OpenAI· Product Policy· San Francisco
Product Policy, Cyber Policy Manager
Comp$261K – $290K
Classified Tasks (13)
Automate 0%Augment 85%Human-Only 15%
Augment (11)
AI assists, human decides
Develop, implement, enforce, and communicate product policies governing the use of OpenAI services (e.g., ChatGPT, Codex, GPTs, OpenAI API).
leadership
Define policy frameworks that enable legitimate cybersecurity work while reducing the risk of product misuse.
analytical
Guide evaluation, launch, and governance of product capabilities relevant to cybersecurity.
leadership
Translate complex cyber risk into practical product policy, implementation standards, enforcement guidance, and launch decisions.
analytical
Provide cyber policy advice to technical and product teams based on model capabilities, product architecture, abuse pathways, defensive security use cases, and cybersecurity team needs.
communication
Evaluate cyber-relevant product launches and model capabilities for their support of legitimate security work and potential for misuse by malicious actors.
analytical
Translate cyber threat risk into clear product requirements, launch guidance, enforcement standards, user-facing policy, and internal implementation guidance.
operational
Develop operationalizable standards, enforcement protocols, and escalation paths for cyber abuse scenarios (including vulnerability exploitation, credential abuse, social engineering, malware enablement, phishing, data exfiltration, and misuse of security automation).
operational
Build scalable policy frameworks for dual-use cyber capabilities and define boundaries between beneficial security research, defensive operations, and harmful cyber activity.
leadership
Enable defenders to use OpenAI tools effectively while setting clear boundaries against malicious cyber activity.
technical
Convert technical risk into durable rules, standards, processes, and decisions.
operational
Human-Only (2)
Requires human judgment
Partner with safety, security, product, engineering, research, legal, operations, communications, and global affairs teams to make principled, timely decisions about cyber risk in high-ambiguity situations.
leadership
Align diverse teams and stakeholders around cyber policy decisions in fast-moving, ambiguous environments.
leadership
Job description
Product Policy, Cyber Policy Manager | OpenAI Careers ## Product Policy, Cyber Policy Manager Product Policy - San Francisco Apply now(opens in a new window) **About the Team** The Product Policy team develops, implements, enforces, and communicates the policies that govern use of OpenAI’s services, including ChatGPT, Codex, GPTs, and the OpenAI API. This cyber-focused role will help define how OpenAI enables legitimate cybersecurity work while reducing the risk that our products are misused for cyber abuse. This role sits at the intersection of AI capability, cybersecurity practice, and abuse prevention: helping defenders use OpenAI’s tools effectively while setting clear boundaries against malicious cyber activity. **About the Role** As a Product Policy Manager specializing in Cyber, you will combine cyber and policy expertise to guide how OpenAI evaluates, launches, and governs capabilities relevant to cybersecurity. You will work closely with product, engineering, research, safety, security, legal, operations, and go-to-market teams to translate complex cyber risk into practical product policy, implementation standards, enforcement guidance, and launch decisions. The role requires understanding both sides of the cyber equation: how defenders investigate, detect, triage, and respond to threats, and how malicious actors may attempt to misuse AI systems for vulnerability exploitation, social engineering, malware enablement, credential abuse, or other harmful activity. Strong candidates may bring depth in one or more cyber domains, such as attacker tradecraft, vulnerability discovery, malware analysis, phishing and credential abuse, identity and access risks, incident response, detection engineering, secure development, threat intelligence, abuse investigations, or security tooling — along with the ability to reason across adjacent areas. You do not need to have held a formal policy title, but you should have experience turning technical risk into durable rules, standards, processes, or decisions, and very strong communications skills. As OpenAI continues to grow, this role will help align diverse teams and stakeholders while operating in a fast-moving, ambiguous environment. This role is based in San Francisco, CA. We use a hybrid work model of 3 days in the office per week and offer relocation assistance to new employees. **In this role, you will:** * Provide cyber policy advice to technical and product teams based on a deep understanding of model capabilities, product architecture, abuse pathways, defensive security use cases, and the practical needs of cybersecurity teams. * Evaluate cyber-relevant product launches and model capabilities, including how they may support legitimate security work and how they could be misused by malicious or irresponsible actors. * Translate cyber threat risk into clear product requirements, launch guidance, enforcement standards, user-facing policy, and internal implementation guidance. * Develop operationalizable standards, enforcement protocols, and escalation paths for cyber abuse scenarios, including vulnerability exploitation, credential abuse, social engineering, malware enablement, phishing, data exfiltration, and misuse of security automation. * Partner with safety, security, product, engineering, research, legal, operations, communications, and global affairs teams to make principled, timely decisions about cyber risk in high-ambiguity situations. * Help build scalable policy frameworks for dual-use cyber capabilities, including where to draw boundaries between beneficial security research, defensive operations, and harmful cyber activity. **You might thrive in this role if you:** * Have 5+ years of experience, or equivalent depth, in one or more of the following areas: cybersecurity, security engineering, threat intelligence, incident response, abuse investigations, detection engineering, product policy, cyber policy, trust and s