Lead Systems Engineer, Secrets and Vault Engineering

Job Purpose

The Lead Systems Engineer joins our Secrets and Vault Engineering team within Identity and Access Management. The team is responsible for the platforms and services that protect secrets, certificates, encryption keys, and machine identity across the enterprise — a foundational layer that nearly every application at ICE depends on.

This is a hands-on engineering role with a strong design and architecture component. The ideal candidate has built or operated a HashiCorp Vault platform in production, writes clean automation code in Python and Ansible, and is comfortable working at the intersection of cryptography, identity, and platform engineering. You will help shape how the next generation of our secrets and machine-identity services are built, including emerging areas such as workload identity for AI and agentic workloads, policy-as-code, and proactive non-human identity governance.

We are looking for someone who can move fluidly between writing the code, designing the system, and explaining the trade-offs to stakeholders. You should be the kind of engineer who pushes back on a design when there's a better way, and who can mentor others through the why, not just the how.

What You'll Gain

This role offers direct, hands-on exposure to areas that few enterprise engineering teams are working on in earnest today:

• Post-quantum cryptography (PQC). You'll be part of the team thinking through how an enterprise cryptography platform evolves to meet PQC readiness, including algorithm migration strategies, key lifecycle implications, and the operational realities of running hybrid classical/post-quantum systems at scale.
• Agentic and AI workload identity. As AI agents and machine-driven workflows become first-class citizens in the enterprise, the question of how they authenticate, what they're allowed to do, and how that's governed is largely unsolved. You'll help build that foundation from the ground up — workload identity, dynamic credentials, policy enforcement, and proactive anomaly detection for non-human identities.
• A platform being designed, not just operated. The team is actively shaping its next-generation architecture rather than maintaining a legacy stack. You'll have meaningful influence on design decisions and the chance to shape patterns the rest of the organization will adopt.

Responsibilities

• Design, build, and maintain platform services for secrets management, certificate lifecycle, encryption key management, and policy enforcement.
• Develop automation and tooling in Python and Ansible to streamline operations, enforce security controls, and reduce manual provisioning effort.
• Contribute to a self-service model for application teams, including golden-pattern templates, declarative manifests, and approval workflows integrated with enterprise systems such as ServiceNow.
• Collaborate with cross-functional teams (application, infrastructure, security, compliance) to translate requirements into reliable, well-governed services.
• Help shape the team's roadmap in emerging areas including workload identity (SPIFFE/SPIRE), policy-as-code, and identity controls for AI and machine-driven workloads.
• Participate in code reviews, design reviews, and architecture discussions; mentor and coach engineers earlier in their career.
• Contribute to internal documentation, runbooks, and knowledge-sharing.
• Participate in a light on-call rotation supporting the team's services.

Knowledge and Experience

• 7+ years of infrastructure, platform, or systems engineering experience.
• Production experience with HashiCorp Vault — secret engines, authentication methods, policies, and operational concerns. Architect-level depth is not required, but you should have shipped against it and understand how it fits into a broader platform.
• Strong proficiency in Python and Shell scripting for automation and tooling.
• Experience with Ansible for configuration management and orchestration.
• Solid understanding of identity, authentication, and secure communication protocols (TLS, OAuth, OIDC, x.509).
• Working knowledge of CI/CD tooling (Jenkins, GitHub Actions, GitLab CI, or similar) and Infrastructure-as-Code (Terraform preferred).
• Experience designing and consuming RESTful APIs.
• Strong fundamentals in Linux systems.
• Demonstrated ability to write production-quality code, communicate design trade-offs clearly, and collaborate across teams.

Preferred Knowledge and Experience

• Bachelor's degree in Computer Science, Engineering, or related field.
• Experience building or contributing to a self-service Vault, secrets, or cryptography platform.
• Familiarity with SPIFFE/SPIRE or other workload identity frameworks.
• Familiarity with policy-as-code tooling such as Open Policy Agent (OPA) or HashiCorp Sentinel.
• Exposure to AI/ML infrastructure or interest in identity controls for AI and agentic workloads.
• Awareness of post-quantum cryptography standards (NIST PQC, hybrid key exchange) and their operational implications.
• Experience with cloud platforms (AWS, GCP, or hybrid environments) and cloud-native secrets services such as AWS Secrets Manager or KMS.
• Exposure to container platforms (Docker, Kubernetes, OpenShift).
• Understanding of threat modeling, secrets rotation, secret-zero patterns, and zero trust architectures.
• Experience in fintech, financial services, mortgage technology, or other regulated and security-sensitive domains.

New York Base Salary Range 

The expected base salary for this role, if located in New York, is between $149,400 - 180,000 USD.  The base salary range does not include Intercontinental Exchange’s incentive compensation.  While we provide this range as general guidance, at ICE we compensate employees based on the skillset and experience of the individual. Regular full-time ICE employees are eligible for a suite of competitive employee benefits, including healthcare coverage (medical, dental and vision), a 401(k) plan, life insurance, time off, and paid leave for qualifying circumstances.