Principal Cloud IAM Engineer
Posted 4 weeks ago
at Workday
Reston, VA, United States (Remote)
Responsibilities
- Build the future of Cybersecurity at Workday by applying innovative technology to a customer-centric platform! The Workday Enterprise Security team safeguards Workday's vital data, infrastructure, and applications through authority, technical solutions, and risk mitigation across all enterprise systems, concentrating on security architecture, engineering, and infrastructure.
Requirements
- We’re obsessed with making hard work pay off, for our people, our customers, and the world around us. As a Fortune 500 company and a leading AI platform for managing people, money, and agents, we’re shaping the future of work so teams can reach their potential and focus on what matters most.
- About the Role: Workday's identity surface is large, distributed, and growing, spanning multi-account AWS environments, enterprise SaaS, a global workforce, and an expanding set of AI-driven workloads.
- The scope spans human and non-human identity, cloud authorization, federation, secrets management, and the emerging challenge of securing AI agents in production — where the patterns don't fully exist yet and you'll be helping to define them.
- experience in cloud security or IAM, with at least 3 years in a senior or architect-level role with clear ownership of strategy and technical direction.
- Proven AWS IAM foundations: SCPs, IAM Identity Center, ABAC, multi-account Organizations architecture, and secrets management at scale via AWS Secrets Manager or an equivalent vault solution.
- GCP familiarity is advantageous but not required.
- Demonstrated Okta experience at enterprise scale: SSO, adaptive MFA, SCIM provisioning, lifecycle management, and AWS environment integration.
- Deep familiarity with federation protocols (SAML, OIDC, and OAuth2), applied and debugged across complex, heterogeneous environments.
- Infrastructure-as-code fluency with Terraform, and a clear understanding of how identity controls integrate into and are enforced through CI/CD pipelines.
- Hands-on engagement with AI and agentic identity is required.
- This means working knowledge of NHI lifecycle management, service-to-service trust models, and least-privilege design for workloads that assume IAM roles, call external APIs, and chain actions across services.
- Familiarity with AI security tooling such as identity-aware proxies, agent observability platforms, or LLM access governance is a strong differentiator.