Security Architect (Agentic Identity & Access) in England

Our client is a leading global investment management company headquartered in London. It manages over $228 billion in assets and serves institutional investors, pension funds, wealth managers, and other sophisticated clients worldwide. The firm specializes in quantitative investing, alternative investments, systematic trading strategies, and technology-driven asset management. Data science, machine learning, and AI are core components of its investment and research processes.

As part of our collaboration, we will focus on two foundational capabilities required to enable safe and scalable AI adoption across the enterprise: Agentic Security and AI-Ready Data Foundations.

Project overview: We define how autonomous agents authenticate, obtain scoped access, and operate safely across a large, regulated financial estate where the runtime security model genuinely does not exist yet. The value, and the danger, of agentic AI is set by what an agent can reach: an agent that inherits a full user context and long-lived secrets has an effectively unlimited blast radius. Your job is to close that gap.

This is a hands-on senior role for a security architect who still ships code, working at the intersection of enterprise IAM, platform engineering, and the agentic-AI security frontier. You will design and build the IaC-driven, self-service identity patterns, credential flows, and onboarding standards that make the secure way the easy way, across high-velocity teams that have long governed themselves.

Requirements:

• 8+ years in security architecture and/or platform engineering, with a track record of shipping production code. Principal / Staff-level depth, ideally in a high-velocity or quant / financial-services engineering culture.
• Deep, mechanical command of modern identity and authorisation: OIDC / OAuth2 / JWT — token issuance flows, claims design, and delegation / impersonation patterns.
• Hands-on HashiCorp Vault experience, including dynamic / short-lived secrets and the realities of migrating off long-lived tokens without breaking a large application estate at once.
• Keycloak policy modelling, ideally with the Terraform-driven configuration the firm already uses.
• Strong Terraform / IaC fluency — enough to design repeatable, self-service patterns that others adopt, rather than bespoke per-team setups.
• Working knowledge of the Active Directory + Entra legacy reality: nested groups, LDAP-backed role mapping, and the distribution-list-as-permission-group failure mode — able to design around the mess pragmatically.

Nice to have:

• Real exposure to agentic / LLM systems and why they change the threat model — an agent actively probes and exploits standing permissions rather than stumbling onto them.
• Familiarity with MCP as an integration / onboarding standard, and at least one agent harness (Claude Agent SDK preferred).
• Experience with just-in-time, task-scoped delegation versus standing access, and risk-gated credential issuance (e.g. a short-lived token issued against a CrowdStrike-style risk score).
• Behavioural baselining / anomaly detection for workloads — defining “normal” for a recurring workflow and catching deviation at volume.
• SIEM integration and action attribution: distinguishing an agent’s action from the human whose credentials it borrowed.
• Financial-services audit literacy.
• Consulting or client-facing / pre-sales experience.

Responsibilities:

• Design and ship IaC-driven, self-service identity patterns that roll out firm-wide without requiring a full Active Directory cleanup first.
• Define the currently undefined agentic runtime security model: containerised code execution, permission delegation to agents, and MCP-based tool access.
• Lead the transition from long-lived secrets toward ephemeral, time-based, risk-scored credentials, scoped to task duration and issued via JWT / OIDC.
• Layer LLM / software guardrails (policy-as-text plus human review) on top of whatever hard guardrails are feasible across the estate.
• Establish an opinionated onboarding standard (e.g. mandatory MCP interfaces) and win adoption through better defaults and developer experience, not mandate alone.
• Design SIEM integration, behavioural baselining, and anomaly detection for agentic workflows, and centralise siloed audit logs to satisfy both security and regulatory requirements.
• Take bounded beachheads (for example, authenticate users and then delegate scoped access to internal systems) from vague to delivered.

Why this position:

This role sits at the intersection of data engineering, AI, and financial services, solving one of the most important challenges in enterprise AI: enabling agents to securely access and reason over trusted data. You'll have the opportunity to design and build foundational platforms that combine large-scale data systems, governance, and AI technologies in highly regulated environments. It offers significant technical ownership, exposure to cutting-edge AI agent architectures, and the chance to shape how organisations safely unlock value from their data.