**Employee Applicant Privacy Notice**

Who we are:

Shape a brighter financial future with us.

Together with our members, we’re changing the way people think about and interact with personal finance.

We’re a next-generation financial services company and national bank using innovative, mobile-first technology to help our millions of members reach their goals. The industry is going through an unprecedented transformation, and we’re at the forefront. We’re proud to come to work every day knowing that what we do has a direct impact on people’s lives, with our core values guiding us every step of the way. Join us to invest in yourself, your career, and the financial world.

The Role

The Staff IAM Engineer is responsible for securing and managing all non-human identities including service accounts, application identities, machine credentials, APIs, bots, and workloads across on-prem, cloud, and crypto infrastructure. This role ensures that automated and machine-based identities follow the same governance, lifecycle, and least-privilege principles as human users. You will design systems that enable secure authentication, secrets management, and access provisioning for automated services, APIs, and DevOps pipelines. This role directly protects sensitive financial data, crypto custody environments, and transaction systems from privilege misuse, credential leakage, and insider or supply chain threats.

What You’ll Do

Identity Architecture & Engineering

Design, implement, and maintain a Non-Human Identity (NHI) framework governing all service accounts, API tokens, certificates, and machine credentials.
Implement centralized secrets management using tools such as HashiCorp Vault or AWS Secrets Manager,
Build integrations with CI/CD pipelines and cloud services (AWS, GCP, Azure) to enforce automated credential rotation and JIT provisioning.
Define and implement tagging, ownership, and classification models for non-human identities.
Develop scalable onboarding processes for applications, workloads, and bots that require secure authentication.

Lifecycle Management & Governance

Develop automated workflows for creation, rotation, deactivation, and certification of service accounts and API keys.
Partner with developers and DevOps to transition hard-coded credentials to secure vaults.
Establish policies for key rotation frequency, credential expiration, and certificate renewal.
Integrate NHI lifecycle into IAM governance tools (Okta).
Support quarterly access reviews and certification campaigns for non-human identities.

Automation & Integration

Build automation using APIs, Python, PowerShell, or Terraform to manage credentials and monitor access.
Integrate non-human identity telemetry into SIEM/SOAR platforms for anomaly detection.
Implement visibility dashboards to track total NHI inventory, owners, last use, and compliance status.
Deploy Just-in-Time (JIT) credential provisioning for ephemeral workloads and containers (Kubernetes, Lambda, ECS, etc.).

Security & Risk Management

Enforce least privilege and zero-trust principles for machine access.
Monitor for unused or excessive service accounts and remediate over-permissioned credentials.
Support incident response teams with forensics on compromised API keys or tokens.
Define detection logic for credential misuse or non-standard access patterns.
Partner with Application Security to integrate secure NHI handling into SDLC.

Compliance & Audit

Maintain audit trails for credential issuance, usage, and rotation events.
Produce compliance reports for SOX, SOC 2, PCI DSS, FFIEC, and crypto-custody audits.
Collaborate with internal audit and compliance teams to validate NHI control effectiveness.
Document architecture, data flows, SOPs, and exception processes for NHI management.

Innovation & Continuous Improvement

Evaluate emerging NHI management solutions (e.g., SPIFFE/SPIRE, workload identity federation, cloud-native secrets stores).
Lead proof-of-concepts to modernize credentialless or short-lived identity methods.
Advocate for security automation and the reduction of static credentials across the enterprise.

What You’ll Need

Education & Experience

Bachelor’s degree in Computer Science, Cybersecurity, or related discipline.
3–6 years of experience in IAM, DevSecOps, or Security Engineering roles.
Hands-on experience with non-human identity or secrets management tools
Familiarity with cloud IAM concepts (AWS IAM Roles, Azure Managed Identities, GCP Service Accounts).
Experience integrating IAM or secrets systems with CI/CD pipelines and DevOps tools.

