Product Policy, Cyber Policy Manager

About the Role

As a Product Policy Manager specializing in Cyber, you will combine cyber and policy expertise to guide how OpenAI evaluates, launches, and governs capabilities relevant to cybersecurity. You will work closely with product, engineering, research, safety, security, legal, operations, and go-to-market teams to translate complex cyber risk into practical product policy, implementation standards, enforcement guidance, and launch decisions.

The role requires understanding both sides of the cyber equation: how defenders investigate, detect, triage, and respond to threats, and how malicious actors may attempt to misuse AI systems for vulnerability exploitation, social engineering, malware enablement, credential abuse, or other harmful activity. Strong candidates may bring depth in one or more cyber domains, such as attacker tradecraft, vulnerability discovery, malware analysis, phishing and credential abuse, identity and access risks, incident response, detection engineering, secure development, threat intelligence, abuse investigations, or security tooling — along with the ability to reason across adjacent areas. You do not need to have held a formal policy title, but you should have experience turning technical risk into durable rules, standards, processes, or decisions, and very strong communications skills.

As OpenAI continues to grow, this role will help align diverse teams and stakeholders while operating in a fast-moving, ambiguous environment.

This role is based in San Francisco, CA. We use a hybrid work model of 3 days in the office per week and offer relocation assistance to new employees.

In this role, you will

• Provide cyber policy advice to technical and product teams based on a deep understanding of model capabilities, product architecture, abuse pathways, defensive security use cases, and the practical needs of cybersecurity teams.
• Evaluate cyber-relevant product launches and model capabilities, including how they may support legitimate security work and how they could be misused by malicious or irresponsible actors.
• Translate cyber threat risk into clear product requirements, launch guidance, enforcement standards, user-facing policy, and internal implementation guidance.
• Develop operationalizable standards, enforcement protocols, and escalation paths for cyber abuse scenarios, including vulnerability exploitation, credential abuse, social engineering, malware enablement, phishing, data exfiltration, and misuse of security automation.
• Partner with safety, security, product, engineering, research, legal, operations, communications, and global affairs teams to make principled, timely decisions about cyber risk in high-ambiguity situations.
• Help build scalable policy frameworks for dual-use cyber capabilities, including where to draw boundaries between beneficial security research, defensive operations, and harmful cyber activity.

You might thrive in this role if you

• Have 5+ years of experience, or equivalent depth, in one or more of the following areas: cybersecurity, security engineering, threat intelligence, incident response, abuse investigations, detection engineering, product policy, cyber policy, trust and safety, or a closely related field.
• Bring strong technical fluency in one or more cyber domains, such as vulnerability management, malware analysis, threat intelligence, incident response, phishing and credential abuse, detection engineering, secure software development, cloud security, identity and access management, or security automation.
• Understand the modern cyber threat environment, including how sophisticated and opportunistic actors operate, how defenders detect and respond, and where AI can create both meaningful defensive value and misuse risk.
• Can evaluate dual-use cyber capabilities with nuance, distinguishing between legitimate security research, authorized defensive activity, risky automation, and malicious or abusive behavior.
• Communicate clearly with product managers, engineers, researchers, executives, security practitioners, and policy stakeholders, and enjoy turning ambiguous technical risk into practical decisions, requirements, and guidance.
• Are comfortable building new policy frameworks, processes, and decision criteria in ambiguous or fast-moving areas.
• Use data, threat intelligence, user feedback, and operational signals to improve policy quality, measure effectiveness, and identify emerging risks.
• Care deeply about enabling beneficial cybersecurity work while preventing abuse.