Sr. IAM Analyst - Risk and Compliance

About The Position

Requirements

• 5+ years of progressively responsible experience in Identity and Access Management, Information Security, or IT Risk & Compliance, preferably in a large, regulated healthcare or academic medical environment
• Demonstrated experience supporting audits, regulatory inquiries, and control remediation efforts related to IAM
• Advanced expertise in IAM governance, risk, and compliance, including identity lifecycle controls, access governance, privileged access management, and authentication and authorization models.
• Strong working knowledge of healthcare regulatory and security frameworks, including HIPAA and NIST-based control models, and the ability to map requirements to technical IAM controls.
• Hands-on experience assessing and governing IAM controls within enterprise IAM platforms (e.g., IGA, access management, PAM, directory services).
• Ability to apply risk-based and analytical thinking to identify control gaps, prioritize remediation, and drive measurable improvements.
• Strong written and verbal communication skills, with the ability to clearly articulate IAM risk and compliance concepts to technical teams, auditors, and non-technical stakeholders.
• Proven ability to lead complex initiatives, manage competing priorities, and deliver outcomes in a matrixed enterprise environment.
• Strong judgment and decision-making skills, with demonstrated ability to evaluate trade-offs and recommend solutions that align with MGB’s risk tolerance and

Nice To Haves

• Relevant certifications such as CISSP, CISA, CRISC , or IAM platform certifications (e.g., Saviynt, Okta, CyberArk) – Preferred

Responsibilities

• IAM Risk & Control Management Own and maintain IAM-related controls mapped to frameworks such as NIST 800-53, NIST CSF, HIPAA Security Rule, and Mass General Brigham security policies
• Partner with IAM Engineering and Operations teams to ensure controls are properly designed, implemented, and operating effectively
• Identify IAM control gaps, assess risk, and drive remediation plans with clear owners and timelines
• Evaluate IAM processes for alignment with least privilege, separation of duties, and zero trust principles
• Metrics, Reporting & Continuous Improvement Define and report IAM risk and compliance KPIs, such as: Certification completion and exception rates Orphaned and dormant account trends Privileged access violations Access request SLA adherence
• Use data to identify trends, emerging risks, and opportunities for automation or control enhancement
• Contribute to continuous improvement of IAM governance processes and tooling
• Audit & Compliance Support Act as the primary IAM point of contact for: Internal audits External audits Regulatory inquiries
• Prepare audit evidence, narratives, and walkthroughs for IAM controls including: User lifecycle management Access requests and approvals Access certifications Privileged access management Authentication and authorization controls
• Track audit findings, manage remediation efforts, and validate closure
• Access Governance & Certification Oversight Provide risk and compliance oversight for access certification campaigns (manager, application owner, privileged access)
• Define and enforce certification standards, review quality thresholds, and escalation criteria
• Analyze certification results to identify systemic risk, role sprawl, or control weaknesses
• Policy, Standards & Procedures Develop and maintain IAM-related: Policies Standards Procedures Control documentation
• Ensure policies are actionable, enforceable, and aligned with technical implementations
• Support annual policy reviews and exception management processes
• Cross-Functional Collaboration Collaborate closely with: IAM Engineering and Operations Information Security Operations and Program Governance Privacy and Legal teams Internal Audit Application and Infrastructure owners
• Serve as a trusted advisor on IAM risk topics to technical and non-technical stakeholders