Identity Access Manager (IAM) Engineer

WHO WE ARE
We are PEAK6, a leading investment firm, using technology to find a better way of doing things. The company's first tech-based solution was developed in 1997 to optimize options trading, and over the past two decades, the same formula has been used across a range of industries, asset classes, and business stages to consistently deliver superior results. Today, PEAK6 seeks transformational opportunities to provide capital and strategic support to entrepreneurs and forward-thinking businesses. PEAK6's core brands include PEAK6 Capital Management, PEAK6 Strategic Capital, Apex Fintech Solutions, FOCUS, We Insure, Evil Geniuses, Poker Power, Zogo, and Bruce Markets.
ABOUT THIS ROLE
About the role
You will own the identity layer that everything else depends on. That means making sure the right people have the right access at the right time, and that attackers cannot abuse credentials, tokens, or access paths to move through our environment. You will harden admin accounts, automate the joiner/mover/leaver lifecycle, clean up risky OAuth grants, and build the evidence trails that prove identity controls are working. You will partner closely with our US and Budapest teams to reduce account takeover risk and keep privileged access tight across PEAK6 and its portfolio companies.
PEAK6 operates across financial services, broker-dealer, insurance, and technology sectors. The identity controls you build directly support regulatory obligations including the GLBA Safeguards Rule, SEC Regulation S-P, and SEC cybersecurity risk management requirements, so your work has real stakes and visibility.
What you will do

• Harden privileged access: deploy and validate phishing-resistant MFA for admin accounts (FIDO2/WebAuthn hardware keys or equivalent), maintain break-glass account procedures and test them on a defined cadence, and enforce least-privilege baselines across cloud and SaaS environments.
• Own OAuth hygiene: audit and clean up risky or overprivileged OAuth grants across Google Workspace and connected SaaS platforms; define and enforce a restriction baseline that blocks high-risk scopes without breaking legitimate workflows.
• Build and operate JML automation: design and implement joiner, mover, and leaver workflows with evidence trails; drive leaver access revocation to a consistent sub-24-hour SLA and mover access delivery within defined SLAs.
• Apply risk-based access controls: define and implement stronger authentication and higher-scrutiny monitoring for risk cohorts (executives, finance, and IT admins) in partnership with the identity platform owners.
• Maintain continuous IAM visibility: build and sustain reporting that makes access posture visible (stale accounts, standing privilege, risky grants, and JML exceptions) and route findings to owners with Jira-tracked SLAs.
• Partner on identity-adjacent controls: coordinate with the Cloud/Platform team on cloud IAM policy, admin MFA enforcement, and least-privilege baselines across AWS and GCP environments.
• Document and prove outcomes: maintain runbooks, process documentation, and evidence records that support audit inquiries, access certifications, and executive reporting.

What you will bring

• Experience: 5+ years in identity and access management, with hands-on depth in Okta (or a comparable identity provider), Google Workspace admin, and OAuth/SAML/OIDC.
• Lifecycle automation: designing or operating joiner/mover/leaver workflows, ideally with evidence trails and measurable SLA tracking.
• Grant and scope analysis: comfort auditing grants, scoping restrictions, and distinguishing legitimate from risky delegated access in Google Workspace or Microsoft 365 environments.
• Privileged access patterns: familiarity with break-glass patterns, MFA enforcement policies, and admin account separation; experience with an enterprise password/secrets manager (we use 1Password).
• Ticket discipline: you route findings, exceptions, and lifecycle tasks to tickets naturally and keep them clean.
• Communication: able to write concise runbooks, explain access decisions to non-technical stakeholders, and produce audit-ready evidence.
• Autonomy: you operate with high autonomy, surface blockers early, and do not wait to be handed a playbook.
• After-hours response: willingness to participate in shared after-hours response to identity-related security alerts.

Certifications (nice to have, not required)
Okta Certified Professional or Administrator; GIAC GISF, GCIH; CompTIA Security+; Google Workspace Administrator; AWS Security Specialty or GCP Professional Cloud Security Engineer where cloud IAM is in scope.
How we will measure success

• Leaver access is revoked consistently within 24 hours with clean evidence trails.
• Admin accounts have phishing-resistant MFA enforced and break-glass procedures are tested and documented.
• Risky OAuth grants are identified, assessed, and resolved on a defined cadence, with a visible reduction in high-risk delegated access over time.
• JML workflows deliver and revoke access within SLA with audit-ready records.
• Identity posture is visible and improving: stale accounts, standing privilege, and exceptions are tracked and trending in the right direction.

#LI-P6
OUR REWARDS
We offer a robust package of employee perks and benefits, including healthcare benefits (medical, dental and vision, EAP), competitive PTO, 401k match, parental leave, and HSA contribution match. We also provide our employees with a paid subscription to the Calm app and offer generous external learning and tuition reimbursement benefits. As a hybrid workforce, we offer our employees the ability to work remotely up to two days a week.
Base pay offered may vary depending on job-related knowledge, skills, experience, and office location. This position also may be eligible for a discretionary annual bonus in addition to a range of health & wellness benefits, enhancing your overall compensation package.
Base Salary Range
$104,000-$130,000
PEAK6 is proud to be an equal opportunity employer that does not discriminate on the basis of race, color, religion, sex (including pregnancy, sexual orientation, and gender identity), national origin, age, disability, veteran status, marital status, or any other protected characteristic. Our hiring practices ensure that all qualified applicants receive fair consideration without regard to these characteristics.
PEAK6 is committed to creating an inclusive and accessible workplace for all candidates, including those with disabilities. We are dedicated to ensuring equal employment opportunities and providing reasonable accommodations to qualified individuals with disabilities. If you require reasonable accommodations to participate in the application or interview process, please contact our HR department at [email protected]. We will work with you to provide the necessary accommodations to ensure your full participation in our hiring process.
#PEAK6