Senior Identity and Access Management (IAM) Engineer

Staff System Engineer I -Saviynt IGA, IAM, Azure AD, Entra ID

Scope:

• We are seeking an experienced and technically deep Staff Security Engineer to lead Blue Yonder's Identity & Access Management engineering program.
• This role serves as the technical owner of the Saviynt IGA implementation—Blue Yonder's most strategically critical security program—while also setting the architecture direction for a wider IAM portfolio spanning privileged access management (Delinea), MFA enforcement, Entra ID/Active Directory, and identity governance policy.

What you will be doing:

• Serve as the technical lead for the Saviynt IGA implementation, owning architecture decisions across all integration workstreams: Workday HCM (joiner/mover/leaver), Active Directory provisioning (~6,000 groups), Salesforce (Apttus/CPQ), Workday Strategic Sourcing, ShareWorks, and MS Dynamics (scoping in progress)
• Design and implement the full identity lifecycle in Saviynt: joiner provisioning, role assignment, mover workflows, leaver deprovisioning, and account reconciliation
• Lead access review campaign configuration in Saviynt: Role Owner Campaigns, User Access Management Campaigns, manager and role-owner certification workflows, and vacation delegation handling
• Own the Saviynt–Azure AD/Entra ID SSO integration and API authentication architecture for downstream app connectivity
• Drive integration with cross-functional ITG teams to resolve sandbox/dev environment dependencies, connector configuration, and environment refresh protocols
• Define and own the IGA program's testing strategy: establish test case standards, manage test data generation, and coordinate test execution coverage across sprints—including identifying and onboarding engineering resources to fill testing gapsEnsure all IGA implementation work meets SOX audit requirements: accurate test case documentation, clean sprint closure, and evidentiary output aligned to Internal Audit expectations
• Set the technical direction for Blue Yonder's IAM architecture across IGA (Saviynt), PAM (Delinea), MFA Everywhere, Conditional Access, and AD/Entra ID
• Design the identity-edge Zero Trust model, replacing VPN-centric access with an identity-first architecture built on Entra ID Conditional Access, Saviynt governance, and Delinea privileged access controls
• Define and maintain the IAM technical roadmap in partnership with the Identity Security manager, translating business and compliance requirements into sequenced engineering deliverables
• Evaluate and guide the consolidation of identity tools around Microsoft E5 (Entra ID, Defender for Identity) and drive rationalization of legacy identity infrastructure
• Architect JIT provisioning capabilities to address access governance gaps, including Blue Yonder personnel with direct admin accounts in customer environments
• Lead M&A IGA design work, establishing a scalable onboarding pattern for acquired entities that integrates into the core Saviynt/AD stackC
• Own the technical controls and evidentiary artifacts that support SOX access review attestation, SOD enforcement, and QAR (Quarterly Access Review) campaigns
• Collaborate directly with Internal Audit to ensure the IGA program's access governance outputs satisfy audit requirements
• Design and implement Segregation of Duties (SOD) rule sets in Saviynt, with clear conflict detection, exception handling, and compensating controls
• Support ISO 42001 AI governance requirements as they intersect with identity tooling and access controls for AI systems
• Ensure access governance controls for SOX-in-scope applications (Salesforce/Apttus, Workday HCM, Workday Strategic Sourcing, ShareWorks, AD) are complete, documented, and auditor-ready ahead of the October 30, 2026 go-live commitment
• Own the technical response to the JSOX deprovisioning deficiency: partner with HR on termination workflow timing, removal of back-end manager approval bottlenecks, and implementation of timely leaver deprovisioning controls that satisfy JSOX requirement
• Serve as the senior technical mentor on the Identity Security team, upleveling engineers on Saviynt platform depth, IAM architecture patterns, and compliance-grade delivery standards
• Establish technical standards for IGA engineering: test case quality, sprint closure criteria, test data generation, and peer review norm
• Act as the technical interface with Saviynt Professional Services, GuidePoint (PAM managed services), and Microsoft (Entra ID/Defender), ensuring vendor deliverables meet Blue Yonder's architecture and compliance requirements
• Contribute to the Security AI Agents program by identifying identity-adjacent automation opportunities (e.g., Saviynt, Delinea, Entra ID MCP integrations)

What we are looking for:

• 8+ years of experience in Identity & Access Management, Identity Security Engineering, or Security Engineering roles with demonstrated delivery of enterprise IAM programs
• Deep, hands-on Saviynt implementation experience: connector configuration, role management, access request workflows, access review campaigns, and Workday/AD/Salesforce integrations in production environments
• Expert-level knowledge of Active Directory and Entra ID (Azure AD) architecture: OU design, group policy, conditional access policies, Entra ID application registrations, and hybrid identity (AD Connect/cloud sync)
• Strong understanding of identity lifecycle management (joiner/mover/leaver), SOD enforcement, access certification, and access governance frameworks in SOX-regulated or similarly audited environments
• Experience designing and delivering IGA programs under SOX, PCI-DSS, ISO 27001, or SOC 2 compliance obligations, with direct engagement with internal or external audit functions
• Working knowledge of Privileged Access Management platforms (Delinea, CyberArk, or equivalent) and experience integrating PAM with IGA governance workflows
• Proficiency in identity automation and scripting (PowerShell, Python) for provisioning workflows, access review automation, and API-based integrations between identity platforms
• Demonstrated ability to operate at Staff/Principal IC level: setting technical direction, influencing cross-functional teams without direct authority, and driving complex programs through ambiguity
• Experience with ERP/CRM IGA connector integration, particularly MS Dynamics or Salesforce, including RBAC analysis, SOD rule configuration, and audit-readiness documentation
• Hands-on experience with Microsoft E5 identity and security suite: Entra ID P2, Defender for Identity, Microsoft Entra Permissions Management (CIEM), and Entra ID Governance
• Experience with PAM platforms in managed services or co-delivery models, particularly in post-migration hardening and roadmap planning scenarios
• Familiarity with JIT (Just-in-Time) provisioning patterns and implementation in enterprise IGA platforms
• Experience with M&A identity integration: designing onboarding patterns for acquired entities into an existing IGA/AD/PAM stack
• Exposure to AI governance requirements (ISO 42001, EU AI Act) as they apply to identity tooling, access controls for AI systems, or AI-assisted identity workflows
• Experience integrating identity platforms with MCP (Model Context Protocol) or similar agentic automation frameworks
• Relevant certifications: Saviynt Certified Professional, Microsoft Certified: Identity and Access Administrator (SC-300), CISSP, or equivalent

Our Values

If you want to know the heart of a company, take a look at their values. Ours unite us. They are what drive our success – and the success of our customers. Does your heart beat like ours? Find out here: Core Values

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or protected veteran status.

Experience Level

Senior Level