Principal Cloud IAM Engineer

Workday
Reston, VA (Hybrid)

About The Position

Workday's Cybersecurity & Trust organization exists to inspire confidence and trust in Workday. We safeguard the personal information of 60+ million people and the financial information of some of the largest companies in the world. Cybersecurity is woven into the fabric of Workday and is core to everything we do. We nurture a security-first mentality and believe that moving with speed and velocity is enabled by building security into the foundation. Build the future of Cybersecurity at Workday by applying innovative technology to a customer-centric platform!

The Workday Enterprise Security team safeguards Workday's vital data, infrastructure, and applications through authority, technical solutions, and risk mitigation across all enterprise systems, concentrating on security architecture, engineering, and infrastructure. We select, engineer, and lead a robust suite of technical controls to actively prevent, detect, and respond to threats. Ultimately, Enterprise Security acts as the central line of defense, proactively leading security posture, ensuring operational resilience, and maintaining customer trust in Workday's dedication to security excellence.

Within Enterprise Security, the Enterprise Identity team is where identity meets impact. We own and evolve the Identity and Access Management systems that serve as Workday's first and most critical line of defense, governing who gets access, to what, and why. From zero-trust architecture and privileged access governance to identity lifecycle automation and federation at scale, we operate across one of the most complex enterprise environments in cloud software. As a Principal IAM Engineer here, you'll architect bold solutions, challenge assumptions, and drive decisions that protect Workday at its core. If you're energized by hard problems at the intersection of identity, security, and engineering excellence, this is where you belong.

Workday's identity surface is large, distributed, and growing, spanning multi-account AWS environments, enterprise SaaS, a global workforce, and an expanding set of AI-driven workloads. Identity is no longer a support function; it's a core security boundary and an enabler of how we build and ship products. We're looking for a Principal Identity and Access Management Architect to own the strategy, design, and long-term direction of our IAM program. This is not an operational role. You'll set the patterns other engineers build against, make the architectural calls that shape how we scale, and work directly with engineering, security, and Risk leadership to drive alignment across the organization. The scope spans human and non-human identity, cloud authorization, federation, secrets management, and the emerging challenge of securing AI agents in production — where the patterns don't fully exist yet and you'll be helping to define them.

This role sits at the intersection of deep technical ownership and cross-functional influence. You'll be expected to lead without always having direct authority, mentor engineers who are earlier in their IAM journey, and bring a risk-informed perspective that translates threat exposure into pragmatic architectural decisions — not checkbox compliance. If you're the kind of engineer who gets ahead of problems before they scale, builds with the next three years in mind, and can hold a technical vision across a complex enterprise environment — this is the role.

Requirements

  • 10+ years of experience in cloud security or IAM, with at least 3 years in a senior or architect-level role with clear ownership of strategy and technical direction.
  • Proven AWS IAM foundations: SCPs, IAM Identity Center, ABAC, multi-account Organizations architecture, and secrets management at scale via AWS Secrets Manager or equivalent vault solutions.
  • Demonstrated Okta experience at enterprise scale: SSO, adaptive MFA, SCIM provisioning, lifecycle management, and AWS environment integration.
  • Deep familiarity with federation protocols (SAML, OIDC, and OAuth2), applied and debugged across complex, heterogeneous environments.
  • Infrastructure-as-code fluency with Terraform, and a clear understanding of how identity controls integrate into and are enforced through CI/CD pipelines.
  • Hands-on engagement with AI and agentic identity is required. This means working knowledge of NHI lifecycle management, service-to-service trust models, and least-privilege design for workloads that assume IAM roles, call external APIs, and chain actions across services.
  • Zero Trust applied in practice: identity-aware perimeters, conditional access policies, and workload-level controls implemented in production environments.
  • Proven ability to drive technical alignment across engineering, security, and business stakeholders without relying on positional authority.
  • Comfortable mentoring and leveling up less senior engineers; takes the time to transfer context, not just deliver outcomes.
  • A risk mitigation mindset: you understand threat exposure well enough to make pragmatic architectural trade-offs, engage credibly with Risk and GRC teams, and push back when a proposed control creates engineering friction without meaningfully reducing risk.

Nice To Haves

  • GCP familiarity is advantageous but not required.
  • Familiarity with AI security tooling such as identity-aware proxies, agent observability platforms, or LLM access governance is a strong differentiator.
  • AWS Certified Security Specialty, as a signal of structured cloud depth.

Responsibilities

  • Architect bold solutions, challenge assumptions, and drive decisions that protect Workday at its core.
  • Own the strategy, design, and long-term direction of our IAM program.
  • Set the patterns other engineers build against.
  • Make the architectural calls that shape how we scale.
  • Work directly with engineering, security, and Risk leadership to drive alignment across the organization.
  • Lead without always having direct authority.
  • Mentor engineers who are earlier in their IAM journey.
  • Bring a risk-informed perspective that translates threat exposure into pragmatic architectural decisions.
  • Get ahead of problems before they scale.
  • Build with the next three years in mind.
  • Hold a technical vision across a complex enterprise environment.

Benefits

  • Workday Bonus Plan or a role-specific commission/bonus
  • Annual refresh stock grants
  • Comprehensive benefits
© 2026 Teal Labs, Inc