Job Description
Overview Job Purpose The Lead Systems Engineer joins our Secrets and Vault Engineering team within Identity and Access Management. The team is responsible for the platforms and services that protect secrets, certificates, encryption keys, and machine identity across the enterprise — a foundational layer that nearly every application at ICE depends on. This is a hands-on engineering role with a strong design and architecture component. The ideal candidate has built or operated a HashiCorp Vault platform in production, writes clean automation code in Python and Ansible, and is comfortable working at the intersection of cryptography, identity, and platform engineering. You will help shape how the next generation of our secrets and machine-identity services are built, including emerging areas such as workload identity for AI and agentic workloads, policy-as-code, and proactive non-human identity governance. We are looking for someone who can move fluidly between writing the code, designing the system, and explaining the trade-offs to stakeholders. You should be the kind of engineer who pushes back on a design when there's a better way, and who can mentor others through the why, not just the how. What You'll Gain This role offers direct, hands-on exposure to areas that few enterprise engineering teams are working on in earnest today: Post-quantum cryptography (PQC). You'll be part of the team thinking through how an enterprise cryptography platform evolves to meet PQC readiness, including algorithm migration strategies, key lifecycle implications, and the operational realities of running hybrid classical/post-quantum systems at scale. Agentic and AI workload identity. As AI agents and machine-driven workflows become first-class citizens in the enterprise, the question of how they authenticate, what they're allowed to do, and how that's governed is largely unsolved. You'll help build that foundation from the ground up — workload identity, dynamic credentials, policy enforcement, and proactive anomaly detection for non-human identities. A platform being designed, not just operated. The team is actively shaping its next-generation architecture rather than maintaining a legacy stack. You'll have meaningful influence on design decisions and the chance to shape patterns the rest of the organization will adopt. Responsibilities Design, build, and maintain platform services for secrets management, certificate lifecycle, encryption key management, and policy enforcement. Develop automation and tooling in Python and Ansible to streamline operations, enforce security controls, and reduce manual provisioning effort. Contribute to a self-service model for application teams, including golden-pattern templates, declarative manifests, and approval workflows integrated with enterprise systems such as ServiceNow. Collaborate with cross-functional teams (application, infrastructure, security, compliance) to translate requirements into reliable, well-governed services. Help shape the team's roadmap in emerging areas including workload identity (SPIFFE/SPIRE), policy-as-code, and identity controls for AI and machine-driven workloads. Participate in code reviews, design reviews, and architecture discussions; mentor and coach engineers earlier in their career. Contribute to internal documentation, runbooks, and knowledge-sharing. Participate in a light on-call rotation supporting the team's services. Knowledge And Experience 7+ years of infrastructure, platform, or systems engineering experience. Production experience with HashiCorp Vault — secret engines, authentication methods, policies, and operational concerns. Architect-level depth is not required, but you should have shipped against it and understand how it fits into a broader platform. Strong proficiency in Python and Shell scripting for automation and tooling. Experience with Ansible for configuration management and orchestration. Solid understanding of identity, authentication, and secure communication protocols (TLS, OAuth, OIDC, x.509). Working knowledge of CI/CD tooling (Jenkins, GitHub Actions, GitLab CI, or similar) and Infrastructure-as-Code (Terraform preferred). Experience designing and consuming RESTful APIs. Strong fundamentals in Linux systems. Demonstrated ability to write production-quality code, communicate design trade-offs clearly, and collaborate across teams. Preferred Knowledge And Experience Bachelor's degree in Computer Science, Engineering, or related field. Experience building or contributing to a self-service Vault, secrets, or cryptography platform. Familiarity with SPIFFE/SPIRE or other