PitchMeAI
SoFi

Staff IAM Engineer

SoFi · Frisco, TX

  • On site
  • Full-time
  • $150,000 / year
  • Frisco, TX

Job highlights

  • Manage non-human identities across infrastructure.
  • Design secure authentication and secrets management.
  • Automate credential rotation and provisioning.
  • Enforce least privilege and zero-trust principles.
  • Support compliance and security audits.

About the role

Staff IAM Engineer

Shape a brighter financial future with SoFi. We are a next-generation financial services company and national bank using innovative, mobile-first technology to help our millions of members reach their goals. Join us to invest in yourself, your career, and the financial world.

The Role

The Staff IAM Engineer is responsible for securing and managing all non-human identities including service accounts, application identities, machine credentials, APIs, bots, and workloads across on-prem, cloud, and crypto infrastructure. This role ensures that automated and machine-based identities follow the same governance, lifecycle, and least-privilege principles as human users. You will design systems that enable secure authentication, secrets management, and access provisioning for automated services, APIs, and DevOps pipelines. This role directly protects sensitive financial data, crypto custody environments, and transaction systems from privilege misuse, credential leakage, and insider or supply chain threats.

What You’ll Do

Identity Architecture & Engineering
  • Design, implement, and maintain a Non-Human Identity (NHI) framework governing all service accounts, API tokens, certificates, and machine credentials.
  • Implement centralized secrets management using tools such as HashiCorp Vault or AWS Secrets Manager.
  • Build integrations with CI/CD pipelines and cloud services (AWS, GCP, Azure) to enforce automated credential rotation and JIT provisioning.
  • Define and implement tagging, ownership, and classification models for non-human identities.
  • Develop scalable onboarding processes for applications, workloads, and bots that require secure authentication.
Lifecycle Management & Governance
  • Develop automated workflows for creation, rotation, deactivation, and certification of service accounts and API keys.
  • Partner with developers and DevOps to transition hard-coded credentials to secure vaults.
  • Establish policies for key rotation frequency, credential expiration, and certificate renewal.
  • Integrate NHI lifecycle into IAM governance tools (Okta).
  • Support quarterly access reviews and certification campaigns for non-human identities.
Automation & Integration
  • Build automation using APIs, Python, PowerShell, or Terraform to manage credentials and monitor access.
  • Integrate non-human identity telemetry into SIEM/SOAR platforms for anomaly detection.
  • Implement visibility dashboards to track total NHI inventory, owners, last use, and compliance status.
  • Deploy Just-in-Time (JIT) credential provisioning for ephemeral workloads and containers (Kubernetes, Lambda, ECS, etc.).
Security & Risk Management
  • Enforce least privilege and zero-trust principles for machine access.
  • Monitor for unused or excessive service accounts and remediate over-permissioned credentials.
  • Support incident response teams with forensics on compromised API keys or tokens.
  • Define detection logic for credential misuse or non-standard access patterns.
  • Partner with Application Security to integrate secure NHI handling into SDLC.
Compliance & Audit
  • Maintain audit trails for credential issuance, usage, and rotation events.
  • Produce compliance reports for SOX, SOC 2, PCI DSS, FFIEC, and crypto-custody audits.
  • Collaborate with internal audit and compliance teams to validate NHI control effectiveness.
  • Document architecture, data flows, SOPs, and exception processes for NHI management.
Innovation & Continuous Improvement
  • Evaluate emerging NHI management solutions (e.g., SPIFFE/SPIRE, workload identity federation, cloud-native secrets stores).
  • Lead proof-of-concepts to modernize credentialless or short-lived identity methods.
  • Advocate for security automation and the reduction of static credentials across the enterprise.

