Principal Identity And Access Management Architect

Workday's identity surface is large, distributed, and growing spanning multi-account AWS environments, enterprise SaaS, a global workforce, and an expanding set of AI-driven workloads. Identity is no longer a support function; it's a core security boundary and an enabler of how we build and ship products.

We're looking for a Principal Identity and Access Management Architect to own the strategy, design, and long-term direction of our IAM program. This is not an operational role. You'll set the patterns other engineers build against, make the architectural calls that shape how we scale, and work directly with engineering, security, and Risk leadership to drive alignment across the organization.

The scope spans human and non-human identity, cloud authorization, federation, secrets management, and the emerging challenge of securing AI agents in production where the patterns don't fully exist yet and you'll be helping to define them.

This role sits at the intersection of deep technical ownership and cross-functional influence. You'll be expected to lead without always having direct authority, mentor engineers who are earlier in their IAM journey, and bring a risk-informed perspective that translates threat exposure into pragmatic architectural decisions not checkbox compliance.

If you're the kind of engineer who gets ahead of problems before they scale, builds with the next three years in mind, and can hold a technical vision across a complex enterprise environment this is the role.

Basic Qualifications

• 10+ years of experience in cloud security or IAM, with at least 3 years in a senior or architect-level role with clear ownership of strategy and technical direction.
• Proven AWS IAM foundations SCPs, IAM Identity Center, ABAC, multi-account Organizations architecture, and secrets management at scale via AWS Secrets Manager or equivalent vault solutions. GCP familiarity is advantageous but not required.
• Demonstrated Okta experience at enterprise scale SSO, adaptive MFA, SCIM provisioning, lifecycle management, and AWS environment integration.
• Deep familiarity with federation protocols SAML, OIDC, and OAuth2 applied and debugged across complex, heterogeneous environments.
• Infrastructure-as-code fluency with Terraform, and a clear understanding of how identity controls integrate into and are enforced through CI/CD pipelines.
• Hands-on engagement with AI and agentic identity is required. This means working knowledge of NHI lifecycle management, service-to-service trust models, and least-privilege design for workloads that assume IAM roles, call external APIs, and chain actions across services. Familiarity with AI security tooling such as identity-aware proxies, agent observability platforms, or LLM access governance is a strong differentiator. You don't need to have solved this at scale; you do need to be actively working in this space.
• Zero Trust applied in practice identity-aware perimeters, conditional access policies, and workload-level controls implemented in production environments.
• Proven ability to drive technical alignment across engineering, security, and business stakeholders without relying on positional authority. Comfortable mentoring and leveling up less senior engineers takes the time to transfer context, not just deliver outcomes.

Other Qualifications

• A risk mitigation mindset: you understand threat exposure well enough to make pragmatic architectural trade-offs, engage credibly with Risk and GRC teams, and push back when a proposed control creates engineering friction without meaningfully reducing risk.
• Secrets Management experience
• AWS Certified Security Specialty and a signal of structured cloud depth.