IAM in IT — CIS and Europe market
IAM Engineer (Identity & Access Management) — a security specialty focused on managing identities and access: SSO (Single Sign-On), MFA, provisioning / deprovisioning, privileged access, identity governance, authorization. «Identity is the new perimeter» — central principle of the Zero Trust era 2026. Role family: IAM Engineer (general — workforce identity + SSO + MFA operations), Senior IAM Engineer (multi-system identity architecture + automation + lifecycle management), Identity Architect (org-wide IAM strategy + Zero Trust identity design + protocol expertise), PAM Engineer (Privileged Access Management specialty — CyberArk / Delinea / HashiCorp Boundary deep), IGA Engineer (Identity Governance & Administration — SailPoint / Saviynt — access certification + compliance), CIAM Engineer (Customer IAM — consumer-facing auth — Auth0 / Cognito / modern developer-first platforms), Authorization Engineer (rising 2024+ — fine-grained authorization specialty — OPA / OpenFGA / Cedar / SpiceDB). Stack 2026: Workforce IdP (Identity Providers — employee SSO): Okta (industry leader — Workforce Identity Cloud), Microsoft Entra ID (former Azure AD — dominates Microsoft-shop), Ping Identity (enterprise), OneLogin, JumpCloud (SMB-focused), Keycloak (open-source — Red Hat — popular in RF), Authentik (open-source modern — rising 2024+), Zitadel (open-source modern). Russian workforce IdP: Avanpost (IDM + FAM — leader RF), Solar inRights (IGA), Indeed Identity, RT-IAM (Rostelecom), CryptoPro (certificate-based auth). 
CIAM (Customer Identity & Access Management — consumer-facing): Auth0 (Okta-owned — developer favorite — most loved CIAM 2026), Amazon Cognito, Microsoft Entra External ID (former Azure AD B2C), Firebase Authentication (Google — mobile-friendly), Frontegg (B2B-focused), Stytch (passwordless-first modern), SuperTokens (open-source), WorkOS (B2B SSO-as-a-service — enterprise readiness in one API), Clerk (modern developer-friendly — React-first), Ory (open-source — Kratos identity + Hydra OAuth + Keto authorization). PAM (Privileged Access Management): CyberArk (industry leader — Privileged Access Manager + Conjur secrets), BeyondTrust (Password Safe + Privileged Remote Access), Delinea (former Thycotic + Centrify merger — Secret Server), HashiCorp Vault + Boundary (modern infrastructure access), Teleport (modern — SSH / Kubernetes / database access — rising 2024+), StrongDM. Russian PAM: Solar SafeInspect, Indeed PAM, Avanpost PAM, SKDPU NT (IT Bastion). IGA (Identity Governance & Administration): SailPoint (industry leader — IdentityIQ + IdentityNow), Saviynt, Microsoft Entra ID Governance, Omada, One Identity. Russian: Solar inRights, Avanpost IDM. Protocols / standards mastery: SAML 2.0 (enterprise SSO standard), OAuth 2.0 / 2.1 (authorization framework), OIDC (OpenID Connect) (authentication layer on OAuth), SCIM (System for Cross-domain Identity Management — provisioning standard), FIDO2 / WebAuthn (passwordless standard), LDAP + Kerberos (legacy directory + auth). MFA / Passwordless: FIDO2 / WebAuthn / Passkeys (passwordless future — Apple / Google / Microsoft push 2024-2026), YubiKey (hardware tokens — phishing-resistant), Duo Security (Cisco), Okta Verify / Microsoft Authenticator, magic links + OTP (legacy). Directory services: Active Directory (AD — enterprise standard), Microsoft Entra ID, LDAP (OpenLDAP / 389 Directory Server), Google Workspace Directory. 
Authorization (fine-grained — rising 2024+): OPA (Open Policy Agent) (CNCF — policy engine), OpenFGA (CNCF — relationship-based, Google Zanzibar-inspired), Cedar (AWS — authorization language — Amazon Verified Permissions), SpiceDB (Authzed — Zanzibar-inspired), Oso (authorization library), Permit.io. Secrets management (overlap): HashiCorp Vault + cloud-native (AWS Secrets Manager / GCP Secret Manager / Azure Key Vault). Zero Trust identity: Conditional Access (risk-based authentication), continuous verification, device trust, identity threat detection (ITDR — Identity Threat Detection & Response — rising 2024+). Certifications: Okta Certified (Professional / Administrator / Consultant / Developer), Microsoft Identity (SC-300 Identity and Access Administrator), SailPoint certifications, CyberArk certifications (Defender / Sentry / Guardian), CIDPRO (Certified Identity Professional — IDPro). Languages: Python primary (IAM automation + SCIM connectors + custom integrations), JavaScript / TypeScript (CIAM frontend integration), bash + PowerShell (AD administration). According to Zorky CRM, 4 active openings with explicit IAM focus (the real pool is wider — many IAM roles classified as general Security Engineer / Backend / DevOps), median $2717/mo. Top stack: Okta, Microsoft Entra ID, Keycloak, SAML, OAuth 2.0. 0% — remote. Senior IAM Engineer — $5,500-9,500/mo, at RF banks + Russian IAM vendors (Avanpost / Solar) — $6,500-10,000, international tech (Okta / Microsoft / Ping / SailPoint / CyberArk / WorkOS) — $9,000-15,000+ Senior.
