Cloud IAM Architect, VP

Cloud IAM Architect

Discover your opportunity with Mitsubishi UFJ Financial Group (MUFG), one of the world's leading financial groups. Across the globe, we're 150,000 colleagues, striving to make a difference for every client, organization, and community we serve. We stand for our values, building long-term relationships, serving society, and fostering shared and sustainable growth for a better world.

With a vision to be the world's most trusted financial group, it's part of our culture to put people first, listen to new and diverse ideas and collaborate toward greater innovation, speed and agility. This means investing in talent, technologies, and tools that empower you to own your career.

Join MUFG, where being inspired is expected and making a meaningful impact is rewarded.

The selected colleague will work at an MUFG office or client sites four days per week and work remotely one day. A member of our recruitment team will provide more details.

Job Summary:

The Cloud IAM Architect is a senior architecture role responsible for defining authorization and access patterns for cloud platforms, with a primary focus on AWS and multi-account environments. This role ensures cloud platforms conform to global IAM standards while enabling secure, scalable, and auditable access across multiple accounts, environments, and regions.

The Cloud IAM Architect translates global IAM strategy into cloud-native authorization models, preventing identity and permission sprawl while supporting modern delivery models such as DevSecOps, platform engineering, and infrastructure as code. This role focuses on architecture, standards, and reusable patterns, not day-to-day access administration.

Key Responsibilities:

• Cloud Authorization Architecture
• Define and govern AWS IAM Identity Center architecture and permission-set standards.
• Establish global role design patterns (e.g., reader, operator, administrator) aligned to least privilege.
• Drive evolution of authorization models from RBAC toward ABAC / PBAC where appropriate.
• Multi-Account & Multi-Region Access
• Architect secure cross-account access strategies in AWS Organizations and Control Tower environments.
• Ensure permission models respect Service Control Policies (SCPs) and organizational guardrails.
• Design environments-specific access patterns (sandbox, development, staging, production).
• Infrastructure-as-Code & Platform Enablement
• Define Terraform-based IAM patterns for permission sets, role assignments, and policy enforcement.
• Integrate IAM standards into AWS Control Tower and account-vending workflows.
• Partner with platform and DevSecOps teams to embed IAM by design.
• Governance, Metrics & Risk Alignment
• Partners with IAM Governance teams to define and consume cloud IAM metrics, including role reuse, exception volume, and privilege concentration.
• Ensure cloud authorization models are auditable, regulator-defensible, and consistent across regions.
• Provide architectural guidance and review for cloud onboarding initiatives.

This role is:

• A senior cloud authorization architecture role
• Focused on standards, patterns, and scale
• Closely aligned with platform engineering and security architecture
• This role is not:
• A cloud access provisioning or ticket-based role
• A generic IAM or directory services position
• A single-account or single-team solution owner

Skills & Capabilities:

• Required Skills (Must Have)
• Cloud IAM & Authorization
• Deep experience designing AWS IAM authorization models in multi-account environments.
• Strong hands-on architectural knowledge of AWS IAM Identity Center and permission sets.
• Expertise in RBAC design, with working knowledge of ABAC / PBAC concepts.
• AWS Organizations & Governance
• Experience with AWS Organizations, SCPs, and permission boundaries.
• Understanding of Control Tower landing zone governance and inheritance models.
• Infrastructure as Code
• Experience designing IAM solutions using Terraform or equivalent IaC tools.
• Ability to standardize and template IAM controls for repeatable use.
• Architecture & Communication
• Strong ability to define reusable patterns and influence adoption across teams.
• Experience collaborating with cloud engineering, platform, security, and audit stakeholders.

Suggested Skills (Strongly Preferred):

• Experience operating IAM in regulated or highly controlled environments.
• Familiarity with environment-specific role design (dev vs. sandbox vs. prod).
• Experience integrating workforce identity (e.g., Entra ID) with cloud authorization.
• Experience defining or consuming IAM metrics to drive continuous improvement.

Optional Skills (Nice to Have):

• Exposure to multi-cloud IAM concepts beyond AWS.
• Familiarity with DevSecOps or platform engineering operating models.
• Relevant cloud or security certifications (e.g., AWS, security architecture).

What Success Looks Like:

• Consistent, reusable cloud authorization patterns adopted across accounts and regions
• Reduced permission sprawl and fewer manual access exceptions
• Clear auditability of cloud access decisions
• Secure scale without slowing down delivery teams

Why This Role Matters:

• Cloud platforms scale faster than traditional controls. This role ensures cloud access scales securely, consistently, and defensibly, enabling the business while preventing long-term identity and authorization debt.

Education:

•Bachelor's degree in Computer Science or a closely-related discipline, or an equivalent combination of formal education and experience

"Visa sponsorship/support is based on business needs. We do not anticipate providing visa sponsorship/support for this position."

The typical base pay range for this role is between $180k - $220k depending on job-related knowledge, skills, experience, and location. This role may also be eligible for certain discretionary performance-based bonuses and/or incentive compensation. Additionally, our Total Rewards program provides colleagues with a competitive benefits package (in accordance with the eligibility requirements and respective terms of each) that includes comprehensive health and wellness benefits, retirement plans, educational assistance and training programs, income replacement for qualified employees with disabilities, paid maternity and parental bonding leave, paid vacation, sick days, and holidays.

Our hybrid work schedule is four days on-site and work remotely one day per week.

MUFG Benefits Summary

We will consider for employment all qualified applicants, including those with criminal histories, in a manner consistent with the requirements of applicable state and local laws (including (i) the San Francisco Fair Chance Ordinance, (ii) the City of Los Angeles' Fair Chance Initiative for Hiring Ordinance, (iii) the Los Angeles County Fair Chance Ordinance, and (iv) the California Fair Chance Act) to the extent that (a) an applicant is not subject to a statutory disqualification pursuant to Section 3(a)(39) of the Securities and Exchange Act of 1934 or Section 8a(2) or 8a(3) of the Commodity Exchange Act of 1936, and (b) they do not conflict with the background screening requirements of the Financial Industry Regulatory Authority (FINRA) and the National Futures Association (NFA). The major responsibilities listed above are the material job duties of this role for which the Company reasonably believes that criminal history may have a direct, adverse and negative relationship potentially resulting in the withdrawal of conditional offer of employment, if any.The above statements are intended to describe the general nature and level of work being performed. They are not intended to be construed as an exhaustive list of all responsibilities duties and skills required of personnel so classified.We are proud to be an Equal Opportunity Employer and committed to leveraging the diverse backgrounds, perspectives and experience of our workforce to create opportunities for our colleagues and our business. We do not discriminate on the basis of race, color, national origin, religion, gender expression, gender identity, sex, age, ancestry, marital status, protected veteran and military status, disability, medical condition, sexual orientation, genetic information, or any other status of an individual or that individual's associates or relatives that is protected under applicable federal, state, or local law