Senior IAM Security Engineer
As a Senior IAM Security Engineer, you will design and operate identity lifecycle, authentication, authorization, and privileged access controls. You will enable secure workforce and application identities across cloud and on-prem environments, enforcing least privilege and strong identity assurance. You will bring design and architecture expertise to drive continued maturity and technology innovation across the IAM space. This role partners closely with Infrastructure and Application teams to ensure consistent identity controls across the enterprise.
Your responsibilities:
Design and maintain IAM security architecture: directory services, federation, SSO (SAML/OIDC), MFA, conditional access, device trust.
Implement identity lifecycle automation (joiner/mover/leaver), birthright roles, and SCIM-based provisioning/deprovisioning.
Define RBAC/ABAC models; perform access reviews, role mining, and segregation‑of‑duties analyses.
Integrate identity governance platforms (where applicable) with HRIS/ERP and downstream applications.
Engineer privileged access management (PAM) solutions (for example, CyberArk or BeyondTrust), including just-in-time (JIT) elevation and session recording.
Secure service and machine identities, secrets, and certificates; enforce rotation and attestation.
Develop identity security monitoring and anomaly detection (e.g., Identity Protection, risk‑based access); integrate with SIEM/XDR for response.
Support Zero Trust identity strategy, including strong authentication, device trust, and continuous access evaluation.
Support compliance audits (where applicable) with access certification evidence and control narratives.
Troubleshoot complex federation and authorization issues; provide tier‑3 support and root‑cause analysis.
Document standards, patterns, and runbooks; advise application teams on secure integration.
Essential skills and experience:
Bachelor’s degree in Information Security/Computer Science or equivalent experience.
7–10 years in IAM engineering/architecture with enterprise platforms (Entra ID/Azure AD, Okta, Ping, SailPoint).
Strong understanding of authentication/authorization protocols (SAML, OIDC/OAuth2, Kerberos, LDAP, SCIM).
Experience with PAM, certificate/secrets management, and identity analytics.
Certifications: Microsoft Certified: Identity and Access Administrator (SC‑300), Okta Certified Administrator/Professional, CISSP or CIAM.
Good to have:
Experience with just‑in‑time access, just‑enough‑access, attribute‑based access control, and modern device trust models.
Experience working in a co‑managed environment with SOC/MDR providers.
Certifications: CCSP, Certified in Governance, Risk and Compliance (as relevant), SailPoint Certified.
Physical requirements and working conditions (with or without reasonable accommodation):
Remote eligible; minimal travel.
On‑call rotation for major incidents.
Other considerations:
May participate in on‑call rotations for critical identity incidents.
Location:
Remote US
Compensation and Benefits:
The starting salary range for this role is $140,000‑$200,000, with additional earning potential commensurate with experience. Bonus target is 15% of annual base (MIP). All team members are incentive eligible based on contributions, company performance, and individual results achieved.
We offer a comprehensive benefits package, including:
Medical, Dental and Vision Coverage
Health and Dependent Savings Accounts
Life and Disability Programs
Voluntary Benefit Programs
Company Sponsored Wellness Programs
Retirement Savings with Company Match
Team Member and Family Assistance Program (EAP)
Paid Time Off and Paid Holidays
Employee Recognition Program with Rewards (RAVE)
EEO Commitment:
At Ardent Mills, everyone matters and everyone has a voice. We are committed to providing an environment of mutual respect where equal opportunities are available to all applicants and team members and the decisions will be based on merit, competence, performance, and business needs. We are proud to be an equal opportunity employer. We do not discriminate on the basis of race, color, religion, creed, national origin, ancestry, marital status, sex, sexual orientation, gender identity or expression, physical or mental disability, pregnancy, genetic information, veteran status, age, political affiliation, or any other non‑merit characteristic protected by law or not. Together, celebrating our differences, we make Ardent Mills.
Recruitment Fraud Disclaimer:
At Ardent Mills, the security of our employees and candidates is a priority. We will never request sensitive information such as your bank account information, social security number, or other non‑publicly available information during the application and interview process. If someone asks you for sensitive information, we strongly advise that you assume that individual is not affiliated with Ardent Mills.
Use only official email addresses such as first.last.talent@ardentmills.com or first.last@ardentmills.com
Our open job opportunities and descriptions can be found at ardentmillscareers.com