Head of Information Security - Theona

Posted a day ago

Worldwide

5-10 years experience

AI Summary

Lead the end-to-end security strategy and governance for AI agents, focusing on access controls and multi-tenant isolation. Act as the primary security contact for enterprise customers and manage compliance programs like SOC 2 and GDPR.

About us


Theona is a platform for building and deploying AI agents that take real actions across a company's tools and data. As those agents move into production, governing what they can access and do becomes mission-critical, and that is what this role owns. We are a fast-moving team shipping quickly.


About the role


This is our first security leader. You own security end-to-end: strategy, how we govern what our agents can do, and the trust we earn from enterprise customers. At this stage it is a player-coach role: you set direction and ship the controls yourself today, and build the team as we grow.


What you will do

  • Own how we govern what our agents can do: what they can access, the trust boundaries between an agent and the systems it touches, how OAuth tokens and credentials are scoped, and multi-tenant isolation. You set both the policy and the controls. This is what lets customers run agents on sensitive systems, and what carries us through enterprise security review.
  • Own our security strategy and posture across the platform and its cloud infrastructure, and decide where to invest first.
  • Be our security face to customers: own the trust center, lead enterprise security reviews, and turn what buyers ask for into our roadmap.
  • Build the security function as we grow. For now, you are hands-on and ship the work yourself. Keep our SOC 2 and GDPR programs on track as they mature.


What we are looking for

  • 6+ years in security, including owning a security program end-to-end, not only contributing to one. Deep into how modern systems grant and scope access: identity, OAuth, secrets, cloud security, and multi-tenant isolation.
  • Technical enough to set architecture and review controls yourself, and still get hands-on.
  • Genuinely interested in agent and AI security: how agents are scoped, what they are trusted to do, and where the trust boundaries sit.
  • Fluent in talking to engineers, auditors, and enterprise security buyers, and able to own a customer security review without help. 
  • Comfortable building from a near-blank slate as the only security person in the room.

Nice to have

  • Hands-on agent or LLM security: agent authorization scoping, tool-call trust boundaries, prompt and output risk.
  • Experience taking SOC 2, ISO 27001, or GDPR through to audit.
  • Multi-tenant SaaS isolation, and experience standing up a customer trust center.
  • Familiarity with the agent-governance landscape (EU AI Act, NIST AI RMF, ISO 42001).



What we offer

  • Contractor agreement with a US-registered legal entity.
  • 100% remote — work from anywhere in the world.
  • Competitive salary in USD + stock options based on contribution and strong performance.
  • Opportunity to join a funded startup as an early employee, with equity and long-term upside potential.
  • Wide field for growth — with the flexibility to contribute to the product and influence its direction from an early stage.
