Finova

Identity & Access Management Specialist



Finova is the UK’s largest financial services technology provider, supporting one in every five mortgages nationwide. Our agile, cloud-native solutions enable over 60 banks, building societies, specialist lenders, equity release providers and a network of 2,400+ brokers to stay ahead in a competitive market.

Built on open architecture and backed by deep industry expertise, our platform is designed to scale. Each year, we process over £50 billion in loans, manage nearly £50 billion in savings, and support the digital servicing of more than 650,000 UK borrower accounts.

Be part of a team that’s driving innovation, enabling growth and shaping the future of UK lending.

Finova offers a flexible, modular technology suite designed to help lenders move faster, scale efficiently and deliver standout digital experiences.

Financial Institutions use Finova to launch products faster, process applications up to 50% more efficiently and reduce operational costs — all while staying fully compliant in a fast-moving market.

About the Role


We're looking for a seasoned IAM Specialist who can own the design and implementation of identity, access, and entitlements across our multi-cloud SaaS fintech platform. This is a hands-on hybrid role — you'll design access control models in the morning and be configuring Azure AD Conditional Access policies or writing OPA Rego rules in the afternoon.

Our stack spans AWS, Azure, and GCP. Our applications run on .NET / ASP.NET with SQL Server-backed role systems. Our customers expect tenant-isolated access. Our regulators expect least-privilege everywhere and evidence to prove it. And our AI-powered features introduce new questions about what identities — human and machine — should be allowed to access training data, model endpoints, and automated decision pipelines.

You'll work closely with the Senior Cloud & SaaS Architect to translate architectural decisions into working IAM implementations, and with engineering teams to make sure secure access patterns are practical, automated, and don't slow anyone down.

Responsibilities

  • Design and implement the identity architecture across the platform — covering workforce identities (employees, contractors), customer identities (tenant users, admins), and machine identities (services, APIs, AI pipelines).
  • Configure and manage Azure AD (Entra ID) as the primary IdP, including tenant structures, app registrations, Conditional Access policies, and directory synchronization.
  • Implement federation patterns across identity providers — SAML 2.0, OIDC, and WS-Federation — supporting customer-managed IdPs (Okta, Ping, ADFS) for enterprise SSO onboarding.
  • Design and operate SCIM-based provisioning and deprovisioning workflows to automate user lifecycle management across SaaS tenants.
  • Manage identity for multi-cloud environments — mapping Azure AD identities to AWS IAM roles (via SAML/OIDC federation) and GCP Workforce Identity Federation, maintaining a consistent access model across all three CSPs.
  • Implement and operate Privileged Identity Management (PIM) and Privileged Access Management (PAM) solutions — enforcing just-in-time access, time-bound elevation, and approval workflows for sensitive roles.
  • Design and manage Cloud Infrastructure Entitlements Management (CIEM) — continuously monitoring and right-sizing permissions across AWS, Azure, and GCP to eliminate standing privilege and over-entitled identities.
  • Build entitlement review and access certification campaigns — automating periodic reviews so managers and system owners can attest to access appropriateness with minimal friction.
  • Implement break-glass procedures for emergency access with full audit trails, automatic expiry, and post-incident review workflows.
  • Design and implement role-based and attribute-based access control models that span multiple enforcement points: ASP.NET framework-level roles, SQL Server database roles, application middleware, and API gateways.
  • Build and maintain the mapping between business roles, application roles (ASP.NET Identity / Claims), and database-level permissions (SQL Server roles, row-level security) — ensuring consistency and auditability across layers.
  • Implement tenant-scoped RBAC — ensuring that roles, permissions, and claims are always bound to a tenant context, and that cross-tenant privilege escalation is architecturally prevented.
  • Design and write Open Policy Agent (OPA) / Rego policies for fine-grained authorization decisions — centralizing policy logic so that access rules are consistent across services, testable in CI, and auditable.
  • Implement policy-as-code workflows: version-controlled policies, automated testing, staged rollouts, and policy decision logging for compliance evidence.
  • Manage and harden IAM configurations across all three CSPs:
    • AWS: IAM policies, SCPs, Permission Boundaries, IAM Identity Center (SSO), and role assumption chains.
    • Azure: Entra ID roles, Azure RBAC, Managed Identities, Conditional Access, and PIM.
    • GCP: IAM roles, Workload Identity Federation, Service Account management, and Organization Policy Constraints.
  • Implement and enforce least-privilege across cloud environments using automated tooling — permission analyzers, unused access detection, and policy simulation before deployment.
  • Design and manage service account / managed identity strategies — ensuring machine-to-machine authentication uses short-lived credentials, workload identity federation where possible, and no long-lived secrets.
  • Design and implement access controls for DevOps tooling — CI/CD pipelines (Azure DevOps, GitHub Actions), artifact registries, infrastructure-as-code repositories, and deployment environments.
  • Implement pipeline identity patterns — ensuring CI/CD workloads authenticate to cloud resources using federated workload identity (OIDC), not stored service account keys.
  • Manage SQL Server access governance — database role hierarchies, schema-level permissions, row-level security policies, dynamic data masking, and Always Encrypted configurations for sensitive financial data.
  • Design access controls for database DevOps workflows — migration tooling, query access for analytics, and read-replica access — ensuring developers get the access they need without standing production privileges.
  • Implement and monitor database audit logging — tracking privileged queries, schema changes, and data access patterns for compliance and anomaly detection.
  • Design identity and access patterns for AI/ML workloads — ensuring model training jobs, feature pipelines, and serving endpoints authenticate with scoped, short-lived credentials and can only access tenant-appropriate data.
  • Implement access controls for vector databases, feature stores, and model registries — preventing unauthorized access to training data, embeddings, or model artifacts.
  • Define authorization policies for AI-powered features — controlling which tenants, users, and roles can invoke AI endpoints, and ensuring AI service accounts have the minimum permissions needed.
  • Work with the data and AI teams to enforce tenant data boundaries in ML pipelines — ensuring training data isolation, inference-time data scoping, and audit trails for data access by automated systems.
  • Ensure IAM implementations satisfy SOC 2 Type II, PCI-DSS, and other regulatory access control requirements — with automated evidence collection, not manual screenshots.
  • Design and maintain audit logging for all identity events: authentication, authorization decisions, privilege escalation, role changes, and policy modifications.
  • Support penetration testing and red team exercises by providing IAM configuration context and remediating access-related findings.
  • Contribute to threat modeling sessions — bringing deep IAM expertise to assess identity-related attack vectors (credential stuffing, token theft, privilege escalation, lateral movement).
  • Address AI governance access requirements — who can approve model deployments, who can access AI decision logs, and how model access is reviewed.

Requirements

  • 4–6 years in IAM, security engineering, or identity-focused cloud engineering, with hands-on implementation experience across enterprise environments.
  • Strong working knowledge of Azure AD (Entra ID) — app registrations, Conditional Access, PIM, directory sync, and federation configuration.
  • Hands-on experience with at least two of AWS IAM, Azure RBAC, and GCP IAM; working familiarity with all three CSPs.
  • Practical experience implementing RBAC and ABAC models in .NET / ASP.NET applications — including Claims-based identity, ASP.NET Identity framework, and custom authorization middleware.
  • SQL Server access management experience — database roles, row-level security, dynamic data masking, and audit configuration.
  • Experience with federation protocols: SAML 2.0, OIDC, OAuth 2.0, and SCIM provisioning.
  • Hands-on experience with policy-as-code — OPA / Rego, Azure Policy, AWS SCPs, or similar. You can write, test, and deploy authorization policies in a CI/CD workflow.
  • Familiarity with PIM/PAM tooling and cloud entitlements management concepts — just-in-time access, standing privilege reduction, and access certification.
  • Experience with DevOps tooling access patterns — CI/CD pipeline identity, workload identity federation, and secrets management (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault).
  • Understanding of SaaS multi-tenancy and how IAM intersects with tenant isolation — you know why a missing tenant context on an authorization check is a critical vulnerability, not just a bug.
  • Clear communicator who can explain IAM decisions to developers, auditors, and architects without drowning anyone in jargon.
  • Experience in fintech, payments, banking, or insurance environments.
  • Familiarity with CIEM tooling (CloudKnox / Microsoft Entra Permissions Management, Ermetic, CrowdStrike, or similar).
  • Experience designing access controls for AI/ML infrastructure — model training pipelines, feature stores, or LLM-powered application features.
  • Background in identity governance and administration (IGA) platforms — SailPoint, Saviynt, or similar.
  • Relevant certifications: SC-300 (Microsoft Identity and Access Administrator), AWS Security Specialty, AZ-500, CISSP, or CCSP.
  • PowerShell and/or Python scripting for IAM automation, reporting, and access reviews.
  • Experience with Zero Trust architecture implementation beyond just identity — network, device, and workload trust assessment.
  • Contributions to internal IAM tooling, access review automation, or identity platform development.

What We Offer

We value diversity and are committed to creating an inclusive environment for all employees. If you’re passionate about this role but don’t meet all the criteria, please reach out; we’d love to discuss how your skills and experience align with our needs.

Location & Eligibility

Where is the job
Manchester, GB
On-site at the office
Who can apply
Open to applicants worldwide
Listed under
GB

Listing Details

First seen
April 17, 2026
Last seen
May 4, 2026

Posting Health

Days active
17
Repost count
0
Trust Level
27%
Scored at
May 4, 2026

Finova
breezy
Employees
5
Founded
2020