Manager of Identity & Access Management
full-time
principal
Posted 16 hours ago
Apply Now
Stand out: build a proof-of-work pitch →
Free GitHub-based preview. Direct apply stays one click away.
Get weekly job alerts like this →Hiring for this role?
AI Market Demand Pack · $29 one-time
Compare this role's skills with the full AI hiring market. Get ranked demand, salary bands, leading companies, public source URLs, and a decision brief.
About this role
OUR MISSION
Reflection is a research lab making intelligence open and accessible for everyone to use, customize, and build on. We build open models that let anyone control their intelligence and help shape the future of AI. Our mission: make intelligence open and accessible to all.
ROLE OVERVIEW
The Head of Identity and Access Management is responsible for architecting, building, and operating Reflection’s identity infrastructure — the foundational security layer in an environment where the perimeter is entirely identity-based and the threat model includes sophisticated, highly motivated nation-state actors targeting intellectual property, training pipelines, and model weights. This leader will design and operate a bleeding-edge, zero-trust identity architecture that treats identity as software, eliminates static credentials, and protects Reflection’s researchers and massive-scale compute environments without introducing friction.
This is not a traditional enterprise IAM or Active Directory management role. The ideal candidate is a security architect and software engineer in equal measure — capable of mandating hardware-backed phishing-resistant authentication globally, building just-in-time credentialing systems for GPU cluster access, and engineering dynamic, context-aware authorization pipelines that hold up against the most advanced adversary techniques. They bring first-principles cryptographic depth, cloud-native mastery, and the software engineering capability to build custom tooling where commercial solutions fall short.
This is a high-stakes, high-visibility role at the center of Reflection’s security posture. Success requires the ability to build identity infrastructure that is simultaneously state-of-the-art in its security guarantees and genuinely developer-friendly in its design — because at Reflection, security that slows down a researcher is security that has failed.
WHAT YOU'LL DO
Next-Generation IAM Architecture
- Design and implement a resilient, cloud-native identity architecture leveraging modern IdPs (Okta, OIDC/OAuth 2.0 federations) unified with edge-enforced zero-trust access networks (Cloudflare Access, Tailscale / WireGuard topologies).
- Architect and continuously evolve the organization’s identity boundary with a first-principles approach — replacing legacy constructs with modern, cryptographically-grounded alternatives at every layer.
- Own the full identity lifecycle architecture across corporate, production, and research environments, ensuring consistency, auditability, and resilience across all access surfaces.
Phishing-Resistant Zero Trust
- Mandate and enforce hardware-backed authentication (YubiKeys/WebAuthn) globally across all corporate, production, and research endpoints.
- Eliminate SMS, TOTP, and legacy MFA bypass vectors — driving the organization to a posture where phishing-resistant authentication is the only path.
- Design and operate zero-trust access controls that enforce least-privilege dynamically, incorporating device posture, user context, and behavioral signals into access decisions.
Privileged Access Management & Compute Security
- Build short-lived, just-in-time credentialing systems for engineering and research access to massive GPU clusters across AWS, GCP, and OCI environments.
- Replace SSH keys and long-lived credentials with ephemeral, short-lived certificate-based access via tools like Teleport or HashiCorp Boundary.
- Design and enforce privileged access workflows that give researchers and engineers the access they need — instantly, securely, and with full audit trail — without creating persistent attack surface.
Workload & Machine Identity
- Architect SPIFFE/SPIRE or cloud-native cryptographic identity frameworks for service-to-service communication across the full workload landscape.
- Ensure machine accounts, training jobs, and CI/CD pipelines use dynamic, short-lived tokens rather than long-lived secrets — eliminating static credential exposure as an attack vector.
- Maintain and evolve workload identity infrastructure as the compute environment scales, ensuring machine identity remains cryptographically sound and operationally reliable at scale.
Policy as Code & Developer Integration
- Treat authorization policies as code using Open Policy Agent (OPA)/Rego, Cedar, or equivalent frameworks — with full version control, testing, and deployment pipelines.
- Integrate policy evaluation directly into developer workflows and infrastructure deployment pipelines, ensuring authorization is enforced at build time as well as runtime.
- Partner with engineering teams to design access models that make the secure path the path of least resistance — eliminating the developer friction that causes security to be circumvented.
Automation, Lifecycle Management & Detection
- Build automated provisioning and deprovisioning workflows via SCIM and API-first tooling, ensuring identity lifec
Similar Jobs
Related searches:
Get jobs like this delivered weekly
Free AI jobs newsletter. No spam.