Comparison with other specializations
The Security direction contains 7 specializations. The current one (IAM) is highlighted in blue — compare it with its neighbors by the number of open jobs and median salary.
Demand trend
IAM — a stable premium segment with growing demand in 2026. Drivers: «identity is the new perimeter» Zero Trust shift, passwordless migration (FIDO2 / WebAuthn / Passkeys — Apple / Google / Microsoft push 2024-2026), regulatory pressure (access certification audits — SOC 2 / ISO 27001 / SOX), import substitution in RF (shift to Russian IAM — Avanpost / Solar / Indeed Identity), authorization renaissance (OPA / OpenFGA / Cedar — fine-grained authz rising 2024+), CIAM growth (consumer auth as competitive differentiator — WorkOS / Clerk explosion). Russian banks and Russian IAM vendors dominate. International remote via Okta / Microsoft Entra / SailPoint / CyberArk / WorkOS.
How many new jobs appear each week.
Seniority distribution — trend
How the share of Junior/Middle/Senior/Lead in open jobs shifts week over week. A trend toward Senior usually signals a mature specialization where companies look for ready-made talent; the opposite — a rise in Junior — signals expansion and ground-up team building.
Share of each level in % of all jobs with a stated grade per week.
Salary by level
Junior — typical entry Sysadmin (AD admin) / Security Middle / Backend Middle + IAM focus. Career flow: Sysadmin / Security / Backend Middle (2-3 years) + IAM focus → IAM Junior (1-2 years) → Middle (2-3 years) → Senior → either Identity Architect, or PAM specialist, or IGA specialist, or CIAM Engineer (Backend-leaning), or Authorization Engineer (OPA / OpenFGA — rising).
Median salary (USD/month) at each grade plus the jump vs the previous one.
Biggest salary jump — between Senior and Lead (+58.2%).
Salary distribution — trend
Median IAM salary — $2717/mo — a stable premium segment of the security direction. Most vacancies $5-9K. $9K+ — Senior with workforce IdP mastery + protocols deep + PAM/IGA expertise. $11K+ — Senior at RF banks + Russian IAM vendors. $13K+ — Senior at international tech companies (Okta / Microsoft Entra / SailPoint / CyberArk / WorkOS). $14K+ — Big Tech identity teams (Google Identity / AWS IAM / Microsoft Entra / Apple / Meta).
What share of jobs each price band holds week over week.
65% of jobs are in the $5–8K range (the core market). High-end $8K+ segment: 23% — usually US-remote or senior-international roles.
Hiring geography
Leader by IAM job count — 🇵🇱 Poland (4 positions). Russia — banks + Russian IAM vendors (Avanpost / Solar / Indeed Identity / RT-IAM / CryptoPro / IT Bastion) + EPAM Security Practice dominate. Poland — IAM-friendly EU hub. Germany — Berlin + Munich enterprise. Large international remote via Okta / Microsoft Entra / Ping Identity / SailPoint / CyberArk / BeyondTrust / WorkOS / Auth0 / Clerk / Stytch.
Job distribution by country.
These numbers reflect the distribution across the sources we parse. Poland often looks dominant because of dense NoFluffJobs / JustJoin.it / Pracuj coverage — the Polish IT market is genuinely large, but in our sample its share is overweighted relative to the real volume of all IT jobs in the region. Same caveat for other top countries: this is «where our parsers look», not «the true size of the market».
Remote / Hybrid / Office — trend
0% of IAM vacancies — remote or hybrid. IAM work is primarily cloud-based (IdP consoles + SaaS + API integrations). Outsourcers — almost always remote. Russian banks + state companies — hybrid/office due to regulatory + identity-data sensitivity + security clearances (especially PAM — high-trust). International tech companies — full-remote standard. CIAM Engineers (Backend-leaning) — full-remote-friendly.
How the share of each work format shifts week over week.
89% — remote. The specialization is well adapted to the remote format.
Technology combinations
Common pairs: Okta + SAML + OIDC + SCIM (workforce SSO classic stack), Microsoft Entra ID + Active Directory + Conditional Access (Microsoft-shop stack), Keycloak + OAuth 2.0 + OIDC (open-source self-hosted), Auth0 + React + OIDC (modern CIAM stack), CyberArk + Active Directory + privileged session management (PAM stack), SailPoint + SCIM + access certification (IGA governance stack), OpenFGA + OPA + Cedar (modern authorization stack), HashiCorp Vault + Boundary + Teleport (infrastructure access stack). Learning roadmap: identity fundamentals (AAA + RBAC/ABAC/ReBAC) → protocols deep (SAML + OAuth + OIDC + SCIM) → Active Directory fundamentals → workforce IdP hands-on (Okta / Entra ID / Keycloak) → MFA/Passwordless → CIAM or PAM or IGA specialization → authorization (OPA / OpenFGA) → IAM automation (Python) → certifications (Okta Certified / Microsoft SC-300 / SailPoint / CyberArk / CIDPRO).
