Scope:
- We are seeking an experienced and technically deep Staff Security Engineer to lead Blue Yonder's Identity & Access Management engineering program.
- This role serves as the technical owner of the Saviynt IGA implementation (Blue Yonder's most strategically critical security program), while also setting the architecture direction for a wider IAM portfolio spanning privileged access management (Delinea), MFA enforcement, Entra ID/Active Directory, and identity governance policy.
What you will be doing:
- Serve as the technical lead for the Saviynt IGA implementation, owning architecture decisions across all integration workstreams: Workday HCM (joiner/mover/leaver), Active Directory provisioning (6,000 groups), Salesforce (Apttus/CPQ), Workday Strategic Sourcing, ShareWorks, and MS Dynamics (scoping in progress)
- Design and implement the full identity lifecycle in Saviynt: joiner provisioning, role assignment, mover workflows, leaver deprovisioning, and account reconciliation
- Lead access review campaign configuration in Saviynt: Role Owner Campaigns, User Access Management Campaigns, manager and role-owner certification workflows, and vacation delegation handling
- Own the Saviynt-Azure AD/Entra ID SSO integration and API authentication architecture for downstream app connectivity
- Drive integration with cross-functional ITG teams to resolve sandbox/dev environment dependencies, connector configuration, and environment refresh protocols
- Define and own the IGA program's testing strategy: establish test case standards, manage test data generation, and coordinate test execution coverage across sprints, including identifying and onboarding engineering resources to fill testing gaps
- Ensure all IGA implementation work meets SOX audit requirements: accurate test case documentation, clean sprint closure, and evidentiary output aligned to Internal Audit expectations
- Set the technical direction for Blue Yonder's IAM architecture across IGA (Saviynt), PAM (Delinea), MFA Everywhere, Conditional Access, and AD/Entra ID
- Design the identity-edge Zero Trust model, replacing VPN-centric access with an identity-first architecture built on Entra ID Conditional Access, Saviynt governance, and Delinea privileged access controls
- Define and maintain the IAM technical roadmap in partnership with the Identity Security manager, translating business and compliance requirements into sequenced engineering deliverables
- Evaluate and guide the consolidation of identity tools around Microsoft E5 (Entra ID, Defender for Identity) and drive rationalization of legacy identity infrastructure
- Architect JIT provisioning capabilities to address access governance gaps, including Blue Yonder personnel with direct admin accounts in customer environments
- Lead M&A IGA design work, establishing a scalable onboarding pattern for acquired entities that integrates into the core Saviynt/AD stack
- Own the technical controls and evidentiary artifacts that support SOX access review attestation, SOD enforcement, and QAR (Quarterly Access Review) campaigns
- Collaborate directly with Internal Audit to ensure the IGA program's access governance outputs satisfy audit requirements
- Design and implement Segregation of Duties (SOD) rule sets in Saviynt, with clear conflict detection, exception handling, and compensating controls
- Support ISO 42001 AI governance requirements as they intersect with identity tooling and access controls for AI systems
- Ensure access governance controls for SOX-in-scope applications (Salesforce/Apttus, Workday HCM, Workday Strategic Sourcing, ShareWorks, AD) are complete, documented, and auditor-ready ahead of the October 30, 2026 go-live commitment
- Own the technical response to the JSOX deprovisioning deficiency: partner with HR on termination workflow timing, removal of back-end manager approval bottlenecks, and implementation of timely leaver deprovisioning controls that satisfy JSOX requirements
- Serve as the senior technical mentor on the Identity Security team, upleveling engineers on Saviynt platform depth, IAM architecture patterns, and compliance-grade delivery standards
- Establish technical standards for IGA engineering: test case quality, sprint closure criteria, test data generation, and peer review norms
- Act as the technical interface with Saviynt Professional Services, GuidePoint (PAM managed services), and Microsoft (Entra ID/Defender), ensuring vendor deliverables meet Blue Yonder's architecture and compliance requirements
- Contribute to the Security AI Agents program by identifying identity-adjacent automation opportunities (e.g., Saviynt, Delinea, Entra ID MCP integrations)
What we are looking for:
- 8+ years of experience in Identity & Access Management, Identity Security Engineering, or Security Engineering roles with demonstrated delivery of enterprise IAM programs
- Deep, hands-on Saviynt implementation experience: connector configuration, role management, access request workflows, access review campaigns, and Workday/AD/Salesforce integrations in production environments
- Expert-level knowledge of Active Directory and Entra ID (Azure AD) architecture: OU design, group policy, conditional access policies, Entra ID application registrations, and hybrid identity (AD Connect/cloud sync)
- Strong understanding of identity lifecycle management (joiner/mover/leaver), SOD enforcement, access certification, and access governance frameworks in SOX-regulated or similarly audited environments
- Experience designing and delivering IGA programs under SOX, PCI-DSS, ISO 27001, or SOC 2 compliance obligations, with direct engagement with internal or external audit functions
- Working knowledge of Privileged Access Management platforms (Delinea, CyberArk, or equivalent) and experience integrating PAM with IGA governance workflows
- Proficiency in identity automation and scripting (PowerShell, Python) for provisioning workflows, access review automation, and API-based integrations between identity platforms
- Demonstrated ability to operate at Staff/Principal IC level: setting technical direction, influencing cross-functional teams without direct authority, and driving complex programs through ambiguity
- Experience with ERP/CRM IGA connector integration, particularly MS Dynamics or Salesforce, including RBAC analysis, SOD rule configuration, and audit-readiness documentation
- Hands-on experience with Microsoft E5 identity and security suite: Entra ID P2, Defender for Identity, Microsoft Entra Permissions Management (CIEM), and Entra ID Governance
- Experience with PAM platforms in managed services or co-delivery models, particularly in post-migration hardening and roadmap planning scenarios
- Familiarity with JIT (Just-in-Time) provisioning patterns and implementation in enterprise IGA platforms
- Experience with M&A identity integration: designing onboarding patterns for acquired entities into an existing IGA/AD/PAM stack
- Exposure to AI governance requirements (ISO 42001, EU AI Act) as they apply to identity tooling, access controls for AI systems, or AI-assisted identity workflows
- Experience integrating identity platforms with MCP (Model Context Protocol) or similar agentic automation frameworks
- Relevant certifications: Saviynt Certified Professional, Microsoft Certified: Identity and Access Administrator (SC-300), CISSP, or equivalent
Our Values
If you want to know the heart of a company, take a look at its values. Ours unite us. They are what drive our success, and the success of our customers. Does your heart beat like ours? Find out here:
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or protected veteran status.