Manager of Identity & Access Management
Listed on 2026-07-17
-
IT/Tech
Cybersecurity, Systems Engineer
Head Of Identity And Access Management
The Head Of Identity And Access Management Is Responsible For Architecting, Building, And Operating Reflection's Identity Infrastructure — The Foundational Security Layer In An Environment Where The Perimeter Is Entirely Identity-Based And The Threat Model Includes Sophisticated, Highly Motivated Nation-State Actors Targeting Intellectual Property, Training Pipelines, And Model Weights. This Leader Will Design And Operate A Bleeding-Edge, Zero-Trust Identity Architecture That Treats Identity As Software, Eliminates Static Credentials, And Protects Reflection's Researchers And Massive-Scale Compute Environments Without Introducing Friction.
This Is Not A Traditional Enterprise IAM Or Active Directory Management Role. The Ideal Candidate Is A Security Architect And Software Engineer In Equal Measure — Capable Of Mandating Hardware-Backed Phishing-Resistant Authentication Globally, Building Just-In-Time Credentialing Systems For GPU Cluster Access, And Engineering Dynamic, Context-Aware Authorization Pipelines That Hold Up Against The Most Advanced Adversary Techniques. They Bring First-Principles Cryptographic Depth, Cloud-Native Mastery, And The Software Engineering Capability To Build Custom Tooling Where Commercial Solutions Fall Short.
This Is A High-Stakes, High-Visibility Role At The Center Of Reflection's Security Posture. Success Requires The Ability To Build Identity Infrastructure That Is Simultaneously State-Of-The-Art In Its Security Guarantees And Genuinely Developer-Friendly In Its Design — Because At Reflection, Security That Slows Down A Researcher Is Security That Has Failed.
What You'll DoNext-Generation IAM Architecture
- Design And Implement A Resilient, Cloud-Native Identity Architecture Leveraging Modern IdPs (Okta, OIDC/OAuth 2.0 Federations) Unified With Edge-Enforced Zero-Trust Access Networks (Cloudflare Access, Tailscale / Wireguard Topologies).
- Architect And Continuously Evolve The Organization's Identity Boundary With A First-Principles Approach — Replacing Legacy Constructs With Modern, Cryptographically-Grounded Alternatives At Every Layer.
- Own The Full Identity Lifecycle Architecture Across Corporate, Production, And Research Environments, Ensuring Consistency, Auditability, And Resilience Across All Access Surfaces.
Phishing-Resistant Zero Trust
- Mandate And Enforce Hardware-Backed Authentication (Yubikeys/Webauthn) Globally Across All Corporate, Production, And Research Endpoints.
- Eliminate Sms, Totp, And Legacy Mfa Bypass Vectors — Driving The Organization To A Posture Where Phishing-Resistant Authentication Is The Only Path.
- Design And Operate Zero-Trust Access Controls That Enforce Least-Privilege Dynamically, Incorporating Device Posture, User Context, And Behavioral Signals Into Access Decisions.
Privileged Access Management & Compute Security
- Build Short-Lived, Just-In-Time Credentialing Systems For Engineering And Research Access To Massive Gpu Clusters Across Aws, Gcp, And Oci Environments.
- Replace Ssh Keys And Long-Lived Credentials With Ephemeral, Short-Lived Certificate-Based Access Via Tools Like Teleport Or Hashicorp Boundary.
- Design And Enforce Privileged Access Workflows That Give Researchers And Engineers The Access They Need — Instantly, Securely, And With Full Audit Trail — Without Creating Persistent Attack Surface.
Workload & Machine Identity
- Architect Spiffe/Spire Or Cloud-Native Cryptographic Identity Frameworks For Service-To-Service Communication Across The Full Workload Landscape.
- Ensure Machine Accounts, Training Jobs, And Ci/Cd Pipelines Use Dynamic, Short-Lived Tokens Rather Than Long-Lived Secrets — Eliminating Static Credential Exposure As An Attack Vector.
- Maintain And Evolve Workload Identity Infrastructure As The Compute Environment Scales, Ensuring Machine Identity Remains Cryptographically Sound And Operationally Reliable At Scale.
Policy As Code & Developer Integration
- Treat Authorization Policies As Code Using Open Policy Agent (Opa)/Rego, Cedar, Or Equivalent Frameworks — With Full Version Control, Testing, And Deployment Pipelines.
- Integrate Policy Evaluation Directly Into Developer Workflows And…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).