Senior Software Engineer 2, IAM

At Drata, we’re not just building software - we’re building a mindset. Everything we do springs from:

Drata's Identity & Access Management team owns the identity, authentication, and access control infrastructure that every customer uses to access the platform — and that every internal platform service relies on for trust boundaries.

• →

  Design and operate Drata's authentication surface: SSO integrations (SAML, OIDC), session and token handling, MFA, and flexible enterprise identity configurations.

• →

  Contribute to Drata's authorization architecture — collaborating on direction, owning meaningful pieces of execution, and bringing your perspective on the tradeoffs (RBAC vs. ABAC vs. etc., policy engines, audit and observability of access decisions).

• →

  Build and harden SCIM provisioning at enterprise scale: group sync, role mapping, deactivation, conflict resolution, and the long tail of IdP-specific behavior.

• →

  Build and operate identity sync workflows — full and delta syncs across major identity providers — with the observability, retry semantics, and parity guarantees enterprise sync demands.

• →

  Build authentication and authorization for AI features and agentic flows: scoped credentials for AI agents, human-in-the-loop approval workflows, and the audit trail needed to defend AI-driven actions in a compliance product.

• →

  Provide the auth primitives other platform services depend on, and represent IAM in cross-team architecture discussions.

• →

  Threat-model identity surfaces, partner with security on hardening, and own the response when identity is implicated in an incident.

• 7+ years building production software, with meaningful time spent on authentication, authorization, or identity infrastructure.

• 3+ years experience in a NodeJS / TypeScript codebase with a deep understanding of Typescript.

• Working knowledge of the identity protocols this team operates against: OAuth 2.0 / OIDC, SAML 2.0, SCIM 2.0. You don't need to have shipped all three — fluent enough to design against them.

• Experience designing or operating access control systems — at minimum RBAC, ideally with exposure to attribute-based or relationship-based authorization.

• Working knowledge of surfacing observability & security information from complex systems.

• Experience designing and collaborating on API design and architecture

• Strong fundamentals in session management, token lifecycle, MFA, and the security tradeoffs that come with each.

• Production experience operating on a major cloud (AWS preferred; we use it heavily).

• Security-first instinct: you think about misuse before you ship, and you can defend a design decision against a threat model.

• Comfortable in collaborative architecture work — contributing to designs you don't fully own while owning execution on the pieces you do.

• Experience integrating with or building on top of identity platforms: Okta, Microsoft Entra ID, Auth0, Ping, WorkOS.

• Experience with authorization engines (OpenFGA, Cedar, OPA) or with designing a custom policy model.

• Experience operating SCIM, SSO, or identity sync at enterprise scale (multi-IdP, multi-domain customers).

• Familiarity with durable workflow engines (e.g., Temporal).

• Experience with HRIS API integrations

• Compliance context: SOC 2, ISO 27001, NIST, FedRAMP — Drata is a compliance product, so a working understanding helps.

• Experience building auth for AI agents, MCP servers, or other emerging agentic-system contexts — scoped credentials, delegation, HITL approvals.

• Bug bounty, appsec, or red-team experience on identity surfaces.

How we support you:
At Drata, our people are our strongest advantage—and we prove it with support that exceeds industry standards. Our total rewards package is designed to power your well-being, accelerate your growth, and keep your work-life balance thriving.

Explore how we invest in your Life at Drata.

• Shared Success: We provide stock equity to ensure that as the company grows, you share directly in that success. Equity gives every employee a sense of ownership and the opportunity to celebrate our wins together—because your contributions don’t just support our progress; they help drive our collective success.

• Health & Wellness: Up to 100% employer-paid premiums for medical, dental, and vision coverage for employees and their dependents, along with comprehensive wellness benefits and healthcare concierge services designed to support your needs beyond traditional insurance.

• Financial Well-being: A comprehensive suite of financial benefits, including a 401(k) plan, company-paid life and disability insurance, tax-advantaged spending accounts, and a range of discounted voluntary offerings to help you customize and strengthen your overall financial position.

• Family Support: We want to support you in life's most important moments, so we offer a paid Parental Leave policy, after six months of employment. Employees also receive access to Kindbody fertility and family-building benefits and dedicated leave specialists who help guide you through the entire process.

• Growth & Development: Generous annual stipends for both professional and personal development, empowering you to invest in your continued growth. You’ll also have access to a wide range of internal learning opportunities, ensuring you can build new skills, deepen your expertise, and advance your career with confidence.

• Time Off & Flexibility: We believe that to do your best work, you should get the time you need for rest, rejuvenation and recovery. Drata offers a flexible vacation policy, paid holidays, and other perks to recharge.

This role will receive a competitive base salary, benefits, and stock, typically in the form of Restricted Stock Units (RSUs). The applicable salary range for this role is: $174,500 - $236,100.

A variety of factors are considered when determining someone’s leveling and compensation–including a candidate’s professional background and experience. These ranges may be modified in the future and final offer amounts may vary from the amounts listed above.