Which pairs of technologies appear together most often in a single job.
Where we see these jobs
IAM vacancies: hh.ru (especially banks + Russian IAM vendors active), Habr Career, getmatch, Djinni, LinkedIn (huge international IAM segment via Okta / Microsoft / SailPoint / CyberArk / WorkOS), NoFluffJobs / JustJoin.it (Poland IAM-friendly), Telegram (@iam_ru, @cybersec_jobs, @security_ru, @devops_jobs), career sites EPAM Security Practice / Luxoft / Andersen / DataArt, specialized boards cybersecjobs.com + infosec-jobs.com + idpro.org community job board, Y Combinator identity startups (CIAM + authorization), Russian IAM vendor careers (avanpost.ru / rt-solar.ru / indeed-company.ru / cryptopro.ru), IAM vendor direct careers (okta.com / pingidentity.com / sailpoint.com / cyberark.com / workos.com), Identiverse / Gartner IAM Summit / EIC conference hiring.
IAM vs other directions
IAM Engineer overlaps with Security Engineer general (IAM is one security domain — 40% overlap), Backend Engineer (CIAM auth implementation — 50% overlap in consumer context), DevOps (machine identity + secrets + service-to-service auth — 30%), Cloud Security (cloud IAM — IAM Access Analyzer / privilege management), Identity Architect (career evolution). Comparison with security-engineer/appsec/cloud-security/pentest/soc/network-security — in the sibling specializations chart above.
Volume of open jobs across IT directions.
Latest jobs
Latest open IAM Engineer jobs — most recent positions in the sample (narrow pool of explicit IAM roles — real market wider due to overlap with Security / Backend / DevOps).
Frequently asked questions
The most common questions about IAM Engineer: pay (stable premium — «identity is the new perimeter»), IAM Engineer vs Identity Architect vs Security Engineer vs Backend Engineer (4-way + workforce vs CIAM split), IAM platforms 2026 decision tree (Okta vs Entra ID vs Ping vs Keycloak vs Auth0 vs WorkOS — 14 options), PAM Engineer / IGA Engineer / CIAM / Authorization Engineer specializations, remote, how to become one (4-8 months from Sysadmin AD admin / Security / Backend Middle), Senior skills (protocols mastery + workforce IdP + PAM/IGA + authorization OPA/OpenFGA + IAM automation).
How much does an IAM Engineer earn in 2026?
Median IAM Engineer — $2717/mo per Zorky CRM (4 active openings with explicit IAM focus — real pool wider due to overlap with general Security / Backend). Junior —, Middle $2717/mo, Senior —, Lead —. A stable premium segment thanks to «identity is the new perimeter» Zero Trust shift + regulatory pressure (access certification audits — SOC 2 / ISO 27001 / SOX). Senior with workforce IdP mastery (Okta / Entra ID) + protocols deep (SAML / OAuth / OIDC / SCIM) + PAM or IGA expertise — $7,000-9,500. Senior at RF banks + Russian IAM vendors (Avanpost / Solar / Indeed Identity) — $6,500-10,000. Outsourcers (EPAM Security Practice / Luxoft) — $7,000-11,000 Senior on US enterprise IAM projects. International tech companies (Okta + Microsoft + Ping Identity + SailPoint + CyberArk + BeyondTrust + WorkOS + Auth0) — full-remote $9,000-15,000+ Senior. Big Tech identity teams (Google Identity / AWS IAM / Microsoft Entra / Apple) — $14,000-22,000+ Senior + RSU. Premium add-ons: Okta Certified Consultant / Developer +10-20%, SailPoint / CyberArk certifications +10-20%, Microsoft SC-300 +5-15%, authorization specialty (OPA / OpenFGA / Cedar) +10-20% (rising rare skill), CIAM platform engineering depth +10-15%.
What's the Junior, Middle, Senior, Lead salary for IAM Engineer?
Salary ladder (median USD/mo): Junior —, Middle $2717/mo, Senior —, Lead —. Junior — typical entry: 1) Sysadmin / IT support + Active Directory administration experience → IAM Junior, 2) Security Engineer Middle + identity specialization, 3) Backend Engineer + auth implementation experience (OAuth / OIDC) → CIAM-leaning IAM. Jump Junior → Middle — after first end-to-end IdP deployment (SSO for org) + first MFA rollout + lifecycle automation (joiner-mover-leaver). Middle → Senior — multi-system identity architecture + protocol mastery + PAM or IGA deep + access governance ownership (typical mandate: automate access certification campaigns + reduce orphaned accounts). Senior → Identity Architect — org-wide IAM strategy + Zero Trust identity design + protocol expertise + compliance leadership. Career flow: Sysadmin (AD admin) / Security Middle / Backend Middle (2-3 years) + IAM focus → IAM Junior (1-2 years) → Middle (2-3 years) → Senior → either Identity Architect, or PAM specialist, or IGA specialist, or CIAM Engineer (consumer-facing — Backend-leaning), or Authorization Engineer (OPA / OpenFGA — rising).
How much do IAM Engineers earn in Moscow, SPb, remote?
