Senior Analyst - Data & AI Risk

Sysco

Compensation

$61,600 - $129,300/year

Sysco LABS - Sri Lanka
On-site
Posted April 2, 2026

Job Description

About Sysco LABS

Sysco LABS is the Global In-House Center of Sysco Corporation (NYSE: SYY), the world’s largest foodservice company. Sysco ranks 56th in the Fortune 500 list and is the global leader in the trillion-dollar foodservice industry.

Sysco employs over 75,000 associates, has 337 smart distribution facilities worldwide, and over 14,000 IoT-enabled trucks serving 730,000 customer locations. For fiscal year 2025 that ended June 29, 2025, the company generated sales of more than $81.4 billion.

Sysco LABS Sri Lanka delivers the technology that powers Sysco’s end-to-end operations. Everything we do at Sysco LABS supports Sysco’s Purpose of “Connecting the world to share food and care for one another”, and our work directly impacts millions of food consumers in a trillion-dollar, global industry.

For more information visit: www.syscolabs.lk

Job Summary:

Responsible for executing the organization's standardized risk assessment program across data and AI systems, ensuring that risks are identified, controls are assigned and tracked, and compliance posture is measurable and continuously improving. Brings deep familiarity with leading AI and data risk frameworks—including NIST AI RMF, OWASP, and the EU AI Act—to operationalize governance controls and drive accountability across the organization. Relies on the Data Analyst for catalog coverage and quality metrics, and on the Data & Records Management Engineer for records compliance evidence, to validate that foundational data governance controls are functioning effectively and reflected in risk and compliance reporting.

Duties and Responsibilities:

  • Execute Standardized Risk Assessments: Use model risk expertise (Critical) to conduct structured, repeatable risk assessments for data assets, AI models, and AI-enabled systems using established frameworks including NIST AI RMF, OWASP Top 10 for LLMs, and EU AI Act risk classification criteria. Document findings, risk ratings, and recommended controls in a consistent, auditable manner that supports executive reporting and regulatory inquiry.
  • Assign and Track Controls: Maintain a control library mapped to relevant frameworks and risk categories. Assign appropriate controls to identified risks, coordinate with control owners to confirm implementation status, and track controls through to verified remediation and closure.
  • Measure and Report Compliance: Design and maintain risk and compliance metrics and dashboards that track program status across data and AI governance activities. Produce regular reporting for governance leadership and key stakeholders, including trend analysis, risk heat maps, and gap identification to support data-driven program decisions.
  • Drive Remediation Accountability: Manage open risk findings and remediation plans, establishing clear ownership, timelines, and escalation paths. Ensure timely resolution of findings in alignment with organizational risk tolerance and regulatory deadlines.
  • Support AI System Inventory and Risk Classification: Partner with technical teams to build and maintain a current, comprehensive inventory of AI models and applications. Apply risk-based classification criteria in alignment with EU AI Act tiering requirements and organizational policy, ensuring high-risk systems receive appropriate governance attention.
  • Collaborate with Governance Operations Peers: Work closely with the Data Analyst to confirm that data catalog coverage, asset classification, and data quality metrics meet minimum control thresholds required for AI and data risk compliance. Leverage structured compliance outputs from the Data & Records Management Engineer to verify that records retention and data lifecycle controls are operating and documentable. Translate these operational inputs into risk evidence that supports audit readiness and compliance attestation.
  • Maintain Framework Currency: Monitor regulatory developments, emerging standards, and enforcement trends related to AI governance, data privacy, and cybersecurity. Update internal frameworks, control mappings, and assessment templates to ensure the program remains defensible, current, and aligned with evolving obligations.
  • Contribute to Training and Awareness: Support the development of risk and compliance training materials for data owners, stewards, and AI development teams, ensuring stakeholders understand their obligations, the controls they are responsible for, and how their work connects to the organization's overall governance posture.

Qualifications:

  • Education Required: Bachelor's degree from an accredited institution in Information Systems, Risk Management, Computer Science, Law, or a related field. A graduate degree or professional certification such as CISM, CDPSE, or AIGP is a meaningful plus.
  • Experience Required: Three (3) or more years of experience in data governance, AI governance, technology risk management, or a related compliance-focused discipline.
  • Demonstrated experience conducting structured risk assessments and managing control frameworks in a technology or data-intensive environment.
  • Practical working knowledge of NIST AI Risk Management Framework (AI RMF), OWASP (including Top 10 for LLMs), and the EU AI Act risk classification system.
  • Experience building and maintaining risk and compliance metrics, dashboards, or scorecards used by leadership audiences.

Technical Skills and Abilities: 

  • Risk Framework Proficiency: Deep familiarity with NIST AI RMF, OWASP Top 10 for LLMs, and the EU AI Act, including the ability to apply these frameworks in practical assessment scenarios and cross-map controls across multiple standards. 
  • Metrics and Reporting: Strong skills in designing, calculating, and presenting risk and compliance metrics. Proficiency in tools such as Excel, BI platforms (e.g., Looker, Power BI, Tableau), or GRC platforms to maintain and communicate governance dashboards. 
  • GRC and Risk Tooling: Experience with Governance, Risk, and Compliance platforms for managing assessments, control tracking, and remediation workflows. Familiarity with AI-specific risk tooling is a plus.
  • Analytical and Structured Thinking: Ability to synthesize complex technical, legal, and operational information into clear risk ratings, prioritized control recommendations, and executive-ready reporting.
  • Cross-Functional Communication: Strong written and verbal communication skills with the ability to translate technical risk concepts into accessible language for legal, compliance, and business leadership audiences. 
  • Data Governance Fundamentals: Working knowledge of data cataloging, metadata management, data quality, and records management concepts sufficient to evaluate control effectiveness and collaborate meaningfully with the Data Analyst and Data & Records Management Engineer.

Benefits

  • US dollar-linked compensation
  • Performance-based annual bonus
  • Recognition and rewards programs
  • Agile Benefits – special allowances for Health, Wellness & Academic purposes
  • Paid birthday leave
  • Team engagement allowance
  • Comprehensive health & life insurance cover (extendable to parents and in-laws)
  • Overseas travel opportunities and client environment exposure
  • Hybrid work arrangement