Identity Access Manager (IAM) Engineer

WHO WE ARE
We are PEAK6, a leading investment firm, using technology to find a better way of doing things. The company's first tech-based solution was developed in 1997 to optimize options trading, and over the past two decades, the same formula has been used across a range of industries, asset classes, and business stages to consistently deliver superior results. Today, PEAK6 seeks transformational opportunities to provide capital and strategic support to entrepreneurs and forward-thinking businesses. PEAK6's core brands include PEAK6 Capital Management, PEAK6 Strategic Capital, Apex Fintech Solutions, FOCUS, We Insure, Evil Geniuses, Poker Power, Zogo, and Bruce Markets.
ABOUT THIS ROLE
You'll own the identity layer that everything else depends on. That means making sure the right people have the right access at the right time - and that attackers can't abuse credentials, tokens, or access paths to move through our environment. You'll harden admin accounts, automate the joiner/mover/leaver lifecycle, clean up risky OAuth grants, and build the evidence trails that prove identity controls are working. You will partner closely with our United States and Budapest team to reduce account takeover risk and keep privileged access tight across PEAK6 and its portfolio companies.
What you'll do

• Harden privileged access: deploy and validate phishing-resistant MFA for admin accounts (hardware keys or equivalent), maintain break-glass account procedures and test them on a defined cadence, and enforce least-privilege baselines across cloud and SaaS environments.
• Own OAuth hygiene: audit and clean up risky or overprivileged OAuth grants across Google Workspace and connected SaaS platforms; define and enforce a restriction baseline that blocks high-risk scopes without breaking legitimate workflows.
• Build and operate JML automation: design and implement joiner, mover, and leavernworkflows with evidence trails; drive leaver access revocation to a consistent sub-24- hour SLA and mover access delivery within defined SLAs.
• Apply risk-based access controls: define and implement stronger authentication and higher-scrutiny monitoring for risk cohorts - executives, finance, and IT admins - in partnership with the identity platform owners.
• Maintain continuous IAM visibility: build and sustain reporting that makes access posture visible - stale accounts, standing privilege, risky grants, and JML exceptions - and route findings to owners with Jira-tracked SLAs.
• Partner on identity-adjacent controls: coordinate with the Detection and Response Engineer on identity-based detections (Okta signals, token abuse patterns, dormant-to-privilege jumps) and with the Cloud/Platform team on cloud IAM policy and admin MFA enforcement.
• Document and prove outcomes: maintain runbooks, process documentation, and evidence records that support audit inquiries, access certifications, and executive reporting.

What you'll bring

• Experience: 3 to 5 years in identity and access management, with hands-on depth in Okta (or a comparable identity provider), Google Workspace admin, and
• OAuth/SAML/OIDC.
• Experience designing or operating joiner/mover/leaver workflows, ideally with evidence trails and measurable SLA tracking.
• Comfort auditing grants, scoping restrictions, and distinguishing legitimate from risky delegated access in Google Workspace or Microsoft 365 environments.
• Familiarity with break-glass patterns, MFA enforcement policies, and admin account separation.
• You route findings, exceptions, and lifecycle tasks to tickets naturally and keep them clean.
• Able to write concise runbooks, explain access decisions to non-technical stakeholders, and produce audit-ready evidence without being asked twice.
• You operate with high autonomy, surface blockers early, and don't wait to be handed a playbook.

Certifications (nice to have, not required)
Okta Certified Professional or Administrator; GIAC GISF, GCIH; CompTIA Security+; Google Workspace Administrator; AWS Security Specialty or GCP Professional Cloud Security Engineer where cloud IAM is in scope.
How we'll measure success

• Leaver access is revoked consistently within 24 hours with clean evidence trails.
• Admin accounts have phishing-resistant MFA enforced and break-glass proceduresnare tested and documented.
• Risky OAuth grants are identified, assessed, and resolved on a defined cadence,
• with a visible reduction in high-risk delegated access over time.
• JML workflows deliver and revoke access within SLA with audit-ready records.
• Identity posture is visible and improving: stale accounts, standing privilege, and exceptions are tracked and trending in the right direction.

#LI-P6
OUR REWARDS
We offer a robust package of employee perks and benefits, including healthcare benefits (medical, dental and vision, EAP), competitive PTO, 401k match, parental leave, and HSA contribution match. We also provide our employees with a paid subscription to the Calm app and offer generous external learning and tuition reimbursement benefits. As a hybrid workforce, we offer our employees the ability to work remotely up to two days a week.
PEAK6 is proud to be an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy, sexual orientation, and gender identity), national origin, age, disability, veteran status, marital status, or any other protected characteristic. Our hiring practices ensure that all qualified applicants receive fair consideration without regard to these characteristics.
PEAK6 is committed to creating an inclusive and accessible workplace for all candidates, including those with disabilities. We are dedicated to ensuring equal employment opportunities and providing reasonable accommodations to qualified individuals with disabilities. If you require reasonable accommodations to participate in the application or interview process, please contact our HR department at [email protected]. We will work with you to provide the necessary accommodations to ensure your full participation in our hiring process.
#PEAK6