Identity & Access Engineer (IAM)

Finova
Salford, United Kingdom
9 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Remote
Salford, United Kingdom

Tech stack

ASP.NET
.NET
Active Directory Federation Services
Artificial Intelligence
Amazon Web Services (AWS)
Computing Platforms
Audit Trail
Automation of Tests
Azure
Software as a Service
Cloud Computing
Cloud Engineering
Databases
Continuous Integration
Data Masking
Data Security
DevOps
Middleware
Github
Identity and Access Management
Python
Key Management
Microsoft SQL Server
OAuth
OpenID
Operational Databases
PCI Data Security Standards
Ping (Networking Utility)
Powershell
Role-Based Access Control
Rule Engine
Zero Trust Network Access
Security Assertion Markup Language (SAML)
SQL Databases
Systems Integration
AI Infrastructure
Policy as Code
Scripting (Bash/Python/Go/Ruby)
Google Cloud Platform
Okta
Large Language Models
Software Security
Multi-Cloud
Technical Debt
Ws-federation
Hashicorp
Dynamic Data
Machine Learning Operations
Api Gateway
SailPoint
Software Version Control

Job description

Finova is seeking a seasoned IAM Specialist to own the design and implementation of identity, access, and entitlements across a multi-cloud SaaS fintech platform.

  • Core Responsibility: Translate architectural choices into practical, automated, and secure IAM implementations spanning workforce, customer, and machine identities.
  • The Stack: Multi-cloud infrastructure across AWS, Azure, and GCP. Applications run on .NET / ASP.NET with SQL Server-backed role systems.
  • Key Challenge: Enforce tenant isolation and strict least-privilege to satisfy regulators, while defining cutting-edge access boundaries for AI pipelines, vector databases, and automated decision engines.
  • Work Model: A highly collaborative, hands-on hybrid role. You will balance high-level access modeling with day-to-day configuration, such as writing OPA Rego rules or configuring Azure AD Conditional Access policies.
  • The Structural Architect: You enjoy mapping complex business roles into clean, automated framework permissions, avoiding the technical debt of "privilege creep."
  • Platform Architecture: Design and implement the identity framework across workforce (employees/contractors), customer (tenant users/admins), and machine identities (services/AI pipelines).
  • Primary IdP Management: Configure and manage Azure AD (Entra ID) tenant structures, app registrations, Conditional Access policies, and directory sync.
  • Enterprise Federation: Implement SAML 2.0, OIDC, and WS-Federation patterns to smoothly onboard customer-managed IdPs like Okta, Ping, and ADFS for enterprise SSO.
  • Automated Provisioning: Design and operate SCIM-based provisioning and deprovisioning workflows to automate user lifecycles across SaaS tenants.
  • Multi-Cloud Mapping: Map Azure AD identities to AWS IAM roles and GCP Workforce Identity Federation to maintain a cohesive, centralized access model.

Privileged Access & Entitlements Management

  • PIM/PAM Operations: Implement Just-In-Time (JIT) access, time-bound elevation, and multi-stage approval workflows for sensitive administrator roles.
  • CIEM Right-Sizing: Utilize Cloud Infrastructure Entitlements Management (CIEM) concepts to monitor and reduce standing privileges or over-entitled accounts across AWS, Azure, and GCP.
  • Access Certification: Build automated entitlement review campaigns so business managers can attest to access appropriateness with minimal friction.
  • Break-Glass Procedures: Establish emergency access workflows equipped with automated expiration, full audit trails, and post-incident review requirements.

Application-Level Access Control (RBAC / ABAC)

  • Layered Enforcement: Design access models that cross multiple enforcement boundaries, including ASP.NET middleware, API gateways, and SQL Server database layers.
  • Claims Mapping: Maintain the mapping between business roles, ASP.NET Identity/Claims, and database-level permissions (such as SQL Server roles and Row-Level Security).
  • Tenant Isolation: Enforce tenant-scoped RBAC to ensure roles and claims are strictly bound to tenant context, architecturally preventing cross-tenant privilege escalation.
  • Policy-as-Code: Write Open Policy Agent (OPA) / Rego policies to centralize fine-grained authorization, utilizing version control, automated testing, and staged rollouts in CI/CD.

