Manager of Identity & Access Management

NYC or SF · San FranciscoFullTimePosted Jul 14, 2026

Our Mission

Reflection is a research lab making intelligence open and accessible for everyone to use, customize, and build on. We build open models that let anyone control their intelligence and help shape the future of AI. Our mission: make intelligence open and accessible to all.

Role Overview

The Head of Identity and Access Management is responsible for architecting, building, and operating Reflection’s identity infrastructure — the foundational security layer in an environment where the perimeter is entirely identity-based and the threat model includes sophisticated, highly motivated nation-state actors targeting intellectual property, training pipelines, and model weights. This leader will design and operate a bleeding-edge, zero-trust identity architecture that treats identity as software, eliminates static credentials, and protects Reflection’s researchers and massive-scale compute environments without introducing friction.

This is not a traditional enterprise IAM or Active Directory management role. The ideal candidate is a security architect and software engineer in equal measure — capable of mandating hardware-backed phishing-resistant authentication globally, building just-in-time credentialing systems for GPU cluster access, and engineering dynamic, context-aware authorization pipelines that hold up against the most advanced adversary techniques. They bring first-principles cryptographic depth, cloud-native mastery, and the software engineering capability to build custom tooling where commercial solutions fall short.

This is a high-stakes, high-visibility role at the center of Reflection’s security posture. Success requires the ability to build identity infrastructure that is simultaneously state-of-the-art in its security guarantees and genuinely developer-friendly in its design — because at Reflection, security that slows down a researcher is security that has failed.

What You'll Do

Next-Generation IAM Architecture

  • Design and implement a resilient, cloud-native identity architecture leveraging modern IdPs (Okta, OIDC/OAuth 2.0 federations) unified with edge-enforced zero-trust access networks (Cloudflare Access, Tailscale / WireGuard topologies).

  • Architect and continuously evolve the organization’s identity boundary with a first-principles approach — replacing legacy constructs with modern, cryptographically-grounded alternatives at every layer.

  • Own the full identity lifecycle architecture across corporate, production, and research environments, ensuring consistency, auditability, and resilience across all access surfaces.

Phishing-Resistant Zero Trust

  • Mandate and enforce hardware-backed authentication (YubiKeys/WebAuthn) globally across all corporate, production, and research endpoints.

  • Eliminate SMS, TOTP, and legacy MFA bypass vectors — driving the organization to a posture where phishing-resistant authentication is the only path.

  • Design and operate zero-trust access controls that enforce least-privilege dynamically, incorporating device posture, user context, and behavioral signals into access decisions.

Privileged Access Management & Compute Security

  • Build short-lived, just-in-time credentialing systems for engineering and research access to massive GPU clusters across AWS, GCP, and OCI environments.

  • Replace SSH keys and long-lived credentials with ephemeral, short-lived certificate-based access via tools like Teleport or HashiCorp Boundary.

  • Design and enforce privileged access workflows that give researchers and engineers the access they need — instantly, securely, and with full audit trail — without creating persistent attack surface.

Workload & Machine Identity

  • Architect SPIFFE/SPIRE or cloud-native cryptographic identity frameworks for service-to-service communication across the full workload landscape.

  • Ensure machine accounts, training jobs, and CI/CD pipelines use dynamic, short-lived tokens rather than long-lived secrets — eliminating static credential exposure as an attack vector.

  • Maintain and evolve workload identity infrastructure as the compute environment scales, ensuring machine identity remains cryptographically sound and operationally reliable at scale.

Policy as Code & Developer Integration

  • Treat authorization policies as code using Open Policy Agent (OPA)/Rego, Cedar, or equivalent frameworks — with full version control, testing, and deployment pipelines.

  • Integrate policy evaluation directly into developer workflows and infrastructure deployment pipelines, ensuring authorization is enforced at build time as well as runtime.

  • Partner with engineering teams to design access models that make the secure path the path of least resistance — eliminating the developer friction that causes security to be circumvented.

Automation, Lifecycle Management & Detection

  • Build automated provisioning and deprovisioning workflows via SCIM and API-first tooling, ensuring identity lifecycle events are handled with speed, accuracy, and full audit trail.

