Manager of Identity & Access Management
Role Overview
The Head of Identity and Access Management is responsible for architecting, building, and operating Reflection’s identity infrastructure — the foundational security layer in an environment where the perimeter is entirely identity-based and the threat model includes sophisticated, highly motivated nation-state actors targeting intellectual property, training pipelines, and model weights.
What You'll Do
Next-Generation IAM Architecture Design and implement a resilient, cloud-native identity architecture leveraging modern IdPs (Okta, OIDC/OAuth 2.0 federations) unified with edge-enforced zero-trust access networks (Cloudflare Access, Tailscale / WireGuard topologies).
Architect and continuously evolve the organization’s identity boundary with a first-principles approach — replacing legacy constructs with modern, cryptographically-grounded alternatives at every layer.
Own the full identity lifecycle architecture across corporate, production, and research environments, ensuring consistency, auditability, and resilience across all access surfaces.
Phishing-Resistant Zero Trust Mandate and enforce hardware-backed authentication (YubiKeys/WebAuthn) globally across all corporate, production, and research endpoints.
Eliminate SMS, TOTP, and legacy MFA bypass vectors — driving the organization to a posture where phishing-resistant authentication is the only path.
Design and operate zero-trust access controls that enforce least-privilege dynamically, incorporating device posture, user context, and behavioral signals into access decisions.
Privileged Access Management & Compute Security Build short-lived, just-in-time credentialing systems for engineering and research access to massive GPU clusters across AWS, GCP, and OCI environments.
Replace SSH keys and long-lived credentials with ephemeral, short-lived certificate-based access via tools like Teleport or HashiCorp Boundary.
Design and enforce privileged access workflows that give researchers and engineers the access they need — instantly, securely, and with full audit trail — without creating persistent attack surface.
Workload & Machine Identity Architect SPIFFE/SPIRE or cloud-native cryptographic identity frameworks for service-to-service communication across the full workload landscape.
Ensure machine accounts, training jobs, and CI/CD pipelines use dynamic, short-lived tokens rather than long-lived secrets — eliminating static credential exposure as an attack vector.
Maintain and evolve workload identity infrastructure as the compute environment scales, ensuring machine identity remains cryptographically sound and operationally reliable at scale.
Policy as Code & Developer Integration Treat authorization policies as code using Open Policy Agent (OPA)/Rego, Cedar, or equivalent frameworks — with full version control, testing, and deployment pipelines.
Integrate policy evaluation directly into developer workflows and infrastructure deployment pipelines, ensuring authorization is enforced at build time as well as runtime.
Partner with engineering teams to design access models that make the secure path the path of least resistance — eliminating the developer friction that causes security to be circumvented.
Automation, Lifecycle Management & Detection Build automated provisioning and deprovisioning workflows via SCIM and API-first tooling, ensuring identity lifecycle events are handled with speed, accuracy, and full audit trail.
Partner with Detection Engineering to instrument identity telemetry and build detection logic targeting anomalous authentication flows, session hijacking attempts, and nation-state adversary tactics.
Continuously improve automation coverage across the identity stack, reducing manual toil and eliminating the human error surface in identity operations.
What We're Looking For
Experience & Background: 15+ years of dedicated experience in identity security, security architecture, or infrastructure engineering within high-growth startups, hyperscale cloud environments, or elite security teams.
Demonstrated track record of architecting and operating modern, zero-trust identity infrastructure at scale — including hardware-backed authentication, JIT credentialing, and workload identity systems.
Hands-on experience securing IAM boundaries across major cloud providers (AWS, GCP) and containerized environments, including Kubernetes identity federation and IAM roles for service accounts.
Prior experience partnering with detection and response teams to instrument identity telemetry and build adversary-focused detection logic targeting identity-layer attack techniques.
Skills & Capabilities
Deep, first-principles understanding of OAuth 2.0, OIDC, SAML, WebAuthn / FIDO2, and PKI — able to reason from cryptographic fundamentals, not just implement vendor tooling.
Strong software engineering capability — able to write clean, maintainable code (Go, Python, or Rust) to build custom tooling, API integrations, and automation where commercial solutions fall short.
Proficiency in Infrastructure as Code (Terraform, Pulumi) for defining and managing identity constructs programmatically.
Clear, working knowledge of advanced adversary techniques targeting identity, including session token theft, OAuth consent abuse, device registration hijacking, and Golden SAML vectors.
Demonstrated ability to design identity systems that balance rigorous security guarantees with developer-friendly operational experience — treating usability as a security property, not a trade-off.
Mindset & Approach
Developer and researcher obsessed — genuinely believes that security is broken if it impedes a researcher’s ability to train a model, and designs systems where the secure path is also the easiest path.
Bleeding-edge pragmatist — keeps current with the latest developments in the identity and security ecosystem, preferring modern open-source and developer-first tooling over legacy enterprise security suites.
Resilient and threat-aware — understands that Reflection is a high-value target and constructs identity boundaries with the explicit assumption that individual components will be compromised, designing for resilience rather than relying on perimeter integrity.
Builder at heart — energized by the challenge of engineering identity infrastructure from scratch in an environment where the stakes are existential and the technical bar is genuinely high.
Mission-aligned — understands the unique identity security responsibilities of a frontier AI company and approaches the work with the depth of expertise and seriousness of purpose it demands.
We Offer
Top-tier compensation: Salary and equity structured to recognize and retain our talent globally.
Stock options: Everyone who joins and contributes to Reflection's success gets to share in the upside through stock options.
Health & wellness: Comprehensive medical, dental, vision, and life, with an annual wellness allowance.
Meals: Lunch and dinner are provided in the office daily.
Life & family: 22 weeks paid parental leave for all new birthing and non-birthing parents, including adoptive and surrogate journeys.
Vacation days: Unlimited paid time off in the U.S. and 30 days in the U.K.
Sponsorship support: We sponsor visas to help exceptional talent join our team and support long-term immigration pathways where applicable.
Team building: We have regular off-sites, happy hours, and team celebrations.
Export Control Notice
This position may require access to technology or source code subject to the U.S. Export Administration Regulations. Any offer of employment for this role may be conditioned on the Company's ability to provide the candidate with access to such technology or source code in compliance with applicable U.S. export control laws, which may require the Company to seek government authorization.