Moscow Senior IAM Engineer — $6,500-9,500/mo (banks dominate — Sber.Tech / Tinkoff / VTB / Gazprombank / Alfa / Raiffeisen / MKB have large IAM teams + Russian IAM vendors — Avanpost (IDM + FAM — leader RF) + Solar (inRights IGA + SafeInspect PAM) + Indeed Identity + RT-IAM (Rostelecom) + CryptoPro (certificate-based) + IT Bastion (SKDPU NT PAM); Yandex / VK / Ozon / Wildberries / X5 Group / MTS identity teams; state companies — Gazprom / Rosneft / Atomenergoproekt). SPb $6,000-9,000. Minsk/Kyiv $5,500-8,500 Senior. Poland €6,500-10,500 gross Senior. Germany €75-115K/yr Senior. 0% — remote. Outsourcers (EPAM Security Practice / Luxoft Security / Andersen / DataArt) — almost always remote, $7,000-11,000 Senior on US IAM projects. International tech companies (Okta / Microsoft Entra / Ping Identity / SailPoint / CyberArk / BeyondTrust / Delinea / WorkOS / Auth0 / Stytch / Frontegg / Clerk) — full-remote $9,000-15,000+ Senior. Big Tech identity teams (Google Identity / AWS IAM team / Microsoft Entra / Apple / Meta) — $14,000-22,000+ Senior. Premium for multi-platform cert holders (Okta + Microsoft SC-300 + SailPoint / CyberArk) — $10,000-16,000+ Senior on international remote.
What stack is most often required from IAM Engineer?
Top 5: Okta, Microsoft Entra ID, Keycloak, SAML, OAuth 2.0. Workforce IdP mastery: one of Okta (industry leader — Workforce Identity Cloud — premium knowledge) / Microsoft Entra ID (former Azure AD — dominates Microsoft-shop) / Ping Identity (enterprise) / OneLogin / JumpCloud / Keycloak (open-source Red Hat — popular RF) / Authentik (open-source modern rising) / Zitadel. Russian: Avanpost (leader RF) / Solar inRights / Indeed Identity / RT-IAM / CryptoPro. CIAM (Customer IAM) mastery: Auth0 (Okta-owned — developer favorite) / Amazon Cognito / Microsoft Entra External ID / Firebase Authentication / Frontegg (B2B) / Stytch (passwordless-first) / SuperTokens (open-source) / WorkOS (B2B SSO-as-a-service) / Clerk (React-first modern) / Ory (open-source — Kratos + Hydra + Keto). PAM (Privileged Access Management): CyberArk (leader — PAM + Conjur secrets) / BeyondTrust / Delinea (Thycotic + Centrify merger) / HashiCorp Vault + Boundary / Teleport (modern infrastructure access — rising 2024+) / StrongDM. Russian: Solar SafeInspect / Indeed PAM / Avanpost PAM / SKDPU NT (IT Bastion). IGA (Identity Governance & Administration): SailPoint (leader — IdentityIQ + IdentityNow) / Saviynt / Microsoft Entra ID Governance / Omada / One Identity. Russian: Solar inRights / Avanpost IDM. Protocols / standards mastery — must: SAML 2.0 (enterprise SSO), OAuth 2.0 / 2.1 (authorization framework — grant types, PKCE, token rotation), OIDC (OpenID Connect — authentication layer), SCIM (provisioning standard — joiner-mover-leaver automation), FIDO2 / WebAuthn (passwordless), LDAP + Kerberos (legacy directory + auth). MFA / Passwordless: FIDO2 / WebAuthn / Passkeys (passwordless future — Apple / Google / Microsoft push 2024-2026 — phishing-resistant), YubiKey (hardware tokens), Duo Security (Cisco), Okta Verify / Microsoft Authenticator, magic links + OTP (legacy). 
Directory services: Active Directory (AD — enterprise standard — Group Policy + OU design + replication), Microsoft Entra ID, LDAP (OpenLDAP / 389 Directory Server), Google Workspace Directory. Authorization (fine-grained — rising 2024+): OPA (Open Policy Agent — CNCF — Rego policy language), OpenFGA (CNCF — relationship-based, Google Zanzibar-inspired), Cedar (AWS authorization language — Amazon Verified Permissions), SpiceDB (Authzed — Zanzibar-inspired), Oso (authorization library), Permit.io. Zero Trust identity: Conditional Access policies (risk-based authentication), continuous verification, device trust, ITDR (Identity Threat Detection & Response — rising 2024+). Secrets management (overlap): HashiCorp Vault + cloud-native. Languages: Python primary (IAM automation + SCIM connectors + custom integrations) + JavaScript / TypeScript (CIAM frontend integration) + bash + PowerShell (AD administration).
IAM Engineer vs Identity Architect vs Security Engineer vs Backend Engineer — what's the difference?
