Please note this position is based in our Phoenix, AZ Support Office. The Sr. IT Security Architect is the lead technical architect for Sprouts’ IT Security program, designing and driving security architecture across the enterprise.
The Sr. IT Security Architect mentors security engineers and analysts, leads through influence across infrastructure, network, cloud, and application teams, and carries architectural decisions to the Architecture Review Board (ARB) with a recommended path. The role translates business, compliance, and regulatory requirements into concrete, implementable designs and standards that survive implementation and audit.
Sprouts runs an Azure-first cloud stack—including Databricks, Synapse/Fabric, and Azure Virtual Desktop—alongside store systems, point-of-sale, and payment infrastructure under PCI-DSS. The role requires fluency across both. Architectural decisions align with NIST CSF, ISO 27001, CIS Controls, SOX, PCI-DSS, and applicable privacy regulations.
Periodic after-hours or weekend work may be required to support security escalations or major incidents.
Essential Functions:Essential job functions
· Author reference architecture and design documents across all security domains. Designs must be implementable, testable, and resistant to drift.
· Lead security architecture positions at the Architecture Review Board (ARB). Define and enforce architectural gates for development-to-production progression. Present options, trade-offs, and a recommended path for each decision.
· Lead complex, cross-functional security architecture initiatives of strategic importance to the organization. Advise senior leadership on security matters of significant impact, and provide input to department goals, planning, and budget priorities.
· Design and govern Azure landing zones, managed identity patterns, Key Vault and private-endpoint baselines, CSPM policy, and Terraform/Bicep security guardrails. Lead security architecture for Databricks, Synapse, and Fabric data platforms, including data-lake segmentation and access control.
· Design integration patterns for Microsoft Entra ID and Okta, conditional access, MFA strategy, B2C customer identity, Azure Virtual Desktop access, and BYOD access. Architect CrowdStrike Identity Protection integration with the identity estate.
· Partner with network architecture on segmentation for headquarters and store environments, SASE/CASB/NPA architecture (Netskope), edge protection (Cloudflare), and vendor/BYOD network zones. Drive zero-trust maturity across corporate, retail, and cloud perimeters.
· Set architectural direction for EDR/EPP/IDP (CrowdStrike), endpoint management (Tanium), CASB (Netskope), and email security (Proofpoint). Guide the decommissioning of legacy platforms and the onboarding of replacements.
· Design DLP, data classification (BigID), consent management, and data retention patterns. Govern the security and privacy architecture of AI platforms, vendors, and internal AI tooling, including model-training and data-handling terms.
· Support vendor risk assessments, review SOC 2 Type 2 reports, evaluate vendor SSO/SCIM/RBAC/audit-logging, and author SDLC security standards (secrets management, logging baselines, secure deployment patterns).
· Design security architecture for store systems, point-of-sale, handheld devices, and third-party store integrations. Ensure PCI-DSS alignment across applicable environments.
· Draft and maintain architectural standards and patterns: naming conventions, IaC security patterns, API gateway baselines, cloud tagging, and logging/compliance defaults.
· Map architectural initiatives to NIST CSF (Govern, Identify, Protect, Detect, Respond, Recover), CIS Controls, SOX, and PCI-DSS, borrowing from ISO 27001 and other best practices where applicable. Contribute to security policies and standards.
· Provide guidance, coaching, and training in security architecture across the Company within area of expertise — to security engineers and analysts as well as partners in infrastructure, network, cloud, and application teams.
· Participate in root cause analysis and architectural remediation for incidents, breaches, and HR/Legal investigations. Translate lessons learned into architectural changes.
· Comply with and contribute to change control, development lifecycle, and release management policies. Ensure architectural changes are represented at CAB and documented appropriately.
Knowledge, Skills, Abilities and Physical Requirements:
Knowledge Skills & Abilities
· Bachelor’s degree in Computer Science, Information Technology, Engineering, or equivalent experience in a related discipline.
· 10+ years of enterprise security architecture experience spanning cloud, identity, network, endpoint, application, and data security.
· 3+ years of hands-on Azure security architecture: landing zones, Key Vault, managed identity, private endpoints, Microsoft Sentinel, and Azure-native data platforms (Databricks, Synapse, Fabric).
· Deep identity architecture experience with core protocols (OAuth/OIDC, SAML, SCIM, federation), conditional access, MFA strategy, and B2C customer identity. Hands-on experience with Microsoft Entra ID and Okta preferred.
· Expert-level experience with EDR/EPP and Identity Protection platforms (CrowdStrike preferred).
· Expert-level experience with enterprise DLP, data classification (e.g., BigID), and CASB/SASE architecture (Netskope preferred).
· Expert-level experience with enterprise email security (Proofpoint preferred) and edge protection (Cloudflare preferred).
· Working experience with Infrastructure-as-Code security: Terraform and/or Bicep, policy-as-code, and CSPM platforms.
· Fluency with security and compliance frameworks: NIST CSF, CIS Controls, PCI-DSS, SOX, and applicable privacy regulations (CCPA).
· Retail, PCI, and store-systems experience strongly preferred (POS, payment, store network, third-party retail integrations).
· CISSP, CCSP, or equivalent security certification required.
· Demonstrated track record of authoring architecture documentation that survives review, implementation, and audit.
· Proficiency with monitoring, logging, change management, and CMDB tooling (ServiceNow experience a plus).
It's Healthy Living for Less! An impeccable eye for what's next in nutrition. A continuous drive to go the extra mile. Sprouts Farmers Market works to deliver the best possible shopping experience, helping customers live a healthy lifestyle at an affordable price—not just buy groceries. Sprouts is a healthy grocery store offering fresh, natural and organic foods at great prices. Since 2002, we've been committed to providing our customers with the best-in-class service—and to improving it every day. This commitment has taken us from a small grocery store in Chandler, Ariz. to the leading food retailer we are today. We're proud to serve customers in 10 states with more than 190 stores. Additionally, we strive to be the ultimate healthy living resource with recipes, how-to videos, wellness webinars and compelling content on sprouts.com. Our social media sites and email subscriptions give customers exclusive access to health tips, product information, and web-only coupons for extra savings. Our money-back guarantee, online experiences and product promotions allow us to serve more customers in fresh, new ways. We believe food is an industry of innovation, and in that spirit we are flexible, adaptable and responsive. Foods change. Tastes change. Times change. But our commitment to happy, healthy customers will never change.