
Role Overview
The Principal IAM Engineer is a senior, hands-on technical authority responsible for end-to-end engineering ownership, design decisions, and technical governance of enterprise Identity and Access Management (IAM) platforms, with deep expertise in Active Directory (AD) and BeyondTrust (PAM/EPM).
This role acts as the highest-level technical escalation (L4) for IAM engineering, drives architecture standards, and ensures IAM platforms are secure, scalable, resilient, and audit-ready across on-prem, hybrid, and cloud environments.
Key Responsibilities
Active Directory - Principal Engineering Ownership
- Own architecture, design authority, and technical standards for Active Directory.
- Design and govern AD forest/domain architecture, trust models, OU strategies, and delegation.
- Lead Domain Controller lifecycle management including build, hardening, patching, and health.
- Design and approve Group Policy (GPO) strategies aligned with security and compliance.
- Troubleshoot complex replication, DNS, authentication, and Kerberos issues.
- Lead AD modernization and technical debt reduction initiatives.
BeyondTrust - Privileged Access & Endpoint Privilege Engineering
- Act as technical authority for BeyondTrust PAM / EPM platforms.
- Design least-privilege enforcement and endpoint elevation policies.
- Define enterprise privilege use cases, guardrails, and exception handling.
- Ensure auditability and monitoring of privileged access activities.
Architecture, Standards & Governance
- Define IAM engineering standards, reference architectures, and patterns.
- Review and approve high-risk IAM designs and integrations.
- Align IAM platforms to Zero Trust and identity-centric security models.
- Drive roadmap, upgrades, and continuous improvement initiatives.
Operational Excellence
- Serve as L4 escalation point for complex IAM issues.
- Lead root cause analysis for critical incidents.
- Ensure SOPs, runbooks, and design artifacts are maintained.
Mentorship & Technical Leadership
- Mentor IAM engineers and leads through design and technical reviews.
- Act as trusted advisor to security, infrastructure, and application teams.
Required Skills & Experience
- 12+ years of experience in IAM or security engineering.
- Expert-level hands-on experience with Active Directory.
- Strong expertise in BeyondTrust PAM / EPM.
- Advanced PowerShell scripting skills.
- Experience in large, regulated enterprise environments.
Good to Have
- Experience with Microsoft Entra ID / Azure AD.
- Exposure to SailPoint or other IGA platforms.
- Knowledge of ISO 27001, SOX, HITRUST, or SOC 2 environments.
- Zero Trust architecture familiarity.
Role Level Clarification
- Principal-level individual contributor
- Technical authority role (non-people manager)
Providence, one of the US's largest not-for-profit healthcare systems, is committed to high quality, compassionate healthcare for all. Driven by the belief that health is a human right and the vision, 'Health for a better world', Providence and its 121,000 caregivers strive to provide everyone access to affordable quality care and services.
Job ID: 146578775