Identity and Access Management Leader

Collective Insights, Atlanta, GA

About The Position

As an Identity & Access Management (IAM) Leader, you will design, implement, and optimize modern identity solutions across Identity & Access Management (IAM/SSO/MFA), Identity Governance & Administration (IGA), Privileged Access Management (PAM/PIM/EPM), including human, machine, workload, bot and device Identities & Secrets. You will translate business, security, and compliance needs into scalable architectures on platforms such as Microsoft Entra ID & Entra ID Governance (primary), Okta, Ping, SiteMinder/Oracle Access Manager, CyberArk, BeyondTrust, Delinea EPM, and Azure Key Vault / Entra workload identity federation (AKS, Managed Identity). You will partner closely with client stakeholders to align identity strategy to Zero Trust principles, regulatory obligations, and measurable value realization.

Requirements

  • Experience: 5–8+ years in IAM across at least two subdomains (IAM/SSO/MFA, IGA, PAM/PIM/EPM, machine identity) with enterprise delivery experience.
  • Education: Bachelor’s in Computer Science, Information Security, or related field (or equivalent experience). Master’s/MBA preferred.
  • Technical Expertise: Deep knowledge of Entra ID/Entra ID Governance, Okta, Ping, SiteMinder/OAM; SailPoint or Saviynt; CyberArk/BeyondTrust/Delinea EPM; Azure Key Vault, managed identity, AKS workload identity federation; protocols (OIDC/OAuth2/SAML, SCIM); policy and automation (Conditional Access, PIM, IaC, CI/CD). Development of scripts using tools such as PowerShell/Python/JavaScript/Logic Apps/Power Automate/Flow/Automation Accounts, utilizing APIs including Graph API/REST/SOAP/XML.
  • Solution Design and Implementation Experience: Proven ability to craft secure, scalable architectures, patterns, and reference implementations with clear trade‑off analyses and decision logs. Hands‑on guidance of build teams; integration with HRIS/AD/LDAP/SaaS; migration from legacy WAM to modern identity; non‑functional requirements (HA/DR/scale) and observability/KQL.
  • Problem-Solving & Communication: Structured thinking, root‑cause analysis, and optioning (good‑better‑best) aligned to risk and business value. Clear written and verbal communication from engineering to executive levels; workshop facilitation; executive‑ready materials.
  • Industry Knowledge: Understanding of sector‑specific constraints (e.g., healthcare payer, financial services, public sector) and auditor expectations.
  • Client-Facing Skills: History of successful client engagements, stakeholder alignment, and outcome‑based delivery.
  • Demonstrated Passion: Continuous learning, community contribution, and awareness of emerging identity trends (e.g., passkeys, external identities, identity threat detection).

Nice To Haves

  • Certifications (highly desirable): Microsoft SC‑100, SC‑300, AZ‑500; Okta Professional/Consultant; Ping; SailPoint Architect/Engineer; Saviynt; CyberArk Defender/Sentry; BeyondTrust/Delinea; HashiCorp Terraform Associate; AZ‑104/AZ‑305.

Responsibilities

  • Solution Design: Lead the definition of target‑state IAM architectures (OAuth2/OIDC/SAML, Conditional Access, FIDO2/Passkeys, B2B/B2C/External ID, RBAC/ABAC), IGA operating models (birthright access, lifecycle workflows, access reviews, role mining/SoD), PAM/PIM/EPM patterns (vaulting, JIT/JEA, session management, break‑glass), and machine identity strategies (managed identity, AKS federation, certificate lifecycle, secret rotation). Ensure solutions are scalable, repeatable, secure, and aligned to industry best practices and Zero Trust.
  • Client Engagement: Facilitate discovery and architecture workshops; assess current state and risks; advise executives on roadmap options and operating model implications (helpdesk, audit, NOC/SOC). Communicate complex issues with structured narratives and clear recommendations.
  • Implementation: Guide the conversion of architecture into secure designs and implementation plans; collaborate with Technical Specialists to configure policies, connectors, and automation (Terraform/Bicep, PowerShell/Python, Graph API, CI/CD). Oversee integration, testing, cutover, and rollback strategies.
  • Compliance & Risk Management: Align identity controls to regulatory and security frameworks (e.g., NIST 800‑53/63, ISO 27001, SOC 2, HIPAA/HITRUST, PCI‑DSS, SOX, FedRAMP, NYDFS 23 NYCRR 500). Define controls for privileged access, least privilege, strong auth, and auditability; partner with risk/audit to close findings.
  • Technical Leadership: Serve as design authority; mentor engineers; run design reviews and threat modeling; establish non‑functional requirements (availability, resiliency/DR, performance, observability).
  • Documentation & Reporting: Produce architecture diagrams, patterns, decision records, security requirements, test/acceptance criteria, and runbooks. Provide status, risk/issue tracking, and outcome reporting.
  • Continuous Improvement: Conduct post‑implementation reviews; tune Conditional Access/PIM/EPM policies, provisioning performance, and cert/secret rotations; codify reusable modules.
  • Practice Development: Support pursuits (SoW scope, assumptions, pricing guardrails), demos/POCs, and market presence through presentations and publications. Support innovation through asset development that accelerates value realization.
© 2024 Teal Labs, Inc