The Senior IAM Analyst - Risk & Compliance is responsible for ensuring that Identity and Access Management controls are designed, implemented, and operated in alignment with regulatory, security, and risk management requirements. This role serves as the primary liaison between IAM engineering/operations teams, Information Security operations, internal and external auditors, and application owners
The role focuses on governance, control effectiveness, policy enforcement, metrics, and audit readiness across the IAM ecosystem, including Identity Governance & Administration (IGA), Access Management, Privileged Access Management (PAM), and directory services.
This position requires strong analytical skills, deep understanding of IAM control frameworks, and the ability to translate regulatory and audit requirements into actionable IAM controls and operational processes.
Essential Functions: IAM Risk & Control Management
- Own and maintain IAM-related controls mapped to frameworks such as NIST 800-53, NIST CSF, HIPAA Security Rule, and Mass General Brigham security policies
- Partner with IAM Engineering and Operations teams to ensure controls are properly designed, implemented, and operating effectively
- Identify IAM control gaps, assess risk, and drive remediation plans with clear owners and timelines
- Evaluate IAM processes for alignment with least privilege, separation of duties, and zero trust principles
Metrics, Reporting & Continuous Improvement
- Define and report IAM risk and compliance KPIs, such as:
- Certification completion and exception rates
- Orphaned and dormant account trends
- Privileged access violations
- Access request SLA adherence
- Use data to identify trends, emerging risks, and opportunities for automation or control enhancement
- Contribute to continuous improvement of IAM governance processes and tooling
Audit & Compliance Support
- Act as the primary IAM point of contact for:
- Internal audits
- External audits
- Regulatory inquiries
- Prepare audit evidence, narratives, and walkthroughs for IAM controls including:
- User lifecycle management
- Access requests and approvals
- Access certifications
- Privileged access management
- Authentication and authorization controls
- Track audit findings, manage remediation efforts, and validate closure
Access Governance & Certification Oversight
- Provide risk and compliance oversight for access certification campaigns (manager, application owner, privileged access)
- Define and enforce certification standards, review quality thresholds, and escalation criteria
- Analyze certification results to identify systemic risk, role sprawl, or control weaknesses
Policy, Standards & Procedures
- Develop and maintain IAM-related:
- Policies
- Standards
- Procedures
- Control documentation
- Ensure policies are actionable, enforceable, and aligned with technical implementations
- Support annual policy reviews and exception management processes
Cross-Functional Collaboration
- Collaborate closely with:
- IAM Engineering and Operations
- Information Security Operations and Program Governance
- Privacy and Legal teams
- Internal Audit
- Application and Infrastructure owners
- Serve as a trusted advisor on IAM risk topics to technical and non-technical stakeholders
Education:
- Bachelor's or Associate's Degree preferred
Licenses and Certification:
- Relevant certifications such as CISSP, CISA, CRISC, or IAM platform certifications (e.g., Saviynt, Okta, CyberArk) - Preferred
Work Experience:
- 5+ years of progressively responsible experience in Identity and Access Management, Information Security, or IT Risk & Compliance, preferably in a large, regulated healthcare or academic medical environment
- Demonstrated experience supporting audits, regulatory inquiries, and control remediation efforts related to IAM
Knowledge, Skills, and Abilities:
- Advanced expertise in IAM governance, risk, and compliance, including identity lifecycle controls, access governance, privileged access management, and authentication and authorization models.
- Strong working knowledge of healthcare regulatory and security frameworks, including HIPAA and NIST-based control models, and the ability to map requirements to technical IAM controls.
- Hands-on experience assessing and governing IAM controls within enterprise IAM platforms (e.g., IGA, access management, PAM, directory services).
- Ability to apply risk-based and analytical thinking to identify control gaps, prioritize remediation, and drive measurable improvements.
- Strong written and verbal communication skills, with the ability to clearly articulate IAM risk and compliance concepts to technical teams, auditors, and non-technical stakeholders.
- Proven ability to lead complex initiatives, manage competing priorities, and deliver outcomes in a matrixed enterprise environment.
- Strong judgment and decision-making skills, with demonstrated ability to evaluate trade-offs and recommend solutions that align with MGB's risk tolerance and
M-F Eastern Business Hours required Hybrid onsite Flexible working model required weekly includes onsite in office (number of days weekly can vary, must be flexible for business needs) 1-2 onsite days per week Remote working days require stable, secure, quiet, compliant working station
Mass General Brigham Incorporated is an Equal Opportunity Employer. By embracing diverse skills, perspectives and ideas, we choose to lead. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law. We will ensure that all individuals with a disability are provided a reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment.
|
Mass General Brigham (Enterprise Services)
Jan 14, 2026