What You’ll Need

Education & Experience
  • Bachelor’s degree in Computer Science, Cybersecurity, or related discipline.
  • 3–6 years of experience in IAM, DevSecOps, or Security Engineering roles.
  • Hands-on experience with non-human identity or secrets management tools.
  • Familiarity with cloud IAM concepts (AWS IAM Roles, Azure Managed Identities, GCP Service Accounts).
  • Experience integrating IAM or secrets systems with CI/CD pipelines and DevOps tools.
Technical Skills
  • Proficiency in automation and scripting (Python, PowerShell, or Bash).
  • Strong understanding of authentication standards (OIDC, OAuth 2.0, SAML, JWT).
  • Knowledge of API security, key rotation policies, and service-to-service authentication.
  • Familiarity with container and workload identities (Kubernetes, ECS, Lambda).
  • Understanding of Zero Trust, machine identity, and certificate lifecycle management.
Preferred Certifications
  • HashiCorp Certified Vault Associate
  • AWS Certified Security – Specialty
  • Okta Certified Professional or Administrator
  • (ISC)² Certified Identity and Access Manager (CIAM) or CISSP

Key skills/competency

  • IAM
  • Non-Human Identity Management
  • Secrets Management
  • DevSecOps
  • Cloud IAM
  • Automation
  • Python
  • Zero Trust
  • CI/CD Integration
  • API Security

Skills & topics

  • IAM Engineer
  • Identity and Access Management
  • Non-Human Identity
  • Secrets Management
  • DevSecOps
  • Cybersecurity Engineer
  • Cloud Security
  • Automation
  • Python
  • Zero Trust

How to get hired

  • Tailor your resume: Highlight IAM, secrets management, and automation experience.
  • Showcase technical skills: Emphasize Python, PowerShell, and cloud IAM knowledge.
  • Certifications matter: Mention relevant certifications like HashiCorp Vault or AWS Security.
  • Prepare for technical interviews: Be ready to discuss identity architecture and security principles.
  • Understand SoFi's mission: Align your experience with their financial technology goals.

Technical preparation

Master Python for IAM automation scripts.,Practice OIDC, OAuth, SAML, JWT implementation.,Configure HashiCorp Vault or AWS Secrets Manager.,Learn Kubernetes and container identity management.

Behavioral questions

Describe a complex IAM challenge you solved.,How do you enforce least privilege principles?,Share an experience with automating security processes.,How do you handle security incidents with credentials?

Frequently asked questions

What is the primary focus of the Staff IAM Engineer role at SoFi?
The Staff IAM Engineer at SoFi focuses on securing and managing all non-human identities, including service accounts, API tokens, and machine credentials, across on-prem, cloud, and crypto infrastructure. This involves designing systems for secure authentication, secrets management, and access provisioning for automated services and DevOps pipelines.
What specific tools and technologies are used for secrets management at SoFi for this role?
While the job description mentions integrating with CI/CD pipelines and cloud services (AWS, GCP, Azure), it specifically calls out the use of tools like HashiCorp Vault or AWS Secrets Manager for centralized secrets management.
What kind of experience is required for the Staff IAM Engineer position at SoFi?
A Bachelor's degree in Computer Science, Cybersecurity, or a related field is required, along with 3-6 years of experience in IAM, DevSecOps, or Security Engineering. Hands-on experience with non-human identity or secrets management tools and familiarity with cloud IAM concepts are essential.
Does SoFi offer remote work options for the Staff IAM Engineer role?
The job description indicates that due to insurance coverage issues, SoFi is unable to accommodate remote work from Hawaii or Alaska at this time. Other remote work arrangements are not explicitly detailed but given the on-prem, cloud, and crypto infrastructure mentioned, a hybrid or on-site presence might be expected.
What are the key technical skills for a Staff IAM Engineer at SoFi?
Key technical skills include proficiency in automation and scripting (Python, PowerShell, or Bash), a strong understanding of authentication standards (OIDC, OAuth 2.0, SAML, JWT), knowledge of API security, key rotation policies, and service-to-service authentication. Familiarity with container and workload identities, Zero Trust, and certificate lifecycle management are also important.
How does SoFi ensure compliance and audit readiness for IAM controls?
SoFi maintains audit trails for credential issuance, usage, and rotation events. The IAM team produces compliance reports for SOX, SOC 2, PCI DSS, FFIEC, and crypto-custody audits, and collaborates with internal audit and compliance teams to validate control effectiveness. Documentation of architecture, data flows, SOPs, and exception processes is also crucial.
What does 'non-human identity' mean in the context of this role?
Non-human identity refers to any identity that is not a person. This includes service accounts, application identities, machine credentials, APIs, bots, and workloads that require authentication and authorization to access systems and data.