
Senior IAM Engineer

Job in Tempe, Maricopa County, Arizona, 85285, USA
Listing for: Kestra Holdings
Full Time position
Listed on 2026-03-09
Job specializations:
  • IT/Tech
    Cybersecurity, Systems Engineer
Job Description & How to Apply Below
Kestra Holdings offers industry-leading wealth management platforms for independent wealth management professionals nationwide. Kestra is dedicated to empowering independent financial professionals, including traditional and hybrid RIAs, to grow their businesses and deliver exceptional client service. We combine advanced business management technology with personalized consulting to provide unmatched scale, efficiency, and support. Our advisor-focused culture is built on innovation and advocacy, enabling advisors to offer comprehensive securities and investment advisory solutions to their clients.

Lead with Purpose. Partner with Impact.

We are seeking a Sr. IAM Engineer with deep experience assessing current state, designing target-state architectures, and implementing/maturing Role-Based (RBAC) and Attribute-Based (ABAC) access models at enterprise scale. This leader will serve as the SailPoint technical expert, engineering policy, integration, and governance processes that meet financial-services compliance expectations. The role partners with enterprise architects, risk/compliance, platform teams, and app owners to operationalize identity as a control across SaaS, on-prem, and cloud.

What You'll Do:
  • Define RBAC/ABAC standards, pattern libraries, and guardrails; author architecture decision records (ADRs).
  • Drive role engineering (role discovery, consolidation, birthright access, SoD matrices) and ABAC policy design (attribute inventory, policy enforcement integration).
  • Maintain the IGA reference architecture spanning SailPoint, Okta, directories (AD/LDAP), HR/ERP, and cloud providers.
  • Partner with AppSec and platform teams to externalize authorization using federation and standardized protocols (SAML 2.0, OIDC, OAuth 2.0; SCIM for provisioning).
  • Configure sources/authorities, connectors, aggregation & correlation rules, identity profiles, entitlement catalogs, lifecycle policies, workflows, access request, and certification campaigns in SailPoint; implement Okta connector patterns.
  • Build monitoring/health checks, metrics, and dashboards for access governance KPIs; automate evidence collection.
  • Define policies/standards for access control, attribute quality, identity proofing, certification cadence, and exception handling; ensure alignment with enterprise risk appetite.
  • Support audits and regulatory examinations with defensible evidence, including certification results, SoD analyses, and access recertification trails.
  • Mentor engineers and analysts; partner with business/application owners to onboard apps at scale under governance; establish repeatable app-onboarding playbooks (federation + provisioning + role modeling).
  • SailPoint (IdentityIQ Engineer/Architect or Identity Security Cloud) and/or Okta certifications; experience integrating SailPoint with Okta via connectors/APIs.
  • Cloud IAM concepts (Azure AD/Entra, AWS IAM), and experience mapping ABAC to cloud entitlements/metadata.
  • Financial-services experience with audit/regulatory expectations (e.g., access certification cadence, evidence, SoD rigor).
What You Bring:
  • 8+ years in IAM with 5+ years leading RBAC/ABAC design and enterprise deployment; demonstrable delivery of role mining/engineering and attribute-driven authorization.
  • Hands-on SailPoint expertise (IdentityIQ or Identity Security Cloud/IdentityNow) across connectors, lifecycle automation, certifications, SoD, policy, and analytics; Okta SSO/MFA and federation patterns.
  • Strong command of federated identity protocols and provisioning standards (SAML 2.0, OIDC, OAuth 2.0, SCIM).
  • Working knowledge of directory services (AD/LDAP), identity data modeling, and integration architectures; familiarity with crypto & tokenization fundamentals for identity.
  • Experience establishing access governance processes (access reviews, recertifications, SoD, exception management) consistent with industry best practices.
  • Proficiency in at least one scripting language (e.g., BeanShell/Java for IIQ, Python/PowerShell for automation), and SQL for identity analytics.
Internal Application Policy:

Internal applicants must be in good standing and have a minimum of 1 year of service with Kestra. Internal applicants must also have a minimum of 1 year service in current role unless approved by EVP.

Benefits to support you:
  • Competitive pay and benefits with a large employer (over 1600 employees nationwide)
  • 401(k), health insurance, and a competitive benefits package
  • Work in a supportive, collaborative environment committed to professional excellence
  • Help clients navigate meaningful financial decisions with confidence
  • Opportunities for training, development, and long-term growth within the firm
  • Tuition reimbursement for qualified expenses
Kestra Values:
Our Mission is Powering Financial Independence, enabling the growth and success of investing clients and the advisors who serve them. We do that by living our values:
Serve, Make it Happen, and One team.


Lead with purpose.…
Position Requirements
10+ Years work experience