Manager of Identity & Access Management
Listed on 2026-07-18
-
IT/Tech
Cybersecurity, Information Security, Systems Engineer
Our Mission
Reflection is a research lab making intelligence open and accessible for everyone to use, customize, and build on. We build open models that let anyone control their intelligence and help shape the future of AI. Our mission: make intelligence open and accessible to all.
Role OverviewThe Head of Identity and Access Management is responsible for architecting, building, and operating Reflection’s identity infrastructure — the foundational security layer in an environment where the perimeter is entirely identity-based and the threat model includes sophisticated, highly motivated nation-state actors targeting intellectual property, training pipelines, and model weights. This leader will design and operate a bleeding-edge, zero-trust identity architecture that treats identity as software, eliminates static credentials, and protects Reflection’s researchers and massive-scale compute environments without introducing friction.
This is not a traditional enterprise IAM or Active Directory management role. The ideal candidate is a security architect and software engineer in equal measure — capable of mandating hardware-backed phishing-resistant authentication globally, building just-in-time credentialing systems for GPU cluster access, and engineering dynamic, context-aware authorization pipelines that hold up against the most advanced adversary techniques. They bring first-principles cryptographic depth, cloud-native mastery, and the software engineering capability to build custom tooling where commercial solutions fall short.
This is a high-stakes, high-visibility role at the center of Reflection’s security posture. Success requires the ability to build identity infrastructure that is simultaneously state-of-the-art in its security guarantees and genuinely developer-friendly in its design — because at Reflection, security that slows down a researcher is security that has failed.
What You’ll DoNext-Generation IAM Architecture
Design and implement a resilient, cloud-native identity architecture leveraging modern IdPs (Okta, OIDC/OAuth 2.0 federations) unified with edge-enforced zero-trust access networks (Cloudflare Access, Tailscale / Wire Guard topologies).
Architect and continuously evolve the organization’s identity boundary with a first-principles approach — replacing legacy constructs with modern, cryptographically-grounded alternatives at every layer.
Own the full identity lifecycle architecture across corporate, production, and research environments, ensuring consistency, auditability, and resilience across all access surfaces.
Phishing-Resistant Zero Trust
Mandate and enforce hardware-backed authentication (Yubi Keys/Web Authn) globally across all corporate, production, and research endpoints.
Eliminate SMS, TOTP, and legacy MFA bypass vectors — driving the organization to a posture where phishing-resistant authentication is the only path.
Design and operate zero-trust access controls that enforce least-privilege dynamically, incorporating device posture, user context, and behavioral signals into access decisions.
Privileged Access Management & Compute Security
Build short-lived, just-in-time credentialing systems for engineering and research access to massive GPU clusters across AWS, GCP, and OCI environments.
Replace SSH keys and long-lived credentials with ephermeral, short-lived certificate-based access via tools like Teleport or Hashi Corp Boundary.
Design and enforce privileged access workflows that give researchers and engineers the access they need — instantly, securely, and with full audit trail — without creating persistent attack surface.
Workload & Machine Identity
Architect SPIFFE/SPIRE or cloud-native cryptographic identity frameworks for service-to-service communication across the full workload landscape.
Ensure machine accounts, training jobs, and CI/CD pipelines use dynamic, short-lived tokens rather than long-lived secrets — eliminating static credential exposure as an attack vector.
Maintain and evolve workload identity infrastructure as the compute environment scales, ensuring machine identity remains cryptographically sound and operationally reliable at scale.
Policy as Code &…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).