Technical Skills

Proficiency in automation and scripting (Python, PowerShell, or Bash).
Strong understanding of authentication standards (OIDC, OAuth 2.0, SAML, JWT).
Knowledge of API security, key rotation policies, and service-to-service authentication.
Familiarity with container and workload identities (Kubernetes, ECS, Lambda).
Understanding of Zero Trust, machine identity, and certificate lifecycle management.

Preferred Certifications

HashiCorp Certified Vault Associate
AWS Certified Security – Specialty
Okta Certified Professional or Administrator
(ISC)² Certified Identity and Access Manager (CIAM) or CISSP

Compensation and Benefits

The base pay range for this role is listed below. Final base pay offer will be determined based on individual factors such as the candidate’s experience, skills, and location.

To view all of our comprehensive and competitive benefits, visit our **Benefits at SoFi **page!

SoFi provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion (including religious dress and grooming practices), sex (including pregnancy, childbirth and related medical conditions, breastfeeding, and conditions related to breastfeeding), gender, gender identity, gender expression, national origin, ancestry, age (40 or over), physical or medical disability, medical condition, marital status, registered domestic partner status, sexual orientation, genetic information, military and/or veteran status, or any other basis prohibited by applicable state or federal law.

The Company hires the best qualified candidate for the job, without regard to protected characteristics.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

New York applicants: Notice of Employee Rights

SoFi is committed to an inclusive culture. As part of this commitment, SoFi offers reasonable accommodations to candidates with physical or mental disabilities. If you need accommodations to participate in the job application or interview process, please let your recruiter know or email accommodations@sofi.com.

Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.

Internal Employees

If you are a current employee, do not apply here - please navigate to our Internal Job Board in Greenhouse to apply to our open roles.

**Employee Applicant Privacy Notice**

Who we are:

Shape a brighter financial future with us.

Together with our members, we’re changing the way people think about and interact with personal finance.

The Role

What You’ll Do

Identity Architecture & Engineering

Design, implement, and maintain a Non-Human Identity (NHI) framework governing all service accounts, API tokens, certificates, and machine credentials.
Implement centralized secrets management using tools such as HashiCorp Vault or AWS Secrets Manager,
Build integrations with CI/CD pipelines and cloud services (AWS, GCP, Azure) to enforce automated credential rotation and JIT provisioning.
Define and implement tagging, ownership, and classification models for non-human identities.
Develop scalable onboarding processes for applications, workloads, and bots that require secure authentication.

Lifecycle Management & Governance

Develop automated workflows for creation, rotation, deactivation, and certification of service accounts and API keys.
Partner with developers and DevOps to transition hard-coded credentials to secure vaults.
Establish policies for key rotation frequency, credential expiration, and certificate renewal.
Integrate NHI lifecycle into IAM governance tools (Okta).
Support quarterly access reviews and certification campaigns for non-human identities.

Automation & Integration

Build automation using APIs, Python, PowerShell, or Terraform to manage credentials and monitor access.
Integrate non-human identity telemetry into SIEM/SOAR platforms for anomaly detection.
Implement visibility dashboards to track total NHI inventory, owners, last use, and compliance status.
Deploy Just-in-Time (JIT) credential provisioning for ephemeral workloads and containers (Kubernetes, Lambda, ECS, etc.).

Security & Risk Management

Enforce least privilege and zero-trust principles for machine access.
Monitor for unused or excessive service accounts and remediate over-permissioned credentials.
Support incident response teams with forensics on compromised API keys or tokens.
Define detection logic for credential misuse or non-standard access patterns.
Partner with Application Security to integrate secure NHI handling into SDLC.

Compliance & Audit

Maintain audit trails for credential issuance, usage, and rotation events.
Produce compliance reports for SOX, SOC 2, PCI DSS, FFIEC, and crypto-custody audits.
Collaborate with internal audit and compliance teams to validate NHI control effectiveness.
Document architecture, data flows, SOPs, and exception processes for NHI management.

Innovation & Continuous Improvement

Evaluate emerging NHI management solutions (e.g., SPIFFE/SPIRE, workload identity federation, cloud-native secrets stores).
Lead proof-of-concepts to modernize credentialless or short-lived identity methods.
Advocate for security automation and the reduction of static credentials across the enterprise.

