Principal Cloud IAM Engineer

Posted 15 Days Ago
Reston, VA, USA
In-Office
167K-300K Annually
Expert/Leader
Cloud • Fintech • HR Tech
The Role
The Principal Cloud IAM Engineer will lead the strategy and design for Workday's IAM program, ensuring security in a complex multi-account AWS environment and mentoring less experienced engineers.
Summary Generated by Built In

Your work days are brighter here.

We’re obsessed with making hard work pay off, for our people, our customers, and the world around us. As a Fortune 500 company and a leading AI platform for managing people, money, and agents, we’re shaping the future of work so teams can reach their potential and focus on what matters most. The minute you join, you’ll feel it. Not just in the products we build, but in how we show up for each other. Our culture is rooted in integrity, empathy, and shared enthusiasm. We’re in this together, tackling big challenges with bold ideas and genuine care. We look for curious minds and courageous collaborators who bring sun-drenched optimism and drive. Whether you're building smarter solutions, supporting customers, or creating a space where everyone belongs, you’ll do meaningful work with Workmates who’ve got your back. In return, we’ll give you the trust to take risks, the tools to grow, the skills to develop and the support of a company invested in you for the long haul. So, if you want to inspire a brighter work day for everyone, including yourself, you’ve found a match in Workday, and we hope to be a match for you too.

About the Team

Workday's Cybersecurity & Trust organization exists to inspire confidence and trust in Workday. We safeguard the personal information of 60+ million people and the financial information of some of the largest companies in the world. Cybersecurity is woven into the fabric of Workday and is core to everything we do. We nurture a security-first mentality and believe that moving with speed and velocity is enabled by building security into the foundation. Build the future of Cybersecurity at Workday by applying innovative technology to a customer-centric platform!
The Workday Enterprise Security team safeguards Workday's vital data, infrastructure, and applications through authority, technical solutions, and risk mitigation across all enterprise systems, concentrating on security architecture, engineering, and infrastructure. We select, engineer, and lead a robust suite of technical controls to actively prevent, detect, and respond to threats. Ultimately, Enterprise Security acts as the central line of defense, proactively leading security posture, ensuring operational resilience, and maintaining customer trust in Workday's dedication to security excellence.
Within Enterprise Security, the Enterprise Identity team is where identity meets impact. We own and evolve the Identity and Access Management systems that serve as Workday's first and most critical line of defense governing who gets access, to what, and why. From zero-trust architecture and privileged access governance to identity lifecycle automation and federation at scale, we operate across one of the most complex enterprise environments in cloud software. As a Principal IAM Engineer here, you'll architect bold solutions, challenge assumptions, and drive decisions that protect Workday at its core. If you're energized by hard problems at the intersection of identity, security, and engineering excellence, this is where you belong.

About the Role

Workday's identity surface is large, distributed, and growing, spanning multi-account AWS environments, enterprise SaaS, a global workforce, and an expanding set of AI-driven workloads. Identity is no longer a support function; it's a core security boundary and an enabler of how we build and ship products.

We're looking for a Principal Identity and Access Management Architect to own the strategy, design, and long-term direction of our IAM program. This is not an operational role. You'll set the patterns other engineers build against, make the architectural calls that shape how we scale, and work directly with engineering, security, and Risk leadership to drive alignment across the organization.

The scope spans human and non-human identity, cloud authorization, federation, secrets management, and the emerging challenge of securing AI agents in production — where the patterns don't fully exist yet and you'll be helping to define them.

This role sits at the intersection of deep technical ownership and cross-functional influence. You'll be expected to lead without always having direct authority, mentor engineers who are earlier in their IAM journey, and bring a risk-informed perspective that translates threat exposure into pragmatic architectural decisions — not checkbox compliance.

If you're the kind of engineer who gets ahead of problems before they scale, builds with the next three years in mind, and can hold a technical vision across a complex enterprise environment — this is the role.

About You

Basic Qualifications
  • 10+ years of experience in cloud security or IAM, with at least 3 years in a senior or architect-level role with clear ownership of strategy and technical direction.
  • Proven AWS IAM foundations: SCPs, IAM Identity Center, ABAC, multi-account Organizations architecture, and secrets management at scale via AWS Secrets Manager or equivalent vault solutions. GCP familiarity is advantageous but not required.
  • Demonstrated Okta experience at enterprise scale: SSO, adaptive MFA, SCIM provisioning, lifecycle management, and AWS environment integration.
  • Deep familiarity with federation protocols (SAML, OIDC, and OAuth2), applied and debugged across complex, heterogeneous environments.
  • Infrastructure-as-code fluency with Terraform, and a clear understanding of how identity controls integrate into and are enforced through CI/CD pipelines.
  • Hands-on engagement with AI and agentic identity is required. This means working knowledge of NHI lifecycle management, service-to-service trust models, and least-privilege design for workloads that assume IAM roles, call external APIs, and chain actions across services. Familiarity with AI security tooling, such as identity-aware proxies, agent observability platforms, or LLM access governance, is a strong differentiator. You don't need to have solved this at scale; you do need to be actively working in this space.
  • Zero Trust applied in practice: identity-aware perimeters, conditional access policies, and workload-level controls implemented in production environments.
  • Proven ability to drive technical alignment across engineering, security, and business stakeholders without relying on positional authority. Comfortable mentoring and leveling up less senior engineers; takes the time to transfer context, not just deliver outcomes.
Other Qualifications
  • A risk mitigation mindset: you understand threat exposure well enough to make pragmatic architectural trade-offs, engage credibly with Risk and GRC teams, and push back when a proposed control creates engineering friction without meaningfully reducing risk.
  • Secrets Management experience
  • AWS Certified Security Specialty and a signal of structured cloud depth.


