Senior IAM Engineer

Role Summary

What You’ll Do (Core Responsibilities)

Architect and Automate Identity Foundations

• Design and maintain secure-by-default IAM architectures across Azure AD / Entra ID, AWS IAM, and hybrid enterprise systems.
• Develop paved road templates for access control patterns (e.g., federated access, role assumption, service accounts, workload identity).
• Automate provisioning and deprovisioning pipelines using identity APIs, SCIM, and workflow orchestration tools (e.g., SailPoint, Okta Workflows, Azure Automation, or Terraform).
• Implement policy-as-code for IAM guardrails (e.g., least-privilege enforcement, conditional access, MFA requirements, privilege expiration).

Access Control, Federation, and Governance

• Engineer federated identity solutions for users, applications, and partners using SAML, OIDC, and OAuth2.
• Manage conditional access policies, adaptive authentication, and passwordless strategies to balance security with user experience.
• Define and enforce least privilege for human and machine identities across AWS, Azure, and SaaS platforms.
• Integrate IAM governance with enterprise GRC systems to ensure traceability and audit readiness.
• Partner with AppSec and Cloud teams to secure authn/z boundaries across applications, APIs, and services.

Privileged Access Management (PAM)

• Implement and maintain privileged access vaulting and session control using platforms like CyberArk, BeyondTrust, Delinea, or Azure PIM.
• Automate just-in-time elevation for administrative roles and enforce time-bound access approvals.
• Continuously monitor and remediate excessive privileges across cloud and on-prem accounts.
• Integrate PAM telemetry with SIEM/SOAR for threat detection and behavioral analytics.

Lifecycle and Risk Management

• Automate joiner/mover/leaver processes and identity lifecycle events through API-driven workflows and HR system integrations.
• Conduct periodic access reviews and certifications; deliver evidence for SOC2, PCI, and ISO audits.
• Develop and maintain dashboards for leading indicators (automated provisioning rate, MFA coverage, stale accounts) and lagging indicators (MTTR for access removal, orphaned identities, failed recertifications).
• Prioritize remediation through risk scoring (criticality × exposure × privilege depth) and ensure compliance with internal SLAs.

Detection and Response Integration

• Collaborate with Security Operations to define identity-related detections (impossible travel, lateral movement, privilege abuse).
• Correlate identity events with endpoint and cloud telemetry to identify compromised accounts.
• Assist in incident response for identity-based breaches, credential theft, and access abuse.

Minimum Qualifications

• 5+ years of experience in Identity and Access Management engineering, including multi-cloud and hybrid enterprise environments.
• Strong knowledge of Azure AD / Entra ID, AWS IAM, and SAML / OIDC / OAuth2 / SCIM protocols.
• Proficiency with identity automation using PowerShell, Python, Terraform, or APIs.
• Experience with PAM platforms (CyberArk, BeyondTrust, or Azure PIM) and IGA tools (SailPoint, Saviynt, or Okta).
• Familiarity with conditional access, MFA enforcement, and passwordless authentication in large-scale environments.
• Understanding of zero trust architecture, least privilege design, and role-based access control (RBAC)principles.
• Proven ability to interpret business access needs and translate them into secure, scalable IAM solutions.

Preferred Qualifications

• Exposure to NIST 800-63, CIS Controls, Zero Trust Maturity Model, and NIST CSF.
• Experience integrating IAM data with SIEM (e.g. Sentinel) and SOAR workflows.
• Relevant certifications such as CISSP, CISM, Azure Security Engineer Associate, AWS Security – Specialty, or Okta Certified Professional.

Behavioral Competencies

• Enablement first: You design access patterns that simplify compliance and make the secure option the default.
• Automation mindset: You codify identity logic and guardrails, reducing manual effort and human error.
• System thinker: You see identity as the connective tissue between applications, infrastructure, and users.
• Risk translator: You clearly articulate the business impact of over-privilege and authentication weaknesses.