IAM Engineer (this page) — focus on identity & access management implementation: SSO + MFA + provisioning + privileged access + governance. Specialty within security. Pay $4,500-9,500. Identity Architect — Senior IAM with org-wide strategy focus: Zero Trust identity architecture design + protocol expertise + technology selection + compliance leadership. Less programming, more strategy. Career evolution from Senior IAM Engineer. Pay $9,000-14,000. Security Engineer (general) — broad coverage of all security domains (SIEM + EDR + network + IAM — but IAM is just one part). See Security Engineer (general). Pay $4,500-9,500. Backend Engineer (auth-focused) — implements authentication / authorization in product code (OAuth flows + session management + JWT handling + RBAC implementation). Not an IAM specialist, but overlap in CIAM context. Pay varies — backend tier. Reality 2026 (overlap heatmap): IAM ↔ Security Engineer: 40% (IAM is one security domain). IAM ↔ Backend (auth): 50% in CIAM context (consumer-facing auth — Backend Engineers often implement, IAM Engineers design). IAM ↔ DevOps: 30% (machine identity + secrets management + service-to-service auth). Workforce IAM vs CIAM split: Workforce IAM — employee identity (Okta / Entra ID — SSO for internal apps + lifecycle management) — closer to traditional IT / security. CIAM (Customer IAM) — consumer-facing auth (Auth0 / Cognito / Clerk — millions of users + scalability + UX) — closer to Backend engineering + product. These two IAM directions require different skill sets. Career pivots: Sysadmin (AD admin) → Workforce IAM Engineer — 4-8 months. Backend Engineer → CIAM Engineer — 3-6 months (auth knowledge translates). Security Engineer → IAM Engineer — 3-6 months. IAM Senior → Identity Architect — 2-4 years.
IAM platforms 2026 decision tree — Okta vs Entra ID vs Ping vs Keycloak vs Auth0 vs WorkOS?
Decision tree for IAM platform choice 2026:
WORKFORCE IAM (employee SSO):
1) Microsoft Entra ID (former Azure AD) — default for Microsoft-shop organizations (if you already use Microsoft 365 / Azure — Entra ID included / discounted, native integration). Strengths: deep Microsoft ecosystem, Conditional Access, free tier with M365. Weaknesses: complex licensing tiers, weaker non-Microsoft app integration historically.
2) Okta (Workforce Identity Cloud) — best for multi-vendor environments + best-of-breed approach. Strengths: 7000+ pre-built app integrations (largest catalog), vendor-neutral, polished UX, strong lifecycle management. Weaknesses: premium pricing, 2022 breach reputational hit (recovered). Use case: non-Microsoft-centric orgs + want best integration coverage.
3) Ping Identity — enterprise-heavy, complex hybrid environments. Use case: large enterprises with on-prem + cloud hybrid + complex federation needs.
4) Keycloak (open-source — Red Hat) — best for self-hosted + zero-budget + technical teams. Strengths: free, full-featured (SAML + OIDC + identity brokering), customizable. Weaknesses: operational burden (you run it), steeper learning curve. Use case: budget-constrained + technical team + popular in RF context (self-hosted preference).
5) Authentik / Zitadel — open-source modern alternatives to Keycloak (better UX). Rising 2024+.
6) Russian workforce IdP (after import substitution): Avanpost (leader RF) / Solar inRights / Indeed Identity / RT-IAM — for RF-only organizations + state companies.
CIAM (consumer-facing auth):
7) Auth0 (Okta-owned) — developer favorite, best DX (developer experience), extensive SDK / docs. Use case: startups → mid-market, fast time-to-market. Pricing scales aggressively at high MAU (Monthly Active Users).
8) Amazon Cognito — best for AWS-native applications. Cheap at scale. Weaknesses: clunky DX, limited customization.
9) WorkOS — B2B SSO-as-a-service — «enterprise readiness in one API» (SAML + SCIM + directory sync for B2B SaaS selling to enterprises). Rising fast 2024+ — best for B2B SaaS that needs to support enterprise customers' SSO.
10) Clerk — modern developer-friendly, React-first, beautiful pre-built UI components. Use case: modern web apps (Next.js / React), fast iteration.
11) Stytch — passwordless-first, modern API.
12) Firebase Authentication — best for mobile apps + Firebase ecosystem.
13) Ory (open-source — Kratos + Hydra + Keto) — best for self-hosted CIAM + full control.
14) SuperTokens — open-source CIAM alternative.
Default 2026 recommendations: Microsoft-shop workforce → Entra ID. Multi-vendor workforce → Okta. Zero-budget self-hosted workforce → Keycloak (or Authentik / Zitadel for better UX). RF-only org → Avanpost / Solar. Consumer app CIAM → Auth0 (fast) or Clerk (modern React) or Cognito (AWS-native). B2B SaaS needing enterprise SSO → WorkOS. Self-hosted CIAM → Ory or SuperTokens.
Authorization layer (separate from authentication): OPA (general policy) / OpenFGA or SpiceDB (relationship-based, Zanzibar-style) / Cedar (AWS) / Oso or Permit.io (embedded).
Can you work as an IAM Engineer remotely?
