Key skills
GoAISAMLLDAPSSO
About this role
IBM Software is a leader in AI-powered, cloud-native products that shape the future of business and society. The Senior Engineer - Security, Compliance & Policy Engineering will design and implement a policy engine that enforces safety and compliance across infrastructure and agent operations, ensuring secure and auditable systems.
Responsibilities:
- Build a unified policy enforcement stack spanning authentication, RBAC, transport safety, and per-agent policy envelopes
- Design policy as auditable, declarative configuration (YAML), including safety tiers and resource-level controls
- Implement enterprise-grade identity: OIDC/SAML SSO, RBAC roles, agent identity via certificates and mTLS, and gateway-level ACLs
- Deliver the compliance evidence framework, including PCI-DSS v4.0 control mappings and auditor-ready evidence exports (JSON/CSV/PDF)
- Implement drift detection between declared and observed infrastructure state, with guided remediation and approval workflows
- Harden audit infrastructure with structured, signed, immutable logs using FIPS-aligned cryptography
Requirements:
- Security engineering experience. You've built authentication, authorization, or policy enforcement systems. OIDC, RBAC, certificate-based auth, session management — you've implemented at least some of these in production
- Compliance intuition. You don't need to be a GRC analyst, but you understand how regulatory control requirements (PCI-DSS, SOX, HIPAA, NIST) translate into technical enforcement and evidence collection. You know what auditors need
- Go proficiency. The policy engine, auth layer, and audit system are Go. You can be productive in Go from day one
- You think adversarially. You design for the failure case. You write tests that try to break things. You think about what happens when the policy is misconfigured, the token is expired, or the agent tries something it shouldn't
- IBM Z security architecture (RACF, LDAP, SSH key management on z/OS) and mainframe security models
- Our safety tier enforcement model and how it integrates with the gateway proxy
- Agent policy envelopes — how to bound what AI agents can do within their sessions