What You’ll Need

Education & Experience

Bachelor’s degree in Computer Science, Cybersecurity, or related discipline.
3–6 years of experience in IAM, DevSecOps, or Security Engineering roles.
Hands-on experience with non-human identity or secrets management tools
Familiarity with cloud IAM concepts (AWS IAM Roles, Azure Managed Identities, GCP Service Accounts).
Experience integrating IAM or secrets systems with CI/CD pipelines and DevOps tools.

Technical Skills

Proficiency in automation and scripting (Python, PowerShell, or Bash).
Strong understanding of authentication standards (OIDC, OAuth 2.0, SAML, JWT).
Knowledge of API security, key rotation policies, and service-to-service authentication.
Familiarity with container and workload identities (Kubernetes, ECS, Lambda).
Understanding of Zero Trust, machine identity, and certificate lifecycle management.

Preferred Certifications

HashiCorp Certified Vault Associate
AWS Certified Security – Specialty
Okta Certified Professional or Administrator
(ISC)² Certified Identity and Access Manager (CIAM) or CISSP

Compensation and Benefits

The base pay range for this role is listed below. Final base pay offer will be determined based on individual factors such as the candidate’s experience, skills, and location.

To view all of our comprehensive and competitive benefits, visit our **Benefits at SoFi **page!

SoFi provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion (including religious dress and grooming practices), sex (including pregnancy, childbirth and related medical conditions, breastfeeding, and conditions related to breastfeeding), gender, gender identity, gender expression, national origin, ancestry, age (40 or over), physical or medical disability, medical condition, marital status, registered domestic partner status, sexual orientation, genetic information, military and/or veteran status, or any other basis prohibited by applicable state or federal law.

The Company hires the best qualified candidate for the job, without regard to protected characteristics.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

New York applicants: Notice of Employee Rights

SoFi is committed to an inclusive culture. As part of this commitment, SoFi offers reasonable accommodations to candidates with physical or mental disabilities. If you need accommodations to participate in the job application or interview process, please let your recruiter know or email accommodations@sofi.com.

Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.

Internal Employees

If you are a current employee, do not apply here - please navigate to our Internal Job Board in Greenhouse to apply to our open roles.

Staff Iam Engineer

What you'd actually do

Skills

Required

Nice to have

What the JD emphasized

The Role

Lifecycle Management & Governance

Automation & Integration

Security & Risk Management

Compliance & Audit

Innovation & Continuous Improvement

Technical Skills

Preferred Certifications

The Company hires the best qualified candidate for the job, without regard to protected characteristics.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

New York applicants: Notice of Employee Rights

Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.

The Role

Lifecycle Management & Governance

Automation & Integration

Security & Risk Management

Compliance & Audit

Innovation & Continuous Improvement

Technical Skills

Preferred Certifications

The Company hires the best qualified candidate for the job, without regard to protected characteristics.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

New York applicants: Notice of Employee Rights

Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.

What you'd actually do

Skills

Required

Nice to have

What the JD emphasized

The Role

** Lifecycle Management & Governance**

** Automation & Integration**

** Security & Risk Management**

** Compliance & Audit**

** Innovation & Continuous Improvement**

** Technical Skills**

** Preferred Certifications**

The Company hires the best qualified candidate for the job, without regard to protected characteristics.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

New York applicants: Notice of Employee Rights

Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.

The Role

** Lifecycle Management & Governance**

** Automation & Integration**

** Security & Risk Management**

** Compliance & Audit**

** Innovation & Continuous Improvement**

** Technical Skills**

** Preferred Certifications**

The Company hires the best qualified candidate for the job, without regard to protected characteristics.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

New York applicants: Notice of Employee Rights

Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.

Lifecycle Management & Governance

Automation & Integration

Security & Risk Management

Compliance & Audit

Innovation & Continuous Improvement

Technical Skills

Preferred Certifications

Lifecycle Management & Governance

Automation & Integration

Security & Risk Management

Compliance & Audit

Innovation & Continuous Improvement

Technical Skills

Preferred Certifications