Yes, 0% of IAM Engineer vacancies — full-remote or hybrid. IAM work is primarily cloud-based (IdP consoles + SaaS platforms + API integrations). Outsourcers (EPAM Security Practice / Luxoft / Andersen / DataArt) — almost always remote on US IAM projects. Russian banks (Sber / Tinkoff / VTB / Alfa) — hybrid/office due to regulatory + identity-data sensitivity + security background-check. Russian IAM vendors (Avanpost / Solar / Indeed Identity / CryptoPro) — hybrid or remote after background-check. State companies — hybrid/office due to security clearances (especially for PAM work — privileged access — high-trust roles). International tech companies (Okta / Microsoft Entra / Ping Identity / SailPoint / CyberArk / BeyondTrust / WorkOS / Auth0 / Clerk / Stytch) — full-remote standard. Big Tech identity teams (Google Identity / AWS IAM / Microsoft Entra / Apple) — hybrid standard. CIAM Engineers (consumer-facing — Backend-leaning) — full-remote friendly due to product-engineering nature. Relocant hubs: Poland (Security-friendly EU) / Germany / Canada / Serbia. English for international IAM remote — must (protocol specs — SAML / OAuth / OIDC RFCs + vendor docs Okta / Microsoft / SailPoint + community are English-language).
How is PAM Engineer different from a regular IAM Engineer?
IAM Engineer (general) — focus on workforce identity broadly: SSO + MFA + provisioning + access management for all users. PAM Engineer (Privileged Access Management specialty) — focus specifically on privileged accounts (administrator / root / service accounts — highest-risk identities). Day-to-day: 1) PAM platform deployment (CyberArk / BeyondTrust / Delinea / HashiCorp Boundary / Teleport), 2) Privileged credential vaulting (secrets rotation + checkout / checkin workflows), 3) Session recording + monitoring (record admin sessions for audit + forensics), 4) Just-In-Time (JIT) privileged access (grant admin rights temporarily, auto-revoke), 5) Privilege escalation control + least-privilege enforcement, 6) Service account / machine identity management (non-human identities — often 10× more than human accounts), 7) Break-glass access procedures (emergency access). Why a specialty: privileged accounts — primary target of ransomware + APT attacks (compromise admin → game over). Regulatory mandate (PCI-DSS / SOX / 187-FZ require PAM controls). Pay: PAM Engineer — premium over general IAM +10-20% due to rare-skill + high-trust nature. IGA Engineer (Identity Governance & Administration specialty) — another specialty: focus on access governance — access certification campaigns (periodic review «does this person still need this access?»), Segregation of Duties (SoD) policy enforcement, access request workflows, compliance reporting (SOC 2 / ISO 27001 / SOX access audits). Tools: SailPoint / Saviynt. CIAM Engineer — consumer-facing auth (millions of users — scalability + UX + Backend-engineering-leaning). See decision tree above. Authorization Engineer (rising 2024+) — fine-grained authorization specialty (OPA / OpenFGA / Cedar / SpiceDB) — «who can do what on which resource» at scale. 
Career choice: general IAM if breadth + workforce identity, PAM if high-trust + privileged-account-deep + security-critical, IGA if governance + compliance + audit-focused, CIAM if consumer-scale + product engineering, Authorization Engineer if fine-grained authz + modern policy engines.
Which companies actively hire IAM Engineers?
Top: Sber.Tech, Avanpost, Tinkoff. Russian banks (largest channel due to regulatory + identity-security mandate): Sber.Tech, Tinkoff, VTB, Gazprombank, Alfa-Bank, Raiffeisen, Rosselkhozbank, MKB, Otkritie. Russian IAM vendors (largest IAM-product segment CIS — active hiring after import substitution): Avanpost (IDM + FAM + PKI — leader RF workforce IAM), Solar (MTS RED — inRights IGA + SafeInspect PAM), Indeed Identity (Indeed IAM + Indeed PAM), RT-IAM (Rostelecom — state IAM), CryptoPro (certificate-based authentication — state cryptography), IT Bastion (SKDPU NT — PAM), Aladdin R.D. (token-based auth). Yandex (internal IAM + Yandex Cloud IAM service). Ozon / VK / Wildberries / X5 Group / MTS identity teams. JetBrains (identity for JetBrains Account + IDE licensing). State companies: RTC / Rostelecom / Gazprom / Rosneft / Atomenergoproekt. Outsourcers with Security Practice: EPAM Security Practice (largest IAM outsource in CIS for US enterprise IAM projects — SailPoint / Okta / CyberArk implementations), Luxoft Security, Andersen Security, DataArt Security. International tech companies (full-remote premium): Okta (+ Auth0 — workforce + CIAM leader), Microsoft (Entra — largest identity team globally), Ping Identity, SailPoint (IGA leader), CyberArk (PAM leader), BeyondTrust, Delinea, WorkOS (B2B SSO — rising fast), Clerk (modern CIAM), Stytch, Frontegg, SuperTokens, Ory, Authzed (SpiceDB authorization), Teleport (infrastructure access). Y Combinator identity startups (CIAM + authorization space — the most active sub-niche 2024-2026). Big Tech identity teams (top-tier salary): Google Identity (Google Sign-In + Cloud Identity) / AWS IAM team / Microsoft Entra / Apple (Sign in with Apple + identity) / Meta (identity infrastructure) — $14,000-22,000+ Senior.
How to start in IAM in 2026?
Roadmap:
1) Identity fundamentals — authentication vs authorization vs accounting (AAA), identity lifecycle (joiner-mover-leaver), least-privilege principle, RBAC vs ABAC vs ReBAC (Role / Attribute / Relationship-Based Access Control).
