AI IAM Architect
LPL Financial · Tempe, AZ · 2 wk ago
Art & Creative$153k–$256k/yrFull-time
Job Overview
We are seeking an experienced Identity and Access Management (IAM) Architect with a strong AI and agent-integration focus to lead the design, proof-of-concept (POC), and hands-on implementation of identity patterns for AI workloads, conversational agents, and AI platform integrations across the enterprise.
Key Responsibilities
- Discover AI/agent identity requirements across users, services, runtimes, tools, and APIs.
- Assess existing SSO, MFA, federation, and API authorization models; identify gaps in delegation, token lifecycle, scopes, secrets, and auditability.
- Design enterprise IAM patterns (user context propagation, delegation chains, BFF sessions, least-privilege access) and OAuth/OIDC client models.
- Define standards for securing agent tools, data access, and cross-domain integrations; align to zero trust and regulatory controls.
- Produce architecture artifacts (CAD/HLD/PSS) and reference implementations.
- Lead and build IAM POCs (end-to-end flows, token exchange, gateway enforcement, delegated agent access).
- Configure/test identity flows; troubleshoot tokens, scopes, and integrations.
- Implement or guide IAM integrations across gateways, BFFs, agent orchestration, and observability.
- Transition validated patterns to IAM engineering for production rollout.
- Define agent identity lifecycle (registration, credential rotation, revocation, environment separation).
- Integrate IAM across AI platform components; support CI/CD and IaC for IAM configurations.
- Establish patterns for human-in-the-loop controls, break-glass access, and rate limiting.
- Maintain documentation, decision records, diagrams, and runbooks.
- Deliver POC summaries, evaluations, and implementation guidance; communicate risks and dependencies.
- Ensure regulatory compliance; partner on threat modeling and controls (secrets, PAM, audit evidence).
- Serve as IAM SME for AI initiatives; mentor engineers.
- Deliver production-ready IAM patterns and reduce identity risk across AI workloads.
Requirements
- 10+ years in IAM, security architecture, or platform engineering with significant IAM scope.
- 2+ years building IAM POCs and troubleshooting OAuth 2.0 / OIDC flows (Auth Code + PKCE, refresh tokens, client credentials, token exchange, OBO).
- 2+ years with PingOne AIC and/or Microsoft Entra ID.
Core Competencies
- Hands-on experience designing identity for APIs, microservices, and BFF architectures.
- Experience integrating IAM with API gateways, AI/ML platforms, and modern application stacks.
- Strong knowledge of SAML, OAuth, OIDC, JWT, scopes, and authorization patterns.
- Familiarity with agent/tool identity models and secure integration patterns.
- Ability to translate AI requirements into secure identity designs; strong communication skills.
Preferences
- Experience delivering AI/ML agents or copilots to production.
- Experience with SailPoint, CyberArk/Delinea, or Auth0/CIAM.
- Knowledge of AI-aware API gateways (e.g., Kong).
- Experience with IAM modernization or M&A programs.
- Relevant certifications (CISSP, CCSP, Entra, Ping, SailPoint, AWS).
- Familiarity with zero trust and identity threat detection.