Senior Security Engineer (Cloud Identity)

Marqeta
about 20 hours ago
Toronto, Canada
Senior Level
Full-Time

Top Benefits

Health, dental, vision, and pet insurance
Unlimited time off, ~5 weeks per year
12 weeks paid family leave, 20 for birthing

About the role

  • We’re seeking an experienced Senior Security Engineer with a strong passion for Identity and Access Management (IAM) and proven expertise in cloud-native environments, particularly AWS
  • In this role, you’ll help shape and implement modern identity strategies to secure access across all of Marqeta’s systems and services—100% cloud-based, with no data center footprint
  • Building and evolving our Identity Governance and Administration (IGA) capabilities
  • Implementing & Operating Privileged Access Management (PAM) in a cloud-first (AWS-focused) environment
  • Designing and architecting a Certificate Lifecycle Management solution that supports cloud-native workloads
  • Driving integration of IAM across AWS services, SaaS platforms, and developer/DevOps pipelines
  • Designing identity and access controls to protect AI/ML systems—ensuring secure access to training data, models, and inference APIs
  • Develop and lead implementation of robust IAM strategies aligned with cloud-native architecture and security principles
  • Expand and operationalize the IAM program across IGA, PAM, SSO, MFA, access management, secrets management, and certificate lifecycle
  • Automate identity provisioning, de-provisioning, and access reviews using AI tools and infrastructure-as-code
  • Design IAM integrations for AWS-native services (Lambda, EC2, S3, IAM, etc.), SaaS platforms, and third-party identity tools (e.g., Okta, CyberArk)
  • Promote and enforce least privilege and zero-trust principles through scalable access controls and policy automation
  • Mentor junior engineers and serve as a technical lead for IAM-related projects
  • Collaborate with Security, DevOps, and Infrastructure teams to embed IAM controls across the engineering lifecycle
  • Stay ahead of emerging trends and continuously refine IAM strategy based on evolving cloud threats and compliance requirements

Benefits

  • Praise: We believe in generously recognizing each other’s talents and contributions, and sharing the goodness we see
  • Health and wellness: We cover your premiums for health, dental, and vision. Plus, your pet gets his/her/its own insurance, on us
  • Flexible time off: We take time to relax and recharge when needed. We have unlimited time off for most employees and encourage an average of 5 weeks per year
  • Marqeta paid family leave: We support all families. We offer 12 weeks of paid leave for all new parents and up to 20 for birthing parents. We also offer 4 weeks of caregiving leave
  • 401k match: We invest in your future. We’ll match 50% of your contribution and up to 6% of your salary
  • Meaningful equity: As owners of the company, we’re all in this together. Full-time employees will receive equity in Marqeta
  • Giving back: We recognize we’re part of a larger community and encourage employees to donate their time and expertise to organizations they support
  • Monthly stipend: You’ll get an additional monthly stipend on your paycheck to help fund your daily commute, cell phone, and/or internet connectivity
  • Stock discount: The Employee Stock Purchase Program allows employees to buy discounted company stock

  • Solid understanding of compliance standards: NIST, SOC 2, PCI DSS, etc
  • Strong grasp of directory services like Active Directory, LDAP, and cloud-based alternatives
  • Excellent communication skills and ability to influence and lead cross-functional teams
  • A minimum of 8 years related experience with a Bachelor’s degree; or 5 years and a Master’s degree; or a PhD with 3 years’ experience; or equivalent combination of related education and work experience
  • Familiarity with authentication and authorization protocols (SAML, OAuth2, OpenID Connect, Kerberos)
  • Strong experience with IAM tools (e.g., Okta, CyberArk, Ping, SailPoint)
  • Proven experience integrating IAM into CI/CD pipelines, secrets management, and DevOps workflows
  • Hands-on skills in scripting (e.g., Python, PowerShell) to automate IAM operations
  • Proficiency in infrastructure-as-code (e.g., Terraform, CloudFormation)
  • Deep knowledge of IAM in cloud-native environments, especially AWS IAM, roles, policies, permissions boundaries, and federation
  • Relevant certifications such as CISSP, CISM, or IAM-specific credentials (e.g., CIAM/CAMS, CyberArk Certified, Okta Certified Consultant)
  • Experience with AWS technologies such as Lambda, S3, DynamoDB, RDS, Aurora, SNS, SQS, CloudTrail, CloudWatch, CodePipeline, AWS Developer Tools, and IAM roles and permissions
  • Experience with DevOps tools and practices, including secrets management and CI/CD pipelines

About Marqeta

Financial Services