Job Description
At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We're looking for people who are determined to make life better for people around the world.

Purpose

We are seeking a strategic and results-oriented Senior Director to lead the Digital Legal Office's (DLO) AI risk management program and serve as the DLO's enterprise coordination point with the Cyber team on security risks that intersect with AI and privacy. This leader will join our data governance, privacy, cybersecurity, and artificial intelligence team (the "Digital Legal Office") within the Legal department and will be accountable for scaling the DLO's existing GRC program to fully encompass AI risk disciplines: defining the AI risk taxonomy, control library, and domain-specific content that integrates into the team's established governance processes, risk management lifecycle, and ServiceNow tooling, while ensuring the DLO's risk frameworks incorporate appropriate oversight of relevant cybersecurity controls through structured coordination with the Cyber team. This role requires technical fluency in security concepts in order to collaborate closely with Cybersecurity GRC functions and ensure that security control attestations, threat intelligence, and cyber risk outputs are properly reflected in the DLO's risk posture. The ideal candidate is a proven program leader with hands-on experience standing up, maturing, and scaling AI risk management programs within regulated enterprises.

They will be responsible for the AI risk management lifecycle end to end (risk identification, measurement, and monitoring through control design, policy implementation, and executive reporting) and will build the cross-functional relationships and enterprise influence needed to sustain the program at scale. Strong candidates will bring complementary privacy risk management experience and a solid understanding of cybersecurity risk frameworks (e.g., NIST CSF) to ensure a cohesive, cross-domain approach across the DLO's areas of oversight. They will influence senior leadership, represent Lilly's AI governance posture externally, and model Team Lilly behaviors (Include, Innovate, Accelerate, Deliver) in every interaction.

Responsibilities

Strategic Leadership & Governance:
Lead the strategic direction for AI risk management within the DLO's GRC program, defining the multi-year roadmap, maturity targets, and investment priorities needed to keep pace with Lilly's expanding AI portfolio and evolving regulatory landscape. Scale the DLO's existing GRC processes and governance model (including the DLO Risk Board, risk management lifecycle, and control framework) to fully encompass AI risk disciplines and integrate coordinated oversight of cybersecurity risk dependencies, ensuring alignment with Lilly's enterprise risk appetite. Present the DLO's AI and digital risk posture to senior leadership and executive stakeholders on a recurring cadence, translating complex risk landscapes into actionable insights that inform enterprise decision-making. Represent the DLO and Lilly's AI governance posture in external forums, industry working groups, and regulatory engagements, building Lilly's reputation as a leader in responsible AI governance. Champion a culture of responsible AI across the enterprise and foster cross-functional collaboration and constructive challenge.

AI Policy Development & Governance:
Drive the creation, adoption, and continuous improvement of Lilly's AI governance policies and standards, grounded in the NIST AI RMF Govern function and aligned with the EU AI Act's risk-classification requirements and other relevant laws and regulations. Update and lead the enterprise rollout of AI-specific policies covering model risk, algorithmic fairness, transparency, and accountability, ensuring they are operationalized across business units, not just documented. Extend the DLO's existing GRC framework to address the full AI lifecycle (design, development, deployment, monitoring, decommissioning), defining or updating the AI-specific policies, controls, and governance requirements that complement the established privacy and data governance program. Monitor and analyze emerging AI regulations, enforcement actions, and industry standards (e.g., NIST AI RMF updates, EU AI Act implementing guidance, ISO/IEC 42001, OECD AI Principles) to proactively update policies and frameworks.