Identity Access Manager (IAM) Engineer

PEAK6
Chicago, IL
$104,000 - $130,000
Hybrid

About The Position

You will own the identity layer that everything else depends on. That means making sure the right people have the right access at the right time, and that attackers cannot abuse credentials, tokens, or access paths to move through our environment. You will harden admin accounts, automate the joiner/mover/leaver lifecycle, clean up risky OAuth grants, and build the evidence trails that prove identity controls are working. You will partner closely with our US and Budapest teams to reduce account takeover risk and keep privileged access tight across PEAK6 and its portfolio companies. PEAK6 operates across financial services, broker-dealer, insurance, and technology sectors. The identity controls you build directly support regulatory obligations including the GLBA Safeguards Rule, SEC Regulation S-P, and SEC cybersecurity risk management requirements, so your work has real stakes and visibility.

Requirements

  • 5+ years in identity and access management, with hands-on depth in Okta (or a comparable identity provider), Google Workspace admin, and OAuth/SAML/OIDC.
  • Designing or operating joiner/mover/leaver workflows, ideally with evidence trails and measurable SLA tracking.
  • Comfort auditing grants, scoping restrictions, and distinguishing legitimate from risky delegated access in Google Workspace or Microsoft 365 environments.
  • Familiarity with break-glass patterns, MFA enforcement policies, and admin account separation; experience with an enterprise password/secrets manager (we use 1Password).
  • Route findings, exceptions, and lifecycle tasks to tickets naturally and keep them clean.
  • Able to write concise runbooks, explain access decisions to non-technical stakeholders, and produce audit-ready evidence.
  • Operate with high autonomy, surface blockers early, and do not wait to be handed a playbook.
  • Willingness to participate in shared after-hours response to identity-related security alerts.

Nice To Haves

  • Okta Certified Professional or Administrator
  • GIAC GISF, GCIH
  • CompTIA Security+
  • Google Workspace Administrator
  • AWS Security Specialty or GCP Professional Cloud Security Engineer where cloud IAM is in scope.

Responsibilities

  • Harden privileged access: deploy and validate phishing-resistant MFA for admin accounts (FIDO2/WebAuthn hardware keys or equivalent), maintain break-glass account procedures and test them on a defined cadence, and enforce least-privilege baselines across cloud and SaaS environments.
  • Own OAuth hygiene: audit and clean up risky or overprivileged OAuth grants across Google Workspace and connected SaaS platforms; define and enforce a restriction baseline that blocks high-risk scopes without breaking legitimate workflows.
  • Build and operate JML automation: design and implement joiner, mover, and leaver workflows with evidence trails; drive leaver access revocation to a consistent sub-24-hour SLA and mover access delivery within defined SLAs.
  • Apply risk-based access controls: define and implement stronger authentication and higher-scrutiny monitoring for risk cohorts (executives, finance, and IT admins) in partnership with the identity platform owners.
  • Maintain continuous IAM visibility: build and sustain reporting that makes access posture visible (stale accounts, standing privilege, risky grants, and JML exceptions) and route findings to owners with Jira-tracked SLAs.
  • Partner on identity-adjacent controls: coordinate with the Cloud/Platform team on cloud IAM policy, admin MFA enforcement, and least-privilege baselines across AWS and GCP environments.
  • Document and prove outcomes: maintain runbooks, process documentation, and evidence records that support audit inquiries, access certifications, and executive reporting.

Benefits

  • healthcare benefits (medical, dental and vision, EAP)
  • competitive PTO
  • 401k match
  • parental leave
  • HSA contribution match
  • paid subscription to the Calm app
  • generous external learning and tuition reimbursement benefits