Multi-Cloud IAM Operations

  • Cloud Hardening: Manage cloud-native IAM mechanisms, including AWS SCPs and Permission Boundaries; Azure RBAC and Managed Identities; and GCP Organization Policy Constraints.
  • Least-Privilege Verification: Use automated tooling (permission analyzers, simulation tools) to discover and eliminate unused access before deployments go live.
  • Machine Identities: Enforce short-lived credentials, workload identity federation, and secretless patterns for service accounts and machine-to-machine authentication.
  • Pipeline Security: Secure access to CI/CD pipelines (Azure DevOps, GitHub Actions), artifact registries, and IaC codebases using federated workload identity (OIDC) rather than static keys.
  • SQL Governance: Manage SQL Server database role hierarchies, schema-level permissions, Row-Level Security (RLS) policies, dynamic data masking, and Always Encrypted structures.
  • Database DevOps: Design access controls for migration tools, analytics queries, and read-replicas to empower engineering velocity without providing permanent production database access.
  • Database Auditing: Implement and monitor database audit logs to track privileged queries, schema alterations, and potential anomalous data access.

AI & ML Pipeline Access Control

  • Workload Identity: Ensure model training jobs, feature pipelines, and serving endpoints utilize scoped, short-lived credentials to access data.
  • AI Component Protection: Define and implement access controls for vector databases, feature stores, and model registries to secure training datasets and model artifacts.
  • Endpoint Authorization: Establish strict authorization policies controlling which roles or tenants can invoke AI endpoints, minimizing AI service account permissions.
  • Data Boundary Enforcement: Partner with Data and AI teams to enforce isolation in ML pipelines during both training phases and inference-time retrieval.

AppSec & Compliance Integration

  • Automated Evidence: Align IAM configurations with SOC 2 Type II, PCI-DSS, and regulatory mandates, building automated evidence collection natively into the platform.
  • Identity Auditing: Design unified audit logging for all authentication events, authorization decisions, privilege elevations, and policy updates.
  • Threat Modeling & Assessment: Participate in threat modeling sessions to bring deep identity expertise to bear against credential stuffing, token theft, and lateral movement vectors.
  • AI Governance Integration: Address specific access oversight constraints regarding who can approve model deployments and who can access AI decision logs.

Requirements

You are a highly analytical identity purist who recognizes that in a modern cloud ecosystem, identity is the actual security perimeter. You bridge the gap between application engineering, cloud infrastructure, and regulatory audit, acting as the subject matter expert on who, and what, has access to everything.

  • Code-Driven Security Advocate: You prefer policy-as-code over manual UI configurations, favoring auditable git repositories and continuous testing for authorization logic.
  • Pragmatic Problem Solver: You understand that security fails if it creates friction, meaning you are constantly looking for ways to use JIT elevation, automated provisioning, and SSO to make access seamless yet secure.
  • Rigorous Guard of Boundaries: You possess an uncompromising eye for isolation details, instinctively knowing how to defend against cross-tenant data leaks and broken access controls.
  • Experience: 4-6 years in IAM, security engineering, or identity-focused cloud engineering with hands-on enterprise deployment experience.
  • Entra ID Expertise: Deep practical knowledge of Azure AD (Entra ID), encompassing app registrations, Conditional Access, PIM, and federation configurations.
  • Multi-Cloud Competency: Hands-on experience with at least two major cloud providers (AWS IAM, Azure RBAC, or GCP IAM) and operational familiarity with all three.
  • Application & DB IAM: Experience implementing RBAC/ABAC models within .NET / ASP.NET applications (Claims, ASP.NET Identity) alongside practical SQL Server access management (roles, RLS, data masking).
  • Federation Protocols: Strong capabilities with SAML 2.0, OIDC, OAuth 2.0, and SCIM provisioning workflows.
  • Policy-as-Code Skills: Experience writing, testing, and deploying authorization policies (OPA/Rego, Azure Policy, or AWS SCPs) directly within a CI/CD pipeline.
  • Modern IAM Tooling: Familiarity with PIM/PAM, CIEM concepts, secretless DevOps access patterns (OIDC-based pipeline identity), and secrets managers (Azure Key Vault, HashiCorp Vault).
  • SaaS Architecture Intuition: A strong understanding of multi-tenancy, with the ability to easily identify missing tenant contexts or authorization bypass vulnerabilities.
  • Communication: Ability to articulate complex identity structures and compliance mandates clearly to developers, architects, and non-technical auditors alike.

