Job Overview:

We are seeking an experienced Identity and Access Management (IAM) Architect with a strong AI and agent-integration focus to lead the design, proof-of-concept (POC), and hands-on implementation of identity patterns for AI workloads, conversational agents, and AI platform integrations across the enterprise. The ideal candidate combines deep IAM architecture expertise with practical engineering skills—building POCs, configuring OAuth/OIDC flows, and partnering directly with AI engineering teams to secure agent runtimes, tool access, and human-in-the-loop experiences.

This role owns IAM architecture for AI use cases, including delegated and service-to-service access, API gateway/BFF token flows, scoped credentials, and governance alignment. You will design and validate OAuth/OIDC patterns (Auth Code + PKCE, OBO, token exchange, client credentials) across identity providers (PingOne AIC, Entra ID), gateways, and agent platforms. The AI IAM Architect partners across AI/platform engineering, IAM, security, and enterprise architecture to define reusable, secure, and production-ready identity standards for agents.

Key Responsibilities:

• Discover AI/agent identity requirements across users, services, runtimes, tools, and APIs.

• Assess existing SSO, MFA, federation, and API authorization models; identify gaps in delegation, token lifecycle, scopes, secrets, and auditability.

• Design enterprise IAM patterns (user context propagation, delegation chains, BFF sessions, least-privilege access) and OAuth/OIDC client models.

• Define standards for securing agent tools, data access, and cross-domain integrations; align to zero trust and regulatory controls.

• Produce architecture artifacts (CAD/HLD/PSS) and reference implementations.

• Lead and build IAM POCs (end-to-end flows, token exchange, gateway enforcement, delegated agent access).

• Configure/test identity flows; troubleshoot tokens, scopes, and integrations.

• Implement or guide IAM integrations across gateways, BFFs, agent orchestration, and observability.

• Transition validated patterns to IAM engineering for production rollout.

• Define agent identity lifecycle (registration, credential rotation, revocation, environment separation).

• Integrate IAM across AI platform components; support CI/CD and IaC for IAM configurations.

• Establish patterns for human-in-the-loop controls, break-glass access, and rate limiting.

• Maintain documentation, decision records, diagrams, and runbooks.

• Deliver POC summaries, evaluations, and implementation guidance; communicate risks and dependencies.

• Ensure regulatory compliance; partner on threat modeling and controls (secrets, PAM, audit evidence).

• Serve as IAM SME for AI initiatives; mentor engineers.

• Deliver production-ready IAM patterns and reduce identity risk across AI workloads.

Requirements:

• 10+ years in IAM, security architecture, or platform engineering with significant IAM scope.

• 2+ years building IAM POCs and troubleshooting OAuth 2.0 / OIDC flows (Auth Code + PKCE, refresh tokens, client credentials, token exchange, OBO).

• 2+ years with PingOne AIC and/or Microsoft Entra ID.

Core Competencies:

• Hands-on experience designing identity for APIs, microservices, and BFF architectures.

• Experience integrating IAM with API gateways, AI/ML platforms, and modern application stacks.

• Strong knowledge of SAML, OAuth, OIDC, JWT, scopes, and authorization patterns.

• Familiarity with agent/tool identity models and secure integration patterns.

• Ability to translate AI requirements into secure identity designs; strong communication skills.

Preferences:

• Experience delivering AI/ML agents or copilots to production.

• Experience with SailPoint, CyberArk/Delinea, or Auth0/CIAM.

• Knowledge of AI-aware API gateways (e.g., Kong).

• Experience with IAM modernization or M&A programs.

• Relevant certifications (CISSP, CCSP, Entra, Ping, SailPoint, AWS).

• Familiarity with zero trust and identity threat detection.

Pay Range: