Lead IAM Specialist - Remote Contract

About The Position

Requirements

• 10+ years of experience in IAM, cloud security, or identity engineering roles with demonstrated progression.
• Proficiency with CSPM tooling, specifically Wiz, for inventory, reporting, and compliance evidence collection.
• Deep expertise in AWS multi-account governance: Organizations, Landing Zones, SCPs, and IAM least-privilege design patterns.
• Proven experience leading zero trust initiatives including JIT/JEA provisioning, CIEM platforms, OAuth/OIDC, and service mesh identity.
• Hands-on experience with policy-as-code tooling and embedding IAM guardrails into IaC (Terraform / CloudFormation) and CI/CD pipelines.
• Experience securing microservices architectures (Python, Go) in async and event-driven environments across AWS, Azure, and GCP.
• Strong command of network and data security controls: segmentation, KMS/encryption, cloud-native logging, and detection.
• Proficiency in metadata tagging strategies, service access pattern development, and credential vault management.
• Strong documentation, process development, and communication skills with the ability to influence cross-functional teams.

Nice To Haves

• Relevant cloud security certifications: AWS Security Specialty, CCSP, CISSP, or equivalent Azure/GCP security certifications.
• Experience implementing and managing enterprise-scale cloud infrastructure security programs.
• Familiarity with identity governance and administration (IGA) platforms and PAM solutions.
• Experience with service mesh technologies (Istio, Envoy) for service-to-service authentication.
• Strong project management skills with experience leading cross-functional security initiatives.

Responsibilities

• Design and enforce IAM least-privilege models across AWS Organizations, Landing Zones, and Service Control Policies (SCPs), with parity controls extended to Azure and GCP.
• Lead zero trust initiatives end-to-end: verify-explicitly policies, Just-in-Time (JIT) / Just-Enough-Access (JEA) provisioning, CIEM integration, and identity platform governance.
• Define and maintain approved access patterns for services and users, aligned to predefined roles (Reader, Contributor, Administrator) and documented as policy-as-code.
• Implement and govern OAuth/OIDC flows, service mesh identity controls, and federated identity across cloud and on-prem environments.
• Maintain a comprehensive inventory of all approved AWS and Azure services, cataloging IAM resources and differentiating between control plane (roles, policies) and data plane (user/key/role/policy/group) resources.
• Manage credentials for local data plane resources in vaults; ensure resource policies are applied consistently across services.
• Utilize Wiz (CSPM) for cloud asset inventory, compliance reporting, evidence collection, and correlation to AWS/Azure/GCP documentation.
• Identify and govern external dependencies including secrets, keys, and cross-account policies.
• Develop a comprehensive metadata tagging strategy mapped to application service lines (ASL), environments, and repository associations.
• Design and build reusable IAM modules for each service access pattern, published to the service registry with consistent enforcement of naming conventions, metadata, and parameters.
• Customize module policies to accommodate unique use cases while maintaining governance guardrails.
• Establish methods to correlate modules with service resource policies and user roles/policies.
• Embed IAM guardrails and policy-as-code controls natively into IaC templates (Terraform, CloudFormation) and CI/CD pipelines for secure-by-default provisioning.
• Develop methodologies and criteria for pre-approved service registry modules deployable via pipelines vs. those requiring manual review.
• Define and enforce controls pertinent to IAM and cloud security standards across all services; implement a shift-left strategy to proactively address IAM cloud operations.
• Guide and contribute to secure microservices development in Python and Go on AWS, Azure, and GCP, including async and event-driven architectures.
• Establish secure coding standards and review processes for service identity, inter-service authentication, and least-privilege service accounts.
• Oversee network and data security controls: segmentation, KMS/encryption strategies, and cloud-native logging and detection pipelines.
• Document IAM configurations for pipelines, repositories, and all cloud services; develop and maintain IAM SDLC documentation.
• Formulate request and approval processes for new IAM modules, including pre-approval pipeline design and approval authority definition.
• Document manual review procedures and escalation paths for non-standard access patterns.
• Develop a comprehensive IAM Cloud program strategy, defining its functions, roadmap, and maturity model.
• Provide recommendations on team structure, roles, skillsets, and resourcing needs across Service Desk, Global Command Center, Cloud Operations, and Cloud Engineering.
• Mentor and guide junior IAM engineers; act as the subject matter expert and escalation point for complex identity and access challenges.

Benefits

• This is a high-impact, senior individual contributor and leadership role at the intersection of cloud security architecture, identity engineering, and platform governance.
• You will have the opportunity to shape our enterprise IAM strategy from the ground up, influence how identity is embedded into every cloud workload, and build a best-in-class program that scales with our growth.