Nice-to-Have

  • Fintech Experience: Prior experience navigating IAM in highly regulated domains like banking, payments, or insurance.
  • CIEM/IGA Platforms: Familiarity with platforms like Microsoft Entra Permissions Management, Ermetic, SailPoint, or Saviynt.
  • AI Infrastructure Security: Experience building access controls explicitly tailored for model training environments, feature stores, or LLM integrations.
  • Certifications: SC-300 (Microsoft Identity Administrator), AWS Security Specialty, AZ-500, CISSP, or CCSP.
  • Automation Scripting: Competency in PowerShell or Python for automating access reviews, reporting, and IAM operations.
  • Zero Trust Strategy: Understanding of broader Zero Trust architectures, integrating device compliance and network trust factors with core identity decisions.

Benefits & conditions

Work in a hybrid way that suits you. Our model is primarily office-based, with flexibility to work remotely as needed. We're committed to supporting a healthy balance between work and life.

  • Private medical insurance: Comprehensive health cover, with the option to add your family to your plan, because your well-being matters to us.

  • Life assurance & income protection: We provide life assurance and income protection to give you peace of mind for the future.

  • Family friendly policies: Our enhanced family-friendly policy goes beyond maternity and paternity leave, offering paid time off for when plans change or alternative paths to parenthood are needed.

  • Work from anywhere: Some thrive in the office, others at home, and many do best with choice. With approval, Finova employees can work abroad for up to 4 weeks each year.

  • Flexible holiday package: Enjoy 25 days paid holiday allowance, plus all public holidays. And, you can rebook any public holidays for a day that aligns with your personal beliefs or celebration calendar. We also offer holiday trading, allowing you to purchase or sell your holiday allowance.

  • Company pension scheme: With salary exchange, you save on tax and can build a secure future.

  • Employee assistance programme: We understand that mental health is just as important as physical health. Access to a 24/7 confidential counselling helpline ensures you have support when you need it.

  • Electric car scheme: Get a brand-new electric vehicle with salary sacrifice as a benefit, paid for through your gross monthly pay, saving on Income Tax and National Insurance.

  • Health cash plan: Our Health Cash Plan empowers you to prioritise your wellbeing by providing effortless reimbursement for everyday healthcare costs, from dental and optical visits to physiotherapy.

  • Gym discounts: Achieve your fitness goals for less with GymFlex, which offers significant savings on annual memberships at over 3,000 gyms and leisure centres nationwide.

  • Perks that matter: We fuel your day with a fully stocked pantry of fresh fruit and snacks and keep the team spirit high with weekly socials and events.

About the company

Finova is the UK's largest financial services technology provider, supporting one in every five mortgages nationwide. Our agile, cloud-native solutions enable over 60 banks, building societies, specialist lenders, equity release providers and a network of 2,400+ brokers to stay ahead in a competitive market. Built on open architecture and backed by deep industry expertise, our platform is designed to scale. Each year, we process over £50 billion in loans, manage nearly £50 billion in savings, and support the digital servicing of more than 650,000 UK borrower accounts. Be part of a team that's driving innovation, enabling growth and shaping the future of UK lending. For lenders, Finova offers a flexible, modular technology suite designed to help lenders move faster, scale efficiently and deliver standout digital experiences.