Principal Identity & Authentication Architect

TalentVibe BC

4.5 - 6.5K SGD
Contract

Key Responsibilities

Strategy & Thought Leadership

  • Define and own the target-state identity architecture spanning IAM, privileged access, and non-human identity, with carrier tokenisation and just-in-time access at its core.
  • Act as the authoritative voice on identity architecture decisions, providing clear direction and strong opinions grounded in deep domain expertise.
  • Maintain a current perspective on emerging identity standards and technologies, and apply that insight to shape the Client’s direction.
  • Develop use-case enablement patterns and reference architectures that provide a repeatable, scalable bridge between strategic vision and project-level execution.


IAM Architecture & Maturity

  • Lead the evolution of the SailPoint IGA deployment, defining the target-state identity governance model and a practical path to get there.
  • Design a centralised authentication framework to replace the current dispersed model.
  • Architect a seamless end-user authentication experience across banking channels, eliminating unnecessary re-authentication touchpoints.
  • Design a cloud-native central SDK for standardised project onboarding to the identity platform.


Privileged Access & PAM

  • Architect the target-state privileged access model, moving away from standing privileges toward just-in-time, token-based access.
  • Provide architectural leadership for the CyberArk PSM database access transformation programme, including the migration factory for approximately 1,050 database assets.
  • Design controls to reduce lateral movement risk and establish identity-based segmentation principles.
  • Define the secrets management strategy across the environment.


Non-Human & Cloud Identity

  • Develop the non-human identity framework for machine-to-machine authentication and workload identity.
  • Establish identity controls across Kubernetes, CI/CD pipelines, and cloud-native workloads.
  • Define the identity model for AI agents and autonomous systems as the bank’s AI footprint expands.
  • Work with the Entra ID platform and complementary tooling (CyberArk, HashiCorp) to optimise configuration in line with the target architecture.


Governance & Capability Uplift

  • Support the remediation of outstanding IDAM audit findings by embedding governance into the architectural vision and delivery roadmap.
  • Establish architectural guardrails, standards, and patterns that strengthen the bank’s identity security posture.
  • Provide technical direction and mentorship to distributed identity teams, including offshore delivery teams across the Asia-Pacific region.
  • Bridge the gap between available CyberArk/SailPoint operational skill sets and the strategic identity architecture vision.


Required Skills & Experience

  • Extensive experience (10+ years) in Identity & Access Management architecture and engineering, spanning IAM, PAM, and identity governance.
  • Proven expertise in token-based authentication architectures (OAuth 2.0, OIDC, carrier tokenisation concepts) and just-in-time access models.
  • Strong experience with Microsoft Entra ID (Azure AD) as a primary identity platform.
  • Deep knowledge of privileged access management, including CyberArk (PSM, PAS) or equivalent PAM platforms, secrets management, and least-privilege architecture.
  • Demonstrable experience designing and delivering cloud-native identity solutions at enterprise scale, including workload identity and Kubernetes environments.
  • Experience with identity governance platforms, particularly SailPoint IdentityNow or IdentityIQ, including optimisation and maturity uplift of existing deployments.
  • Track record of managing non-human and machine-to-machine identity, including workload identities and CI/CD pipeline identity.
  • Experience working within heavily regulated environments (banking, financial services) including audit remediation and regulatory compliance.
  • Ability to operate as a thought leader: articulate a compelling vision, influence senior stakeholders, and drive alignment across business and technology.
  • Experience leading or mentoring geographically distributed engineering teams.


Highly Desirable

  • Experience with factory-model delivery for large-scale identity migration or onboarding programmes.
  • Familiarity with HashiCorp Vault or comparable secrets management and workload identity platforms.
  • Experience with Zero Trust architecture and identity-based microsegmentation.
  • Familiarity with just-in-time (JIT) access provisioning and zero-standing-privilege models.
  • SDK design and developer experience (DX) for identity platform onboarding.
  • Previous experience in Australian banking or financial services.
  • Understanding of prudential regulatory frameworks relevant to IAM in financial services.
  • Awareness of emerging identity requirements for AI agents and autonomous systems.