Bachem AG
Identity and Access Engineer (a)
Location: 4416 Bubendorf
Role and Responsibilities
This role focuses on identity governance and platform engineering rather than operational access request handling:
Operate, extend and optimize the One Identity platform by onboarding new applications and entitlements into the governance model.
Design, implement and optimize identity governance workflows, role models and target system integrations within One Identity Manager.
Collaborate with external developers and internal stakeholders to evolve and maintain the One Identity platform.
Improve identity data quality, reconciliation processes and entitlement structures.
Support the design and implementation of Conditional Access policies in Microsoft Entra ID and contribute to authentication hardening initiatives.
Integrate applications into SSO (SAML/OIDC) and standardize strong authentication mechanisms (MFA, step-up authentication).
Support the implementation of Privileged Access and PIM capabilities as part of the broader identity security roadmap.
Contribute to the organization's Zero Trust journey by enforcing least-privilege principles and improving governance of human and non-human identities.
Reduce permanent administrative privileges and implement time-bound, approval-based privileged access workflows.
Secure service accounts and non-human identities and eliminate legacy authentication patterns.
Align technical entitlements with business role models and support segregation-of-duties enforcement.
Identify and remediate excessive permissions, privilege persistence and legacy authentication risks.
Automate access enforcement, remediation workflows and identity-related security controls.
Collaborate with IT, OT and business stakeholders to harden authentication patterns across infrastructure, cloud and production systems.
Support audits and compliance initiatives by ensuring enforceable and demonstrable access governance controls (ISO 27001, GxP, NIS2).
Contribute to identity security architecture decisions and challenge legacy access patterns.
Act as a security advocate to promote modern, user-friendly access controls balancing usability, compliance and risk reduction.
Team / Description
Bachem is a leading, innovation-driven company specializing in the development and manufacture of peptides and oligonucleotides. With over 50 years of experience and expertise, Bachem provides products for research, clinical development and commercial application to pharmaceutical and biotechnology companies worldwide and offers a comprehensive range of services. Bachem operates internationally with headquarters in Switzerland and locations in Europe, the US and Asia. The company is listed on the SIX Swiss Exchange. To strengthen our team in the Global IT, Security and Compliance (S&C) department, we are seeking an experienced IAM & Access Control Engineer (a), 100%. Reporting to the Head of Security Operation and Architecture and working within the CISO organization, you will reinforce the existing IAM platform ownership and management capabilities. This role complements and reinforces the existing IAM platform capabilities by bringing additional depth in access control enforcement, privileged access hardening and Zero Trust implementation. Our Identity team operates the One Identity platform and Microsoft Entra ID as the central control layer governing authentication, authorization, and privileged access across IT, OT, laboratory, and cloud environments.
Qualifications and Skills
Bachelor’s or Master’s degree in Information Security, Computer Science, or Engineering
Hands-on experience with Identity Governance platforms (preferably One Identity Manager)
Strong experience designing workflows, role models and integrations in IGA environments
Experience with Microsoft Entra ID and Conditional Access is a strong advantage
Experience implementing or supporting Privileged Access / PIM programs
Strong understanding of identity security risks (privilege escalation, legacy authentication, service account exposure)
Knowledge of security frameworks and standards (ISO 27001, NIST, CIS, MITRE ATT&CK)
Experience reducing identity-based lateral movement risks and understanding of hybrid AD / Entra attack surface
Ability to work in complex identity environments and progressively expand into adjacent domains such as access control enforcement and privileged access
Excellent communication skills to collaborate with IT, OT, and business stakeholders
Analytical mindset with problem-solving ability
Relevant certifications are a plus (e.g., GCIA, GCIH, GCED, Azure Security Engineer, CISSP, Security+)
Identity Governance (IGA) process and data model understanding (One Identity or similar IGA platforms)
Microsoft Entra ID and Conditional Access policy management
Privileged Identity Management / Privileged Access concepts
SSO Federation (SAML, OIDC, OAuth2)
Active Directory / Hybrid identity environments
PowerShell / API automation
Cloud identity (Azure, AWS, SaaS environments)
Understanding of regulated environments (GxP, pharmaceutical, manufacturing) desirable