Senior IAM Engineer

Kestra Holdings offers industry-leading wealth management platforms for independent wealth management professionals nationwide. Kestra is dedicated to empowering independent financial professionals—including traditional and hybrid RIAs—to grow their businesses and deliver exceptional client service. We combine advanced business management technology with personalized consulting to provide unmatched scale, efficiency, and support. Our advisor-focused culture is built on innovation and advocacy, enabling advisors to offer comprehensive securities and investment advisory solutions to their clients.

Lead with Purpose. Partner with Impact.

We are seeking a Sr. IAM Engineer with deep experience assessing current state, designing target-state architectures, and implementing/maturing Role-Based (RBAC) and Attribute-Based (ABAC) access models at enterprise scale. This leader will serve as the SailPoint technical expert, engineering policy, integration, and governance processes that meet financial-services compliance expectations. The role partners with enterprise architects, risk/compliance, platform teams, and app owners to operationalize identity as a control across SaaS, on-prem, and cloud.

What you’ll Do:

• Define RBAC/ABAC standards, pattern libraries, and guardrails; author architecture decision records (ADRs).
• Drive role engineering (role discovery, consolidation, birthright access, SoD matrices) and ABAC policy design (attribute inventory, policy enforcement integration).
• Maintain the IGA reference architecture spanning SailPoint, Okta, directories (AD/LDAP), HR/ERP, and cloud providers.
• Partner with AppSec and platform teams to externalize authorization using federation and standardized protocols (SAML 2.0, OIDC, OAuth 2.0; SCIM for provisioning).
• Configure sources/authorities, connectors, aggregation & correlation rules, identity profiles, entitlement catalogs, lifecycle policies, workflows, access request, and certification campaigns in SailPoint; implement Okta connector patterns.
• Build monitoring/health checks, metrics, and dashboards for access governance KPIs; automate evidence collection.
• Define policies/standards for access control, attribute quality, identity proofing, certification cadence, and exception handling; ensure alignment with enterprise risk appetite.
• Support audits and regulatory examinations with defensible evidence, including certification results, SoD analyses, and access recertification trails.
• Mentor engineers and analysts; partner with business/application owners to onboard apps at scale under governance; establish repeatable app-onboarding playbooks (federation provisioning role modeling).
• SailPoint (IdentityIQ Engineer/Architect or Identity Security Cloud) and/or Okta certifications; experience integrating SailPoint with Okta via connectors/APIs.
• Cloud IAM concepts (Azure AD/Entra ID, AWS IAM), and experience mapping ABAC to cloud entitlements/metadata.
• Financial-services experience with audit/regulatory expectations (e.g., access certification cadence, evidence, SoD rigor).
  
  

What You Bring:

• 8 years in IAM with 5 years leading RBAC/ABAC design and enterprise deployment; demonstrable delivery of role mining/engineering and attribute-driven authorization.
• Hands-on SailPoint expertise (IdentityIQ or Identity Security Cloud/IdentityNow) across connectors, lifecycle automation, certifications, SoD, policy, and analytics; Okta SSO/MFA and federation patterns.
• Strong command of federated identity protocols and provisioning standards (SAML 2.0, OIDC, OAuth 2.0, SCIM).
• Working knowledge of directory services (AD/LDAP), identity data modeling, and integration architectures; familiarity with crypto & tokenization fundamentals for identity.
• Experience establishing access governance processes (access reviews, recertifications, SoD, exception management) consistent with industry best practices.
• Proficiency in at least one scripting language (e.g., Beanshell/Java for IIQ, Python/PowerShell for automation), and SQL for identity analytics.
  
  

Internal Application Policy:

Internal applicants must be in good standing and have a minimum of 1 year of service with Kestra. Internal applicants must also have a minimum of 1 year service in current role unless approved by EVP.

Benefits to support you:

• Competitive pay and benefits with a large employer (over 1600 employees nationwide)
• 401(k), health insurance, and a competitive benefits package
• Work in a supportive, collaborative environment committed to professional excellence
• Help clients navigate meaningful financial decisions with confidence
• Opportunities for training, development, and long-term growth within the firm
• Tuition reimbursement for qualified expenses
  
  

Kestra Values:

Our Mission is Powering Financial Independence, enabling the growth and success of investing clients and the advisors who serve them. We do that by living our values: Serve, Make it Happen, and One team.

Explore Life at Kestra

Kestra Holdings Website: https://www.kestrafinancial.com/

Careers Portal: https://jobs.dayforcehcm.com/en-US/kestra/KESTRACAREERSITE

LinkedIn: https://www.linkedin.com/company/kestra-financial

Apply Today

Lead with purpose. Apply now and help shape the future of Kestra.

Disclosure By applying to a job at Kestra Financial, Inc., you are agreeing to the following statements:

• You acknowledge that if hired, Kestra Financial, Inc. may, obtain and use background information concerning your credit, character, general reputation, personal characteristics, work habits, performance and experience for evaluation for your potential employment.
• It is the policy of Kestra Financial to ensure equal employment opportunity without discrimination or harassment on the basis of race, color, religion, sex, sexual orientation, gender, identity or expression, age, disability, marital status, citizenship, national origin, genetic information, or any other characteristic protected by law. Kestra Financial prohibits any such discrimination or harassment.