IAM Engineer
Identity lifecycle, SSO, federation, conditional access: the unsung gate.
Quietly one of the best-paid and least-glamorous seats in security. Take it if you can stomach the work; the ceiling is unusually high.
- You're patient with directory plumbing and authentication flows
- You like problems where the answer is correct or it isn't
- You can hold an identity model across cloud, SaaS and on-prem in one head
- You're happy being the team that other teams complain about until they need you
- You can't bear long change-control cycles
- You want public credit; IAM is mostly invisible when it works
- You don't enjoy reading specs; half the job is RFCs and vendor docs
- Your access reviews actually catch things
- Engineering teams stop asking for break-glass admin
- You can design a joiner-mover-leaver flow that survives reorgs
- Auditors stop asking you the same questions year on year
IAM teams in the UK are often understaffed and chronically underfunded until something goes wrong. You'll inherit ten years of legacy entitlements, three identity stores nobody documented, and a leadership team who'll only fund the work after the breach. If you can survive the first eighteen months without being ground down, the compounding effect on your career is extraordinary. If you can't, this is one of the fastest paths to burnout in security.
Tradeoffs at a glance
Ratings are directional, not absolute.
Promotion ceiling
High. IAM architect is consistently in demand.
- +Sysadmin (AD-heavy)
- +Cloud Engineer
- +Security Engineer
- −That it's 'just provisioning'; identity is the new perimeter.
Where this leads
- Cloud Security
- Zero Trust Architect
- PKI Engineer
Certifications people pair with this
Listed because the graph connects them to this role, not because you need all of them. Most practitioners pick one or two.
Tech you'll see
- Active Directory
Pathways that pass through here
- Identity Security (IAM, PAM, SSO)
Engineer the identity layer. Entra ID, Okta, CyberArk, PAM, SSO, MFA, Zero Trust. Operational, technical, in demand.
- Enterprise IT. Windows / AD / M365
The Microsoft-shop spine. A durable, hireable lane and a direct on-ramp to security, cloud and IAM.
- Platform / DevOps Engineer → SRE
Build the systems other engineers depend on. Requires coding fluency. Rarely entry-level.
Where this fits
Roles connect to pathways, certs and other roles. Use one to test the next.
- Enterprise IT. Windows / AD / M365
The Microsoft-shop spine. A durable, hireable lane and a direct on-ramp to security, cloud and IAM.
- Identity Security (IAM, PAM, SSO)
Engineer the identity layer. Entra ID, Okta, CyberArk, PAM, SSO, MFA, Zero Trust. Operational, technical, in demand.
- GRC (Audit, Risk, Compliance)
Governance, risk and compliance. Policy, audit, evidence, frameworks. Biased toward CISA / CRISC / CISM, NOT toward OSCP.
The serious next step
You've read about the role. The harder question is whether it's the right one for you.
A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.
Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. Framework is human-authored; the verdict applies it to your inputs.