InvoiceCloud, Inc.

Identity and Access Management and Privileged Access Management Engineer

InvoiceCloud, Inc.  •  Hyderabad, IN (Hybrid)  •  6 days ago

Job Description

About InvoiceCloud

InvoiceCloud is a fast-growing fintech leader recognized with 20 major awards in 2025, including USA TODAY and Boston Globe Top Workplaces, multiple SaaS Awards wins for Best Solution for Finance and FinTech, and national customer service honors from Stevie and the Business Intelligence Group. Judges also highlighted our mission to reduce digital exclusion and restore simplicity and dignity to how people pay for essential services, as well as our leadership in AI maturity and responsible innovation. It’s an award-winning, purpose-driven environment where top talent thrives. To learn more, visit InvoiceCloud.com.

IAM/PAM Engineer

We are seeking a highly skilled and security-focused IAM/PAM Engineer to support the Cybersecurity and Enterprise Technology organizations. This role is responsible for safeguarding access to InvoiceCloud's systems, applications, and cloud environments by designing, implementing, and operating scalable Identity and Access Management (IAM) and Privileged Access Management (PAM) controls.

This role builds and maintains the guardrails that ensure the right people and services have the right access to the right resources at the right time. The IAM/PAM Engineer partners closely with IT, Security, Compliance, Infrastructure/Cloud Operations, HR, and application owners to enforce least privilege, strengthen authentication controls, automate identity governance workflows, and produce audit-ready access evidence.

Success in this role means reducing identity-related risk, improving access hygiene, strengthening zero-trust alignment, and enhancing both security and usability across workforce and administrative access environments.

Success Profile:

This role is anchored in our company's core competencies. These competencies reflect the mindsets and behaviors that define success in this role. We outline how each competency translates into real-world actions and outcomes specific to this role.

Results Driven

  • Leads Identity Architecture & Access Control Design by designing and administering identity management solutions across hybrid cloud environments, ensuring scalable, secure authentication and authorization patterns — with a primary focus on privileged and non-human identity.
  • Partners with IT to strengthen SSO & Authentication Controls (MFA, conditional access, device posture checks), contributing security requirements and control recommendations that drive measurable improvements in coverage and reduced authentication risk.
  • Leads Privileged Access Management (PAM) Controls including credential vaulting, just-in-time (JIT) access, least privilege enforcement, and privileged session monitoring to reduce standing administrative risk.
  • Leads Non-Human Identity (NHI) Lifecycle & Hygiene — discovering, inventorying, and governing service accounts, secrets, API keys, and machine identities; driving rotation, ownership assignment, and decommissioning of stale credentials.
  • Delivers documented 30-, 150-, and 210-day outcomes including improved MFA coverage, reduced privileged-account sprawl, automated de-provisioning, and audit-ready reporting demonstrating improved access hygiene.

Takes Ownership

  • Partners with IT on Identity Governance & Joiner/Mover/Leaver (JML) processes, ensuring security control requirements and audit expectations are embedded in provisioning and de-provisioning workflows.
  • Conducts structured Entitlement Reviews & Access Drift Remediation, investigating anomalies, resolving privilege creep, and maintaining zero-trust and least-privilege standards across all identities.
  • Partners with Security, Compliance, IT, and application owners to define access standards, role models, and evidence requirements that align to regulatory and audit expectations.
  • Supports Identity-Related Incident Response by investigating suspicious logins, credential compromise, and privilege misuse events, integrating IAM/PAM telemetry into monitoring and response processes.

Drives Efficiency

  • Integrates IAM/PAM Telemetry & Monitoring with security tooling to improve visibility into authentication patterns, privileged activity, and anomalous access behaviors.
  • Standardizes IAM/PAM documentation including runbooks, operational procedures, escalation paths, and control evidence to ensure repeatable, audit-ready operations.
  • Automates provisioning, access reviews, and reporting workflows using scripting and APIs (e.g., PowerShell, Python, Graph APIs), reducing manual effort and improving timeliness of access management processes.
  • Embeds zero-trust and least-privilege principles into architecture reviews and change-management routines, ensuring identity considerations are consistently incorporated into system design decisions.

Innovative

  • Applies forward-looking identity security practices to evolve zero-trust alignment, improve user experience, and reduce friction while maintaining strong control enforcement.
  • Leverages AI and automation to enhance anomaly detection in authentication patterns, streamline entitlement analysis, and generate actionable insights from identity telemetry.
  • Continuously evaluates emerging IAM/PAM technologies, authentication protocols (SAML, OIDC/OAuth2, SCIM), and industry best practices, translating them into scalable, adaptive access-control improvements.

Requirements

  • Bachelor's degree in Engineering - Computer Science, IT Security, or a related field (or equivalent experience).
  • 5+ years of experience in IAM, PAM, or identity-focused security/IT engineering roles.
  • Experience implementing and operating identity platforms such as Azure AD (Entra ID), Okta, or similar, with the ability to partner effectively across teams that own those platforms.
  • Strong understanding of authentication and federation protocols (SAML, OIDC/OAuth2, SCIM) sufficient to evaluate, advise, and threat-model identity integrations.
  • Experience implementing privileged access controls such as vaulting, just-in-time access, and least privilege models.
  • Hands-on experience automating workflows and integrations using scripting and APIs (e.g., PowerShell, Python, Graph APIs).
  • Experience conducting entitlement reviews and partnering on joiner/mover/leaver processes.
  • Familiarity with zero-trust architecture principles and identity governance best practices.
  • Relevant certifications such as Azure Security Engineer, Okta Professional, or similar credentials preferred.
  • High integrity and sound judgment when handling sensitive and confidential information.

InvoiceCloud is committed to providing equal employment opportunities to all employees and applicants. We do not tolerate discrimination or harassment of any kind based on race, color, religion, age, sex, nationality, disability, genetic information, veteran or military status, sexual orientation, gender identity or expression, or any other characteristic protected under applicable laws.

This commitment applies to all aspects of employment, including recruitment, hiring, placement, promotion, termination, layoff, recall, transfer, leave, compensation, and training.

If you require a disability-related or religious accommodation during the application or recruitment process, and wish to discuss possible adjustments, please contact jobs@invoicecloud.com

Click here to review InvoiceCloud’s Job Applicant Privacy Policy.

For recruitment agencies: InvoiceCloud does not accept unsolicited resumes from agencies. Please do not forward resumes to our job aliases, employees, or any other company location. InvoiceCloud is not responsible for any fees associated with unsolicited submissions.

About InvoiceCloud, Inc.

InvoiceCloud provides modern digital payment, customer engagement, and outbound disbursement solutions. The company services more than 3,200 customers across the utility, government and insurance industries and is a leader in the electronic bill presentment and payment (EBPP) space. InvoiceCloud’s SaaS platform enables continuous enhancements to the customer experience resulting in higher digital payment, AutoPay, and paperless adoption rates. By switching to InvoiceCloud, clients can improve customer engagement and satisfaction while lowering costs, accelerating payments, and reducing staff workloads. To learn more, visit invoicecloud.com.

Industry: Finance & Insurance
Company Size: 501-1,000 employees
Headquarters: Boston, Massachusetts
Year Founded: 2009