Enterprise Security Engineer

We are rebuilding biotech for the AI era.
When a breakthrough is delayed, the world waits. Getting a molecule from discovery to patients, or a crop from lab to field, involves thousands of slow, manual, disconnected steps. AI has the potential to change this, compressing decades of R&D work into years. But that only happens when clean, structured scientific data and AI are built into how science gets done.
Benchling is the AI platform for biotech R&D. Scientists use Benchling to design experiments, capture structured data, and run AI agents and models directly in their workflows. Over 200,000 scientists around the world trust Benchling to power their most important work, from academic labs to Sanofi, Moderna, and more than half of the world's top 50 biopharma.
We’re building an AI scientist for our customers. We can’t do that if we haven’t built the muscle ourselves. AI fluency is the foundation we build on; it's core to how we work, and we're committed to helping every new hire integrate it into their day-to-day. As part of our interview process, you'll complete a brief AI-focused exercise or discussion so we can understand how you think about and use AI to drive impact in your role. Feel free to reference any tools, platforms, or workflows you use today.

 As an Enterprise Security Engineer at Benchling you’ll be joining a team responsible for building a best-in-class security program from the ground up. Our focus is on providing value to the organization by emphasizing real world security and embracing automation and AI. We’re looking for engineers who are excited to apply their expertise to our mission of securing some of society's most sensitive data.

• Drive the organization's zero trust strategy end to end — treating identity, device health, network context, and application sensitivity as continuous inputs to access decisions rather than one-time gates

• Design and maintain least-privilege access patterns, Just-in-Time (JIT) access, and Privileged Access Management (PAM) controls

• Deploy, configure, and maintain MDM infrastructure for the macOS fleet, ensuring device compliance feeds directly into zero trust access policy decisions

• Enforce SSO-required policies, review and restrict OAuth scopes, and audit third-party integration access

• Build processes and tooling to detect shadow IT, unauthorized OAuth app grants, and SaaS tools that bypass identity controls

• Evaluate and deploy AI-native security tooling where it demonstrably reduces analyst burden or closes coverage gaps faster than traditional approaches

• Define and enforce security standards for AI agent and LLM service identities — including scoped API keys, short-lived credentials, and workload identity federation

• Develop and enforce CIS/NIST-aligned configuration baselines

• Meaningfully reduce manual toil through automation and, where applicable, AI-assisted tooling 

•  5+ years in a security engineering or IAM-focused role

• Deep, hands-on IdP expertise (preferably Okta) — SSO, SCIM, MFA, Lifecycle Management, and NHI management are all areas you can speak to with depth and demonstrate in practice

• Demonstrated experience implementing zero trust architecture in practice — not just familiarity with the framework, but hands-on delivery of continuous verification, device trust integration, and least-privilege enforcement across an organization

• Strong working knowledge of identity protocols: SAML, OIDC, OAuth 2.0, and SCIM

• Proficiency managing macOS endpoints at scale using Fleet or an equivalent MDM platform

• Foundational cloud IAM experience across at least one major provider (AWS, GCP, or Azure) — enough to audit, scope, and remediate identity issues

• Demonstrated track record of building automation that eliminated recurring manual work

• Scripting proficiency in in at least one language, preferably Python

• Excellent communication skills, with the ability to engage effectively with both technical teams and non-technical stakeholders.

• Strong understanding of operating systems fundamentals (MacOS/Linux/Windows)

Preferred

• Experience with ZTNA platforms (Cloudflare Access, Zscaler Private Access, Tailscale, or similar) and the operational patterns around replacing VPN with identity-aware access

• Hands-on use of AI coding assistants (Copilot, Claude, Cursor, or similar) to increase velocity

• Experience governing AI/ML service identities or securing LLM API integrations

• Familiarity with PAM solutions such as HashiCorp Vault, AWS Secrets Manager, or Okta Privileged Access

• Okta Certified Administrator, Okta Certified Consultant, or equivalent certification
  

#LI-CG1

Benchling welcomes everyone.

We believe diversity enriches our team so we hire people with a wide range of identities, backgrounds, and experiences.
We are an equal opportunity employer. That means we don’t discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. We also consider for employment qualified applicants with arrest and conviction records, consistent with applicable federal, state and local law, including but not limited to the San Francisco Fair Chance Ordinance.