IAM Architect

Xtensys
Ithaca, NY Full Time
POSTED ON 6/26/2026
AVAILABLE BEFORE 7/24/2026
Who We Are

Xtensys is a rapidly growing managed service provider delivering innovative technology solutions to health systems, beginning in New York and expanding nationwide. Owned by two industry leaders with a strong focus on advancing rural and community healthcare, Xtensys is executing several major initiatives and scaling quickly. With a team of more than 500 professionals, we are building a people-centered culture rooted in collaboration, innovation, and strategic thinking.

We are seeking an experienced IAM Architect to support our continued growth and commitment to deliver exceptional client outcomes.

Why Join Us?

  • Mission-Driven Work: You are the "bridge" ensuring technology serves health systems and their patients when they need it most.
  • Autonomy & Ownership: We trust you. You’ll lead projects, define success, and manage complexities with total support.
  • A Culture of Innovation: Have a fresh perspective? We want it. We encourage risk-taking and continuous improvement.
  • Continuous Growth: We fuel your "restless curiosity" with opportunities to expand your skillset and mentor others.

The Role:

Your Mission: The IAM Architect is a senior technical lead responsible for designing, documenting, and driving the maturation of identity and access management capabilities across the Xtensys environment and its customers. This is not a purely advisory role. The right candidate will own the current state, define the future state, and build the stepping stones between them, producing deliverables that are equally credible to a CISO and a systems administrator.

This role requires a high degree of independent judgment and self-direction. The IAM Architect is expected to proactively identify process gaps, access anomalies, governance risks, and operational inefficiencies without waiting to be directed. When something is wrong or could be improved, the expectation is that you investigate it, document your findings, and bring a recommendation, not just an observation. The IAM Manager should learn about problems and their proposed solutions at the same time, rather than assigning discovery work.

The role operates across two horizons simultaneously. In the near term, the Architect will optimize existing tooling, including ManageEngine ADManager Plus, to reduce manual lifecycle work and improve governance controls while the organization evaluates a next-generation IGA platform (SailPoint IdentityNow, pending budget approval). In the longer term, the Architect will lead the design and phased implementation of that platform, including Epic EMR provisioning, enterprise RBAC, and access certification programs.

This role may mentor or provide technical direction to junior IAM team members but does not carry formal supervisory responsibility at this time.

What You’ll Do Day-to-Day:

Proactive Governance and Anomaly Detection:

  • Continuously monitor identity systems, access patterns, lifecycle workflows, and audit logs for anomalies, policy violations, and process gaps without waiting for issues to be escalated.
  • Independently investigate anomalies, document root cause findings, and implement or recommend corrective actions with minimal direction.
  • Establish and maintain proactive monitoring practices including stale account detection, orphaned access identification, offboarding compliance tracking, and privilege creep analysis.
  • Maintain a standing risk and improvement register for the IAM program, self-updating it as new findings are identified and tracking items through resolution.

Current State Assessment and Documentation:

  • Assess, document, and baseline all primary IAM workflows including Joiner, Mover, Leaver, Leave of Absence, and Reactivation processes across all Xtensys-managed domains.
  • Identify and document manual process steps, tooling gaps, compliance exposure, and quality control risks in existing workflows.
  • Maintain living documentation of the IAM environment including architecture diagrams, process flows, and system integration maps.

IAM Program Strategy and Roadmap:

  • Develop and maintain a multi-horizon IAM program roadmap that addresses current state gaps, defines measurable future state outcomes, and accounts for budget contingencies and platform decisions.
  • Produce executive-facing program summaries, status reports, and governance updates suitable for CTO and CISO audiences.
  • Evaluate emerging IAM platforms and technologies against organizational requirements and present structured vendor recommendations to IAM leadership.