  • Partner with Detection Engineering to instrument identity telemetry and build detection logic targeting anomalous authentication flows, session hijacking attempts, and nation-state adversary tactics.

  • Continuously improve automation coverage across the identity stack, reducing manual toil and eliminating the human error surface in identity operations.

What We're Looking For

Experience & Background

  • 15+ years of dedicated experience in identity security, security architecture, or infrastructure engineering within high-growth startups, hyperscale cloud environments, or elite security teams.

  • Demonstrated track record of architecting and operating modern, zero-trust identity infrastructure at scale — including hardware-backed authentication, JIT credentialing, and workload identity systems.

  • Hands-on experience securing IAM boundaries across major cloud providers (AWS, GCP) and containerized environments, including Kubernetes identity federation and IAM roles for service accounts.

  • Practical experience building and operating privileged access management systems for large-scale compute environments, including GPU cluster access in cloud or neocloud contexts.

  • Prior experience partnering with detection and response teams to instrument identity telemetry and build adversary-focused detection logic targeting identity-layer attack techniques.

Skills & Capabilities

  • Deep, first-principles understanding of OAuth 2.0, OIDC, SAML, WebAuthn / FIDO2, and PKI — able to reason from cryptographic fundamentals, not just implement vendor tooling.

  • Strong software engineering capability — able to write clean, maintainable code (Go, Python, or Rust) to build custom tooling, API integrations, and automation where commercial solutions fall short.

  • Proficiency in Infrastructure as Code (Terraform, Pulumi) for defining and managing identity constructs programmatically.

  • Clear, working knowledge of advanced adversary techniques targeting identity, including session token theft, OAuth consent abuse, device registration hijacking, and Golden SAML vectors.

  • Demonstrated ability to design identity systems that balance rigorous security guarantees with developer-friendly operational experience — treating usability as a security property, not a trade-off.

Mindset & Approach

  • Developer and researcher obsessed — genuinely believes that security is broken if it impedes a researcher’s ability to train a model, and designs systems where the secure path is also the easiest path.

  • A bleeding-edge pragmatist — keeps current with the latest developments in the identity and security ecosystem, preferring modern open-source and developer-first tooling over legacy enterprise security suites.

  • Resilient and threat-aware — understands that Reflection is a high-value target and constructs identity boundaries with the explicit assumption that individual components will be compromised, designing for resilience rather than relying on perimeter integrity.

  • A builder at heart — energized by the challenge of engineering identity infrastructure from scratch in an environment where the stakes are existential and the technical bar is genuinely high.

  • Mission-aligned — understands the unique identity security responsibilities of a frontier AI company and approaches the work with the depth of expertise and seriousness of purpose it demands.

What We Offer:

We believe that to make intelligence open and accessible to all, you need to start at the foundation. Joining Reflection means building from the ground up as part of a talent-dense team. You will help define our future as a company, and help define the future of open foundational models.

We want you to do the most impactful work of your career with the confidence that you and the people you care about most are supported.

  • Top-tier compensation: Salary and equity structured to recognize and retain our talent globally.

  • Stock options: Everyone who joins and contributes to Reflection's success gets to share in the upside through stock options.

  • Health & wellness: Comprehensive medical, dental, vision, and life, with an annual wellness allowance.

  • Meals: Lunch and dinner are provided in the office daily.

  • Life & family: 22 weeks paid parental leave for all new birthing and non-birthing parents, including adoptive and surrogate journeys.

  • Vacation days: Unlimited paid time off in the U.S. and 30 days in the U.K.

  • Sponsorship support: We sponsor visas to help exceptional talent join our team and support long-term immigration pathways where applicable.

  • Team building: We have regular off-sites, happy hours, and team celebrations.

Export Control Notice: This position may require access to technology or source code subject to the U.S. Export Administration Regulations. Any offer of employment for this role may be conditioned on the Company's ability to provide the candidate with access to such technology or source code in compliance with applicable U.S. export control laws, which may require the Company to seek government authorization.

Want jobs like this matched to you?

Swoopd scores fresh postings against your résumé so you only see the matches that matter.

Get started free