2) Protocols deep — must: SAML 2.0 (assertions + bindings + SP-initiated vs IdP-initiated flows), OAuth 2.0 / 2.1 (grant types — authorization code + PKCE + client credentials; token types; common pitfalls), OIDC (OpenID Connect) (ID tokens + UserInfo + discovery), SCIM (provisioning standard). Book: «Solving Identity Management in Modern Applications» Yvonne Wilson / Abhishek Hingnikar (canonical — OAuth/OIDC for developers).
3) Active Directory fundamentals — AD structure (forests / domains / OUs), Group Policy, Kerberos authentication, LDAP. Book: «Active Directory» Brian Desmond (O'Reilly).
4) Workforce IdP hands-on — pick one: Okta (Okta Developer free tier — best for learning + Okta Certified Professional cert) or Microsoft Entra ID (Azure free tier + SC-300 cert) or Keycloak (self-host free — learn protocols deeply). Set up SSO for test apps.
5) MFA / Passwordless — understand FIDO2 / WebAuthn / Passkeys (passwordless future), set up YubiKey, configure Conditional Access policies.
6) CIAM hands-on (if consumer-facing track) — Auth0 free tier or Clerk or Keycloak. Implement login flows in test app (React / Next.js).
7) PAM hands-on (if privileged-access track) — HashiCorp Vault (free self-host) + Boundary, or Teleport (free tier). Understand secrets vaulting + session recording + JIT access.
8) IGA basics (if governance track) — SailPoint training (SailPoint University) — access certification + SoD concepts.
9) Authorization (rising 2024+) — OPA (Open Policy Agent — Rego language) + OpenFGA (relationship-based — read Google Zanzibar paper) + Cedar (AWS). Build fine-grained authz demo.
10) IAM automation — Python for SCIM connectors + custom integrations + IdP API automation (Okta API / Microsoft Graph API).
11) Certifications path: Okta Certified (Professional → Administrator → Consultant / Developer) or Microsoft SC-300 (Identity and Access Administrator) — foundational. Advanced: SailPoint certifications / CyberArk certifications (Defender → Sentry → Guardian) / CIDPRO (Certified Identity Professional — IDPro — vendor-neutral).
12) Pet project portfolio: a) full SSO setup (Keycloak / Okta) with multiple apps + SAML + OIDC + SCIM provisioning; b) CIAM demo app with passwordless (WebAuthn / Passkeys); c) fine-grained authorization demo (OpenFGA / OPA). Document on GitHub.
RF courses: BI.ZONE Cybersecurity Academy, Otus «IAM» / Security courses, Avanpost training (Russian IAM), Solar training (inRights IGA / SafeInspect PAM).
International (eng): Okta Learning (free — best for Okta track), Microsoft Learn SC-300 (free), IDPro Body of Knowledge (vendor-neutral — best foundational resource, free), Auth0 docs + blog (excellent CIAM learning), «OAuth 2 in Action» Justin Richer / Antonio Sanso (Manning — protocols deep).
Books-must: «Solving Identity Management in Modern Applications» Wilson / Hingnikar, «OAuth 2 in Action» Richer / Sanso, IDPro Body of Knowledge (online).
Communities: IDPro (Identity Professionals community — vendor-neutral), r/identitymanagement, Okta / Auth0 community forums, Telegram @iam_ru, @security_ru.
Conferences: Identiverse (largest identity conference), Gartner IAM Summit, European Identity & Cloud Conference (EIC).
Sysadmin (AD admin) / Security Middle / Backend Middle + IAM focus → IAM Junior — 4-8 months.
How many IAM Engineer vacancies are there in CIS and Europe?
4 active open IAM Engineer vacancies with explicit IAM focus in our sample. The real market is significantly wider — many IAM roles are classified as general Security Engineer / Backend Engineer (CIAM auth implementation) / DevOps (machine identity + secrets) / IT Administrator (AD administration). True IAM-focused dev jobs in CIS + Europe are estimated at 150-600 active positions at any moment in 2026. Geography: 🇵🇱 Poland. Sources: hh.ru (especially banks + Russian IAM vendors — Avanpost / Solar / Indeed Identity active), Habr Career, getmatch, Djinni, LinkedIn (huge international IAM segment via Okta / Microsoft / SailPoint / CyberArk / WorkOS), NoFluffJobs / JustJoin.it (Poland IAM-friendly), Telegram (@iam_ru, @cybersec_jobs, @security_ru, @devops_jobs), career sites EPAM Security Practice / Luxoft / Andersen / DataArt, specialized boards (cybersecjobs.com, infosec-jobs.com, idpro.org community job board), Y Combinator identity startups (CIAM + authorization — active 2024-2026), Russian IAM vendor careers (avanpost.ru / rt-solar.ru / indeed-company.ru / cryptopro.ru), IAM vendor direct careers (okta.com / pingidentity.com / sailpoint.com / cyberark.com / workos.com), Identiverse / Gartner IAM Summit / EIC conference hiring. The real market is wider due to the international remote segment (Okta / Microsoft Entra / Ping / SailPoint / CyberArk / WorkOS / Auth0 / Clerk / Stytch — full-remote-friendly). Senior IAM Engineer closing time — 6-12 weeks (longer than general Security because of the rare skill combination: protocol depth + platform expertise + governance knowledge).
