Staff Systems Administrator

POSITION SUMMARY

Join EarnIn's IT team to own enterprise identity architecture end-to-end and lead AI-enabled automation that replaces manual workflows with scalable, auditable systems. The base salary range for this full-time position is $221,900 - $271,200, plus equity and benefits. Our salary ranges are determined by role, level, and location. This is a hybrid position in Mountain View (Headquarters) and will require in-office work 2 days a week.

WHAT YOU'LL DO

• Design and evolve EarnIn's enterprise identity model with Workday as the authoritative HRIS source and Okta as the central control plane. Drive zero-touch joiner/mover/leaver provisioning and own the program's First-Pass Automation Yield (FPAY) metric.
• Architect privileged access management at scale: just-in-time elevation, time-bound exceptions, managed-device enforcement, and policy-driven entitlement reviews. Build and maintain the IAM Roles Catalog with expiring exceptions and clear ownership for every entitlement.
• Lead federation strategy across AWS, Databricks, and the SaaS estate. Standardize entitlements via Identity-as-Code (Terraform) so every change is reviewable, diffable, and reversible.
• Design a Continuous Access Evaluation pipeline -- manual-grant detection, quarterly evidence packaging, tamper-resistant sealing -- so audit readiness is a standing capability rather than a quarterly scramble.
• Lead the design and rollout of agentic AI workflows that replace ticket-driven, human-in-the-loop IT processes: access intake, approvals routing, ownership reconciliation, helpdesk triage, and drift remediation.
• Build reusable AI patterns, guardrails, and components (eval harnesses, tool-use scaffolds, prompt and policy libraries) that other EarnIn teams can adopt to AI-enable their own workflows. Partner with team leads across the company to turn working automations into a repeatable practice.
• Set architectural direction for the IT team: tool selection, identity protocols (SAML, OAuth2, OIDC, SCIM), automation patterns, observability, and build-vs-buy decisions. Mentor IT engineers through code review, ADRs, runbooks, and design docs.

WHAT WE'RE LOOKING FOR

• Bachelor's degree (or higher) in Computer Science, Information Systems, or a related technical field
• 7+ years in IT Engineering or Identity & Access roles, including experience setting technical direction for a program and being accountable for the outcome.
• Demonstrated experience architecting and implementing an enterprise IAM program end-to-end -- design, rollout, and operational steady-state -- at meaningful scale, not solely operating a vendor product.
• Significant hands-on expertise in Okta (Workflows, Identity Governance, sign-on policies, group rules) and at least one HRIS-driven lifecycle integration (Workday preferred). Fluency in SAML, OAuth2, OIDC, SCIM, federation, JIT provisioning, and PAM patterns.
• Experience codifying identity infrastructure (Terraform, GitOps, or equivalent) and shipping changes through code review rather than admin consoles. Proficient in Python.
• Track record of systematically replacing manual processes with automation as the explicit operating model of the team -- not as a side project.
• Demonstrated experience designing, shipping, or championing AI-enabled workflows in a production environment (LLM-backed agents, retrieval-augmented assistants, or agentic automation replacing human-in-the-loop steps). Uses AI-assisted development tools (e.g., Copilot, Cursor, Claude Code) to accelerate own work.
• Clear written and verbal communication: able to lead an architecture review, write a decision doc, and explain why a control matters to both a developer and a CFO.
• Experience in a fintech or regulated environment (SOC 2, PCI) with audit-grade evidence pipelines is a plus
• Hands-on work with Databricks federation or AWS IAM Identity Center is a plus
• Certifications such as Okta Certified Consultant/Administrator or CISSP are a plus

#LI-Hybrid