Senior Staff IT Controls, Enterprise Applications

San Francisco

Thursday, 21 May 2026

- Own ITGC design and operation across enterprise applications, including logical access, change management, SDLC, computer operations, and segregation of duties (SoD).
- Lead the 1st-line control environment for in-scope enterprise applications, partnering with application owners and engineering leads to embed controls into operational workflows rather than bolting them on.
- Drive SoD strategy across ERP, HRIS, and CRM, including role design reviews, conflict remediation, mitigating control design, and ongoing monitoring tooling (e.g., Pathlock, SailPoint, Saviynt, native role analyzers).
- Manage the audit lifecycle as the primary 1st-line liaison with Internal Audit, External Audit, and the SOX PMO: walkthroughs, evidence collection, deficiency remediation, and management responses.
- Build AI-native continuous controls monitoring, including LLM-based evidence review, agentic control testing, and automated anomaly surveillance, to eliminate manual evidence collection, shift controls left, and surface exceptions in near real time. Treat AI agents as control operators with the same evidence and validation expectations as human operators.
- Own the controls posture for Gusto's internal AI and automation portfolio. Partner with AI-builder teams across the company (Finance & BizOps, GRC, Engineering) to review internal AI use cases, classify them by risk category, and ensure controls, evidence trails, and validation travel with the build rather than being bolted on after launch. Be the senior 1st-line owner for the question "do our internal AI builds meet our control standards?"
- Lead access governance, including provisioning/deprovisioning workflows, periodic user access reviews (UARs), privileged access management, and integration with the IGA platform.
- Govern application change management for in-scope systems: approvals, segregation between developers and production, emergency change handling, and release evidence.
- Mature the controls program by leading rationalization initiatives, control consolidation, and the adoption of automated/preventive controls over manual/detective ones.
- Partner cross-functionally with Security/GRC, Legal, Finance/Accounting, People Operations, and Revenue Operations to ensure controls support, rather than impede, the business.

Here's what we're looking for:
- 10 years of experience in IT controls, audit, or enterprise applications governance, with a strong hands-on background operating in the 1st line of defense as a control owner across NetSuite, Workday, and/or Salesforce.
- Deep expertise in SOX 404, COSO, COBIT, and ITGC frameworks, including segregation of duties (SoD) design and remediation across ERP, HRIS, and CRM environments.
- Proven track record leading external audit engagements (Big 4 or equivalent) as the management-side owner, with public company or IPO readiness experience preferred.
- Demonstrated experience building and deploying AI-augmented controls work, including agents, LLM-based reviewers, or automated anomaly detection, with the ability to design controls both for and with AI systems.
- Strong judgment on AI risk, including model risk, prompt injection, output validation, and audit trail design, with hands-on familiarity with agentic tooling such as Claude Code, MCPs, or LLM-based evidence pipelines.
- Excellent communicator who can translate complex control concepts for executives, auditors, and engineers, with experience in continuous controls monitoring (CCM) and data-driven assurance approaches.
- Relevant certifications (CISA, CISSP, CIA, CPA, or equivalent) and familiarity with adjacent frameworks including SOC 1/2, ISO 27001, NIST CSF, and PCI DSS are a plus.

Our cash compensation amount for this role is targeted at $175,000-$195,000/yr in Denver and most remote locations, and $205,000-$225,000/yr for San Francisco, Seattle, and New York.
Final offer amounts are determined by multiple factors, including candidate experience and expertise, and may vary from the amounts listed above. Gusto has physical office spaces in Denver, San Francisco, and New York City. Employees who are based in those locations will be expected to work from the office on designated days, approximately 2-3 days per week (or more depending on role). The same office expectations apply to all roles at Symmetry, Gusto's subsidiary, whose physical office is in Scottsdale. Note: the San Francisco office expectations encompass both the San Francisco and San Jose metro areas. When approved to work from a location other than a Gusto office, a secure, reliable, and consistent internet connection is required. This includes non-office days for hybrid employees.