What skills does a Senior IAM Engineer need?
Senior IAM Engineer owns the full identity & access management lifecycle + technical leadership. Protocols mastery deep: SAML 2.0 (assertions + bindings + SP/IdP-initiated flows + signing / encryption), OAuth 2.0 / 2.1 (all grant types + PKCE + token rotation + DPoP + common vulnerabilities — token leakage / CSRF / redirect manipulation), OIDC (ID tokens + claims + discovery + session management + back-channel logout), SCIM (provisioning automation — joiner-mover-leaver), FIDO2 / WebAuthn (passwordless implementation), Kerberos + LDAP (legacy directory). Workforce IdP mastery: one of Okta / Microsoft Entra ID / Ping deeply — SSO architecture, lifecycle management automation, Conditional Access / risk-based policies, app integration (7000+ catalog for Okta), custom SAML / OIDC app onboarding, IdP federation (multi-IdP scenarios). Directory services mastery: Active Directory deep (forest / domain / OU architecture + Group Policy + replication + AD security — Kerberoasting / DCSync awareness), Entra ID hybrid (AD Connect / Cloud Sync). PAM mastery (if PAM track): CyberArk / BeyondTrust / Delinea / HashiCorp Boundary / Teleport — privileged credential vaulting, session recording, JIT access, service account management, break-glass procedures. IGA mastery (if governance track): SailPoint / Saviynt — access certification campaigns, Segregation of Duties (SoD) policy, access request workflows, role mining, compliance reporting. CIAM mastery (if consumer track): Auth0 / Cognito / Clerk — scalable consumer auth (millions of MAU), passwordless UX, social login, progressive profiling, account security (credential stuffing protection + bot detection). Authorization mastery (rising 2024+): OPA (Rego policy language), OpenFGA / SpiceDB (relationship-based — Google Zanzibar model), Cedar (AWS), fine-grained authz design at scale. Zero Trust identity: Conditional Access architecture, continuous verification, device trust, ITDR (Identity Threat Detection & Response) integration. 
IAM automation: Python deep (SCIM connectors + IdP API automation — Okta API / Microsoft Graph API + custom integrations), Terraform for IaC IAM (Okta Terraform provider / Entra Terraform). Identity security: identity attack awareness (phishing / MFA bombing / token theft / OAuth consent phishing / Golden SAML), passwordless migration strategy, MFA hardening. System design for IAM: design enterprise SSO architecture on a whiteboard, design CIAM for millions of users, design Zero Trust identity architecture, design privileged access workflows. Compliance frameworks: SOC 2 + ISO 27001 + SOX (access controls) + PCI-DSS + 152-FZ + 187-FZ — access certification + audit support. Soft: ADRs writing for IAM decisions, technical writing (IAM architecture docs), cross-team collaboration (Security / IT / Backend / DevOps / HR teams — IAM touches everyone), executive communication (identity strategy to CISO / CIO), mentoring Middle IAM Engineers. English for Senior+ MUST — protocols specs (SAML / OAuth / OIDC RFCs) + vendor docs (Okta / Microsoft / SailPoint / CyberArk) + community (IDPro / Identiverse) are English-language. Certifications: Okta Certified Consultant / Developer, Microsoft SC-300, SailPoint / CyberArk certifications, CIDPRO (vendor-neutral). Optional bonus: open-source contributions to IAM tools (Keycloak / Ory / OpenFGA / Authentik), conference talks (Identiverse / EIC), authorization specialty depth (OpenFGA / SpiceDB — rising rare skill) — sharply increase market value for frontier-IAM companies (Okta / WorkOS / Authzed) hiring.
Methodology
- Data period: in the hero and copy — the last 3 months. In the charts — the full available observation period (since parsers were launched, usually 2-3 months).
- Data is collected automatically from 1000+ sources — Telegram channels and job boards across CIS and Europe.
- Only live open jobs with a clear description are counted. Spam and duplicates are filtered out.
- Salaries are converted to USD/month at the current rate. Outlier values (<500 or >50K) are filtered out.
- Levels are normalized: Mid → Middle, Intern/Trainee → Junior, Principal/Staff/Expert → Lead.
- The first 2 weeks of data (parser ramp-up period) are not shown in the charts.
- Data is recomputed every day.
Authorship and citation
Analytics prepared by Zorky Research Team. Last updated: May 29, 2026 at 6:30 PM.
Data sources and methodology
Data is collected automatically from 1000+ sources — Telegram job channels and job boards across CIS and Eastern Europe (HH, Habr Career, Djinni, DOU, NoFluffJobs, JustJoin.it, Pracuj.pl and others). Parsing runs 24/7, duplicates are filtered by description and URL, salary outliers are stripped. Detailed methodology — on the "How it works" page.
Zorky CRM (2026). IAM in IT: CIS and Europe market. Accessed: 5/29/2026. URL: https://zorky.tech/en/research/security