Workday Pay Transparency Statement

The annualized base salary ranges for the primary location and any additional locations are listed below.  Workday pay ranges vary based on work location. As a part of the total compensation package, this role may be eligible for the Workday Bonus Plan or a role-specific commission/bonus, as well as annual refresh stock grants. Recruiters can share more detail during the hiring process. Each candidate’s compensation offer will be based on multiple factors including, but not limited to, geography, experience, skills, job duties, and business need, among other things. For more information regarding Workday’s comprehensive benefits, please click here.

Primary Location: USA.VA.Reston


 

Primary Location Base Pay Range: $184,800 USD - $277,200 USD


 

Additional US Location(s) Base Pay Range: $167,200 USD - $300,000 USD


Our Approach to Flexible Work
 

With Flex Work, we’re combining the best of both worlds: in-person time and remote. Our approach enables our teams to deepen connections, maintain a strong community, and do their best work. We know that flexibility can take shape in many ways, so rather than a number of required days in-office each week, we simply spend at least half (50%) of our time each quarter in the office or in the field with our customers, prospects, and partners (depending on role). This means you'll have the freedom to create a flexible schedule that caters to your business, team, and personal needs, while being intentional to make the most of time spent together. Those in our remote "home office" roles also have the opportunity to come together in our offices for important moments that matter.

Pursuant to applicable Fair Chance law, Workday will consider for employment qualified applicants with arrest and conviction records.

Workday is an Equal Opportunity Employer including individuals with disabilities and protected veterans.


At Workday, we are committed to providing an accessible and inclusive hiring experience where all candidates can fully demonstrate their skills. If you require assistance or an accommodation at any point, please email [email protected].

Are you being referred to one of our roles? If so, ask your connection at Workday about our Employee Referral process!

At Workday, we value our candidates’ privacy and data security.  Workday will never ask candidates to apply to jobs through websites that are not Workday Careers. 

  

Please be aware of sites that may ask for you to input your data in connection with a job posting that appears to be from Workday but is not.

  

In addition, Workday will never ask candidates to pay a recruiting fee, or pay for consulting or coaching services, in order to apply for a job at Workday.

Skills Required

  • 10+ years of experience in cloud security or IAM, with at least 3 years in a senior or architect-level role
  • Proven AWS IAM foundations such as SCPs, IAM Identity Center, ABAC
  • Demonstrated Okta experience at enterprise scale
  • Deep familiarity with federation protocols like SAML, OIDC, OAuth2
  • Infrastructure-as-code fluency with Terraform
  • Hands-on engagement with AI and agentic identity
  • Zero Trust applied in practice
  • Proven ability to drive technical alignment across engineering, security, and business stakeholders
  • Secrets Management experience
  • AWS Certified Security Specialty

Workday Compensation & Benefits Highlights

The following summarizes recurring compensation and benefits themes identified from responses generated by popular LLMs to common candidate questions about Workday and has not been reviewed or approved by Workday.

  • Healthcare Strength: Health coverage is positioned as broad and well-supported, with multiple medical carrier options, virtual care access, and some locations offering onsite clinic/pharmacy services. Mental health support is described as notably strong, including therapy sessions and confidential support availability for household members.
  • Parental & Family Support: Family-related benefits are portrayed as extensive, including paid bonding and caregiver leave alongside fertility, adoption, and surrogacy reimbursement. Added support like parenting resources, milk-shipping/lactation assistance during travel, and backup child/elder care is explicitly outlined.
  • Strong & Reliable Incentives: Equity participation and savings-oriented programs are presented as meaningful components of total rewards, including an ESPP discount with a lookback feature. Additional programs like a student-loan pathway to earn the 401(k) match are included as financial-support enhancements.

The Company
HQ: Pleasanton, CA
14,894 Employees
Year Founded: 2005

What We Do

Workday is a leading provider of enterprise cloud applications for finance, HR, and planning. Founded in 2005, Workday delivers financial management, human capital management, and analytics applications designed for the world’s largest companies, educational institutions, and government agencies. Organizations ranging from medium-sized businesses to Fortune 50 enterprises have selected Workday.
