Principal IAM Engineer

Job Description – Principal IAM Engineer (Active Directory & BeyondTrust)

Role Overview

The Principal IAM Engineer is a senior, hands-on technical authority responsible for end-to-end engineering ownership, design decisions, and technical governance of enterprise Identity and Access Management (IAM) platforms, with deep expertise in Active Directory (AD) and BeyondTrust (PAM/EPM).

This role acts as the highest-level technical escalation (L4) for IAM engineering, drives architecture standards, and ensures IAM platforms are secure, scalable, resilient, and audit-ready across on-prem, hybrid, and cloud environments.

Key Responsibilities

Active Directory – Principal Engineering Ownership

• Own architecture, design authority, and technical standards for Active Directory.
• Design and govern AD forest/domain architecture, trust models, OU strategies, and delegation.
• Lead Domain Controller lifecycle management including build, hardening, patching, and health.
• Design and approve Group Policy (GPO) strategies aligned with security and compliance.
• Troubleshoot complex replication, DNS, authentication, and Kerberos issues.
• Lead AD modernization and technical debt reduction initiatives.

BeyondTrust – Privileged Access & Endpoint Privilege Engineering

• Act as technical authority for BeyondTrust PAM / EPM platforms.
• Design least-privilege enforcement and endpoint elevation policies.
• Define enterprise privilege use cases, guardrails, and exception handling.
• Ensure auditability and monitoring of privileged access activities.

Architecture, Standards & Governance

• Define IAM engineering standards, reference architectures, and patterns.
• Review and approve high-risk IAM designs and integrations.
• Align IAM platforms to Zero Trust and identity-centric security models.
• Drive roadmap, upgrades, and continuous improvement initiatives.

Operational Excellence

• Serve as L4 escalation point for complex IAM issues.
• Lead root cause analysis for critical incidents.
• Ensure SOPs, runbooks, and design artifacts are maintained.

Mentorship & Technical Leadership

• Mentor IAM engineers and leads through design and technical reviews.
• Act as trusted advisor to security, infrastructure, and application teams.

Required Skills & Experience

• 12+ years of experience in IAM or security engineering.
• Expert-level hands-on experience with Active Directory.
• Strong expertise in BeyondTrust PAM / EPM.
• Advanced PowerShell scripting skills.
• Experience in large, regulated enterprise environments.

Good to Have

• Experience with Microsoft Entra ID / Azure AD.
• Exposure to SailPoint or other IGA platforms.
• Knowledge of ISO 27001, SOX, HITRUST, or SOC 2 environments.
• Zero Trust architecture familiarity.

Role Level Clarification

• Principal-level individual contributor
• Technical authority role (non-people manager)