×
Register Here to Apply for Jobs or Post Jobs. X

Manager of Identity & Access Management

Job in San Francisco, San Francisco County, California, 94102, USA
Listing for: Reflection AI
Full Time position
Listed on 2026-07-17
Job specializations:
  • IT/Tech
    Cybersecurity, Systems Engineer
Job Description & How to Apply Below

Head Of Identity And Access Management

The Head Of Identity And Access Management Is Responsible For Architecting, Building, And Operating Reflection's Identity Infrastructure — The Foundational Security Layer In An Environment Where The Perimeter Is Entirely Identity-Based And The Threat Model Includes Sophisticated, Highly Motivated Nation-State Actors Targeting Intellectual Property, Training Pipelines, And Model Weights. This Leader Will Design And Operate A Bleeding-Edge, Zero-Trust Identity Architecture That Treats Identity As Software, Eliminates Static Credentials, And Protects Reflection's Researchers And Massive-Scale Compute Environments Without Introducing Friction.

This Is Not A Traditional Enterprise IAM Or Active Directory Management Role. The Ideal Candidate Is A Security Architect And Software Engineer In Equal Measure — Capable Of Mandating Hardware-Backed Phishing-Resistant Authentication Globally, Building Just-In-Time Credentialing Systems For GPU Cluster Access, And Engineering Dynamic, Context-Aware Authorization Pipelines That Hold Up Against The Most Advanced Adversary Techniques. They Bring First-Principles Cryptographic Depth, Cloud-Native Mastery, And The Software Engineering Capability To Build Custom Tooling Where Commercial Solutions Fall Short.

This Is A High-Stakes, High-Visibility Role At The Center Of Reflection's Security Posture. Success Requires The Ability To Build Identity Infrastructure That Is Simultaneously State-Of-The-Art In Its Security Guarantees And Genuinely Developer-Friendly In Its Design — Because At Reflection, Security That Slows Down A Researcher Is Security That Has Failed.

What You'll Do

Next-Generation IAM Architecture

  • Design And Implement A Resilient, Cloud-Native Identity Architecture Leveraging Modern IdPs (Okta, OIDC/OAuth 2.0 Federations) Unified With Edge-Enforced Zero-Trust Access Networks (Cloudflare Access, Tailscale / Wireguard Topologies).
  • Architect And Continuously Evolve The Organization's Identity Boundary With A First-Principles Approach — Replacing Legacy Constructs With Modern, Cryptographically-Grounded Alternatives At Every Layer.
  • Own The Full Identity Lifecycle Architecture Across Corporate, Production, And Research Environments, Ensuring Consistency, Auditability, And Resilience Across All Access Surfaces.

Phishing-Resistant Zero Trust

  • Mandate And Enforce Hardware-Backed Authentication (Yubikeys/Webauthn) Globally Across All Corporate, Production, And Research Endpoints.
  • Eliminate Sms, Totp, And Legacy Mfa Bypass Vectors — Driving The Organization To A Posture Where Phishing-Resistant Authentication Is The Only Path.
  • Design And Operate Zero-Trust Access Controls That Enforce Least-Privilege Dynamically, Incorporating Device Posture, User Context, And Behavioral Signals Into Access Decisions.

Privileged Access Management & Compute Security

  • Build Short-Lived, Just-In-Time Credentialing Systems For Engineering And Research Access To Massive Gpu Clusters Across Aws, Gcp, And Oci Environments.
  • Replace Ssh Keys And Long-Lived Credentials With Ephemeral, Short-Lived Certificate-Based Access Via Tools Like Teleport Or Hashicorp Boundary.
  • Design And Enforce Privileged Access Workflows That Give Researchers And Engineers The Access They Need — Instantly, Securely, And With Full Audit Trail — Without Creating Persistent Attack Surface.

Workload & Machine Identity

  • Architect Spiffe/Spire Or Cloud-Native Cryptographic Identity Frameworks For Service-To-Service Communication Across The Full Workload Landscape.
  • Ensure Machine Accounts, Training Jobs, And Ci/Cd Pipelines Use Dynamic, Short-Lived Tokens Rather Than Long-Lived Secrets — Eliminating Static Credential Exposure As An Attack Vector.
  • Maintain And Evolve Workload Identity Infrastructure As The Compute Environment Scales, Ensuring Machine Identity Remains Cryptographically Sound And Operationally Reliable At Scale.

Policy As Code & Developer Integration

  • Treat Authorization Policies As Code Using Open Policy Agent (Opa)/Rego, Cedar, Or Equivalent Frameworks — With Full Version Control, Testing, And Deployment Pipelines.
  • Integrate Policy Evaluation Directly Into Developer Workflows And…
To View & Apply for jobs on this site that accept applications from your location or country, tap the button below to make a Search.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).
 
 
 
Search for further Jobs Here:
(Try combinations for better Results! Or enter less keywords for broader Results)
Location
Increase/decrease your Search Radius (miles)
0
200
Filters
Education Level
Experience Level (years)
Posted in last:
Salary