Senior Security Architect, Cloud Authentication and Authorization

NVIDIA, Santa Clara, CA
$184,000 - $287,500, Onsite

About The Position

NVIDIA is seeking a Senior Security Architect, Cloud Authentication and Authorization to join their team in Santa Clara, CA. This role involves guiding the architectural vision for identity and authorization systems, collaborating with a world-class team to deliver solutions. The position offers the opportunity to drive meaningful change in the next generation of computing by influencing the future of AI and cloud security.

Requirements

  • 8+ years experience in cybersecurity, security architecture, cloud security, IAM, application security, product security, platform security, infrastructure security, or security engineering for distributed systems.
  • Extensive knowledge in cloud authentication, authorization, IAM, workload identity, agent identity, non-human identity, or identity architecture, combined with hands-on experience in developing, managing, deploying, or assuming direct responsibility for authentic security controls.
  • Bachelor’s degree in Engineering, Cybersecurity, Data Engineering, or a related technical field, or equivalent experience.
  • Proficiency in authentication and authorization protocols and frameworks, such as OIDC, OAuth 2.0, SAML, federation, delegation, token exchange, token scope, issuer and audience boundaries, consent, mTLS, certificate-backed identity, prioritized access, and associated technologies.
  • Direct involvement in handling workload and agent identities, covering attestation processes, Zero Trust Architecture concepts, short-lived credentials, and temporary identities.
  • Experience developing authorization boundaries for distributed systems, including fine-grained authorization patterns, control points, prioritized delegation, model/data/tool access controls, sensitive-action approval, and execution boundaries.
  • Proficiency with identity and certificate lifecycle management, including enrollment, provisioning, scope definition, prioritized issuance, renewal, rotation, revocation, expiration, auditability, deprovisioning, lifecycle automation, and awareness of crypto-agility and post-quantum cryptography implications.
  • Hands-on understanding of AI security risks combined with adequate proficiency in AI-enabled systems to assess prompt injection, data exfiltration, unsafe tool use, overbroad authorization, and loss of human accountability.
  • Strong foundational cybersecurity judgment, including threat modeling, architecture review, risk analysis, practical mitigation development, clear communication of assumptions, partner-team alignment, and follow-through across implementation, verification, documentation, and closure.

Nice To Haves

  • Experience crafting or adopting workload identity systems such as SPIFFE/SPIRE, workload identity federation, service mesh identity, policy engines, or attestation-backed identity provisioning.
  • Extensive knowledge of autonomous agent identity, delegated authority, token exchange, prioritized credentials with limited scope, certificate-backed identities, identity-aware policy controls, or ownership models for human, workload, service, and agent identities.
  • Experience crafting controls for AI agent tool use, such as per-tool authorization, policy control points, approval gates, egress restrictions, connector-scoped credentials, or emergency disablement of compromised agents.
  • Background with crafting security architecture for enterprise connectors, AI assistants, tool integrations, automation systems, sensitive-action approvals, or cross-system authorization boundaries.
  • Experience reducing or eliminating static credentials through workload identity, short-lived credentials, certificate lifecycle improvements, auditable service identity, or automated revocation and rotation.

Responsibilities

  • Outline the security architecture strategy for cloud authentication, authorization, workload identity, and agent identity across NVIDIA cloud platforms, AI-enabled systems, enterprise connectors, services, and automation.
  • Outline processes for establishing, linking, authorizing, delegating, auditing, and retiring human, workload, service, and autonomous agent identities, including attestation-supported identity issuance and certificate-based or temporary credentials.
  • Develop authorization and delegation frameworks for AI agents and enterprise connectors, encompassing consent, token exchange, prioritized authority, sensitive-action approval, revocation, and protections against confused-deputy behavior.
  • Lead architecture reviews and threat modeling for high-risk identity and access flows, turning ambiguous scenarios into practical controls that engineering teams can build and verify.
  • Establish identity lifecycle, telemetry, and emergency-disablement patterns for token issuance, policy decisions, privilege elevation, tool invocation, data access, credential rotation, grant revocation, and compromised or untrusted identities.
  • Convert emerging AI security risks into authentication, authorization, audit, and execution-boundary requirements.
  • Partner with identity, cloud, platform, application, AI security, governance, detection, and incident response teams to align architecture decisions with risk strategy and operational reality.
  • Build reusable architecture patterns, decision records, exception criteria, and implementation mentorship, staying engaged through adoption, validation, and residual-risk closure.

Benefits

  • equity
  • benefits