Identity Lifecycle Management:

  • Design, implement, and optimize Joiner, Mover, and Leaver workflows across on-premises Active Directory, Microsoft Entra ID, and integrated SaaS platforms.
  • Reduce manual lifecycle work in the current ManageEngine ADManager Plus environment through targeted workflow automation, role template optimization, and Jira integration improvements.
  • Design and implement Workday-to-IGA platform integration for lifecycle event triggering, attribute mapping, and manager synchronization.
  • Define and enforce offboarding standards including cross-domain account disablement, Epic access revocation, and privileged account closure within defined SLAs.

IGA Platform Implementation (SailPoint IdentityNow):

  • Lead the design and phased implementation of SailPoint IdentityNow pending budget approval, including connector configuration, lifecycle workflow build, and role model design.
  • Manage Epic EMP and SER integration within the IGA platform, coordinating with Epic Security and clinical informatics teams.
  • Design and implement access certification campaigns, attestation workflows, and governance reporting within the IGA platform.
  • Develop and execute a migration plan transitioning lifecycle workflows from ManageEngine ADManager Plus to SailPoint.

Identity Governance and Access Control:

  • Design and implement enterprise RBAC models across Active Directory, Entra ID, and clinical systems, with particular attention to Epic security role correlation.
  • Conduct and support periodic access reviews, recertifications, and audit evidence collection across all managed identity systems.
  • Develop and enforce IAM policies covering account standards, naming conventions, attribute requirements, and lifecycle SLAs.
  • Partner with cybersecurity and compliance teams to ensure IAM controls satisfy HIPAA, NIST 800-53, and organizational audit requirements.

Technical Operations and Escalation:

  • Serve as the senior technical escalation point for identity-related service tickets, provisioning failures, and access disputes.
  • Monitor IAM infrastructure for performance, availability, and security anomalies; proactively identify and remediate issues.

Who You Are & What You’ll Bring:

Proven Track Record:

  • 8 years of hands-on IAM experience with a combination of design, implementation, and operational ownership of enterprise identity systems.
  • Demonstrated experience producing current state assessments, IAM program roadmaps, and executive-facing communications for senior leadership audiences.
  • Experience designing and managing Joiner, Mover, Leaver workflows in complex multi-domain or post-merger environments.
  • Experience with Workday-to-Active Directory integration including HR-driven provisioning, attribute mapping, and lifecycle synchronization.
  • Experience implementing or operating in a healthcare or regulated industry environment with HIPAA compliance obligations.

Preferred Skills & Experience:

  • SailPoint IdentityNow implementation experience including connector development, lifecycle workflow configuration, role model design, and access certification campaigns.
  • Familiarity with Epic EMR identity and access workflows, including EMP record management, SER provider records, security template design, and provisioning integration with an IGA platform.
  • Experience designing IAM programs in post-merger or multi-entity environments with multiple Active Directory domains and distinct identity namespaces.

Certifications:

  • SailPoint Certified IdentityNow Engineer or equivalent IGA platform certification preferred.
  • Microsoft Identity and Access Administrator (SC-300) or equivalent Entra ID certification preferred.

Technical Savvy:

  • Deep expertise with Microsoft Active Directory and Microsoft Entra ID (Azure AD) including hybrid identity, Conditional Access, and delegated administration.
  • Strong PowerShell scripting capability for lifecycle automation, audit log analysis, group membership management, and reporting.
  • Proficiency with ManageEngine ADManager Plus including role-based templates, delegated workflows, and provisioning automation.
  • Experience with SAML, OAuth 2.0, OIDC, SCIM, and LDAP protocols in enterprise integration contexts.
  • Working knowledge of Jira for service ticket workflow management and IAM request routing.
  • Familiarity with BeyondTrust and SecureLink for privileged and third-party access management.

Work Schedule & Additional Requirements:

  • On-call support may be required approximately once every six weeks to assist with escalations and provide after-hours support as needed.
  • Occasional travel (5% or less) may be required for team meetings and collaboration.

Physical Readiness:

  • Sedentary work requiring exertion of up to 10 pounds of force occasionally. The role involves sitting most of the time, with occasional walking and standing as needed.

Salary: $95,000 - $115,000
