IAM/Security Architect (PBAC / ReBAC Architect)

Role: IAM/Security Architect (PBAC / ReBAC Architect)
Location: 100% Remote (EST time)

We are seeking a seasoned architect to lead the transformation from Role-Based Access Control (RBAC) to Policy-Based Access Control (PBAC) and Relationship-Based Access Control (ReBAC) for a large enterprise in the Edutech sector. You will drive the evaluation, design, and implementation of modern authorization frameworks, working directly with business and technology stakeholders to align solutions with regulatory and business objectives.

What You ll Do
Lead the end-to-end strategy and architecture for transitioning from RBAC to PBAC/ReBAC across enterprise applications and data platforms.
Evaluate and recommend policy engines and authorization frameworks including Styra DAS / Enterprise OPA, Axiomatics ALFA, OpenFGA / Zanzibar, AWS Cedar, and Ping Authorize (XACML v3) against current and projected use cases.
Analyze existing authorization models: map access patterns, role hierarchies, permission dependencies, and data platform access control across AWS, Google Cloud Platform, and Azure environments.
Build and present architectural recommendations to senior stakeholders with clear trade-offs, cost implications, migration impact, and compliance alignment.
Lead proof-of-concepts on 1 2 shortlisted solutions to validate feasibility, performance, and integration complexity.
Define the target-state PBAC/ReBAC architecture, integration strategy, and phased migration roadmap.
Guide the offshore engineering lead and supporting team through discovery, POC execution, and documentation.
Facilitate workshops, design reviews, and alignment sessions with client engineering, security, and business teams.
What You Bring
Subject Matter Expert in PBAC and ReBAC with a proven track record of implementing PBAC/ReBAC solutions in enterprise environments.
Hands-on implementation experience with one or more: Styra DAS / Enterprise OPA, Axiomatics ALFA, OpenFGA / Google Cloud Platform Zanzibar, AWS Cedar, Ping Authorize (XACML v3).
Deep expertise in OAuth 2.0, OpenID Connect, SAML, JWT, JWKS, SCIM, FAPI 2.0, and token-based authentication patterns.
Strong understanding of IAM and IGA frameworks: RadiantLogic, ForgeRock IGA, ISVG, Okta IGA, SailPoint ISC, Saviynt EIC.
Experience with cloud-based IAM/IGA platforms and security model integration across hybrid (AWS, Google Cloud Platform, Azure) infrastructures.
Excellent communication skills and a business-savvy mindset able to translate complex technical trade-offs for business stakeholders and secure buy-in.
EduTech domain experience preferred
Preferred
Official certifications for PBAC/IAM SaaS platforms mentioned above (Styra, Axiomatics, Okta, Ping, SailPoint, Saviynt).
Knowledge of regulatory requirements and compliance standards relevant to EduTech services (SOX, GLBA, GDPR, FAPI 2.0).
Experience with data platform access control using PBAC on cloud-native services (Lake Formation, BigQuery, Synapse).