207,400 - $259,200 per year
About Archer Aviation
Archer Aviation is building Midnight, an electric vertical takeoff and landing (eVTOL) aircraft for urban air mobility. Designed to carry four passengers plus a pilot, Midnight aims to transform city transportation with zero-emission flights.