Associate Director of Identity and Access Management
Listed on 2025-12-27
IT/Tech
Cybersecurity, Data Security
About NY Creates
NY Creates serves as a bridge for advanced electronics, leading projects that advance R&D in emerging technologies and generating the jobs of tomorrow. NY Creates also runs some of the most advanced facilities in the world, brings together more than 3,000 industry experts and faculty, and manages public and private investments of more than $25 billion, placing it at the global epicenter of high-tech innovation and commercialization.
Job Description
Job Summary
The Associate Director of Identity and Access Management is the authoritative architect and operational owner of the enterprise-wide identity fabric at NY Creates (NYC), responsible for the end-to-end design, implementation, hardening, integration, and lifecycle governance of hybrid identity systems encompassing on-premises Active Directory (AD), Microsoft Entra ID (formerly Azure AD), and a mature Identity Governance & Administration (IGA) platform. This role drives the strategic convergence of authentication, authorization, privileged access, and compliance workflows across research labs, semiconductor clean rooms, HPC clusters, cloud workloads (AWS, Azure, GCP), OT/ICS environments, and federated partner ecosystems.
With deep engineering expertise in Kerberos, LDAP, OAuth 2.0/OIDC, SCIM provisioning, zero-trust policy enforcement, and IGA rule engines, the Associate Director of Identity and Access Management translates regulatory mandates (NIST 800-171, CMMC 2.0) and business requirements into scalable, automated identity controls while eliminating orphan accounts, enforcing least privilege, and enabling seamless just-in-time (JIT) access. The incumbent operates with forensic rigor during privilege-escalation incidents, automates at enterprise scale, mentors identity engineers, and serves as the final escalation point for all authentication or entitlement anomalies.
Job Responsibilities
- Own the full Microsoft identity stack: on-premises Active Directory (multi-forest/domain, AD FS, AD CS), Entra ID (Conditional Access, Identity Protection, PIM), and Entra synchronization (Entra Connect) with health monitoring and failover.
- Design and deploy the enterprise IGA solution (SailPoint IdentityIQ/IdentityNow, Saviynt, One Identity, or Microsoft Identity Manager); implement birthright provisioning, access request portals, certification campaigns, and role-based/attribute-based access control (RBAC/ABAC).
- Engineer zero-trust authentication flows: passwordless (FIDO2, Windows Hello for Business), MFA (push, TOTP, certificate), and SSO federation (SAML 2.0, WS-Fed) for 100+ SaaS, custom, and legacy applications.
- Build and enforce privileged access management (PAM): JIT elevation via Entra PIM, CyberArk, BeyondTrust, or HashiCorp Vault; session recording, keystroke auditing, and credential rotation for service accounts and admin jump boxes.
- Automate SCIM/REST provisioning connectors to HRIS (Workday, UKG), CMDB, cloud platforms, and research tools; maintain 99.99% sync SLA with error‑handling and rollback.
- Develop and operationalize identity risk analytics: UEBA via Entra ID Protection, risky sign-in suppression, impossible-travel detection, and anomalous token issuance.
- Lead annual access certification campaigns; design segregation‑of‑duties (SoD) matrices for finance, research IP, and fab operations; remediate violations with automated deprovisioning.
- Integrate IAM with SOAR for automated incident response: isolate compromised identities, force MFA reset, and quarantine devices via Intune/Endpoint Manager.
- Produce executive dashboards (Power BI, Entra ID) on identity hygiene metrics: orphan accounts, stale privileges, MFA adoption, and certification completion; support CMMC, NIST 800-171, and audit evidence.
- Conduct red‑team validated privilege escalation exercises; harden GPOs, LDAP signing, Kerberos armoring, and Entra consent policies.
- Author and enforce identity policies, standards, and procedures aligned to NIST 800‑63B, NIST 800‑53 AC/IA families, CIS AD benchmarks, and CMMC 2.0 IA.L2‑3.5.x controls.
- Train and mentor Tier 1/2 analysts on AD forensics, Entra ID, and IGA workflow design; develop an internal IAM certification path.
- Represent NYC in SUNY IAM working groups, Microsoft EAP programs, and CISA Identity…