Lead Architect (Policy as Code & Cloud Governance)
- Location: Toronto, ON – Hybrid
- Pay Rate: $120/hr
- Contract Length: 7 Months
We at Raise are hiring a Lead Architect (Policy as Code & Cloud Governance) for one of our top clients. After establishing themselves as an industry leader, they’re now expanding their team to meet rising demand. We’re hiring right now; if you’re interested, apply below for your chance to join a great place to work.
Responsibilities:
Architecture & Technical Leadership
- Own the target architecture for the enterprise Policy as Code platform, including:
  - OPA Control Plane (OCP) / Enterprise OPA (EOPA)
  - Policy lifecycle management, versioning, distribution, and auditability
  - CI/CD and Terraform Cloud Run Task integrations
- Define and govern architecture standards, patterns, and principles for PaC on Google Cloud Platform.
- Lead architectural decision-making and maintain Architecture Decision Records (ADRs) with full traceability.
- Ensure designs are scalable, modular, cloud-agnostic, and aligned with enterprise governance constraints.
Governance & Compliance Enablement
- Design and implement the PaC governance model, including:
  - Policy ownership and domain boundaries (Security, IAM, network, and Organizational)
  - Contribution, review, approval, and escalation workflows
  - Enforcement modes (advisory vs hard) and promotion lifecycle
- Ensure alignment with financial services regulatory requirements and internal controls (e.g., auditability, traceability, segregation of duties).
- Support architecture and security governance forums (eARB, Security Advisory, TRA), including preparation of required artifacts.
Platform & Framework Design
- Architect a modular PaC framework, including:
  - Reusable Rego libraries and shared data contracts
  - Cloud abstraction layers (provider-agnostic vs. provider-specific policies)
  - Standardized repository and bundle structures
- Define policy authoring, testing, enforcement, and release pipelines, including:
  - Rego unit and regression testing (opa test)
  - CI/CD-integrated validation and enforcement
  - Terraform Cloud Run Task governance
  - Impact analysis and decision log-based backtesting
- Ensure policy enforcement is deterministic, auditable, and production-faithful.
Integration & Automation
- Architect CI/CD and automation patterns using GitHub Actions, including reusable workflows and onboarding automation.
- Define integration approaches for:
  - Terraform Cloud
  - Kubernetes admission control (OPA Gatekeeper)
  - Centralized decision logging and observability (e.g., Cloud Logging, BigQuery)
  - External enterprise systems via secure data bridge patterns
- Ensure strong separation between policy logic and enterprise system integrations.
Migration & Enablement
- Define migration strategies to transition legacy Terraform Cloud / OPA policies into the new PaC framework with functional equivalence.
- Oversee controlled rollouts and enforcement promotion strategies to minimize operational risk.
- Lead knowledge transfer, documentation strategy, and operational readiness to enable client teams to independently operate the platform.
Leadership & Collaboration
- Provide technical leadership to platform engineers, policy engineers, and DevSecOps specialists.
- Act as the primary technical escalation point for complex design or enforcement issues.
- Translate business and compliance requirements into clear, actionable technical designs.
- Foster strong collaboration between architecture, security, platform, and delivery teams.
Required Skillsets & Experience
Core Technical Expertise
- Policy as Code & OPA
  - Deep experience with Open Policy Agent (OPA) and Rego
  - Hands-on knowledge of Enterprise OPA (EOPA) capabilities (impact analysis, decision logging, bundle lifecycle)
- Infrastructure as Code
  - Strong experience with Terraform and Terraform Cloud
  - Terraform Cloud Run Tasks (design, enforcement, governance)
- CI/CD & Automation
  - GitHub Actions (advanced workflows, reusable workflows, automation patterns)
  - Pipeline-integrated validation and policy enforcement
- Cloud Platforms
  - Strong experience with GCP in regulated environments
  - Kubernetes policy enforcement (OPA Gatekeeper)
- Observability & Auditability
  - Policy decision logging, ingestion, analytics, and reporting
  - Designing immutable, auditor-friendly evidence pipelines
Architecture & Governance
- Proven experience leading enterprise architecture designs in regulated industries
- Strong understanding of:
  - Governance models
  - Segregation of duties
  - Audit and compliance requirements
- Experience producing architecture artefacts:
  - C4 diagrams, data flows, process flows
  - ADRs and architecture review submissions
Domain & Industry Experience
- Experience delivering cloud platforms for financial services or regulated enterprises
- Familiarity with:
  - Banking security posture expectations
  - Compliance-driven SDLC controls
  - Risk and control validation processes
Leadership & Soft Skills
- Strong technical leadership and mentoring capabilities
- Ability to influence without authority across multiple stakeholder groups
- Excellent written and verbal communication skills
- Comfortable engaging architecture boards, security teams, and executive stakeholders
Nice to Have / Preferred
- Experience with:
  - Terratest and infrastructure-level policy validation
  - Release automation and promotion pipelines
  - Decision replay and regression analysis
- Background in DevSecOps or platform engineering at scale
- Experience designing policy frameworks used by multiple lines of business.
Looking for meaningful work? We can help!
Raise is an established hiring firm with over 65 years of experience. We believe strongly in making the world a better place through work, which is why we’re a certified B Corporation and donate 10% of our profits to charity.
We strive to build teams that reflect the diversity of the communities we work in. We encourage all qualified applicants to apply, including people from traditionally underrepresented groups such as women, visible minorities, Indigenous peoples, people identifying as LGBTQ2SI, veterans, and people with visible/nonvisible disabilities.
We have a dedicated webpage for accommodations where you can learn more about what we offer, and request accommodation: https://raise.jobs/accommodations/
In order to submit candidates for roles, our clients will sometimes require personal information to confirm the identity of applicants and their legal status to work. Raise will never ask you for personal or banking information unless you have been selected for a job. If you are ever unsure about the legitimacy of this or another job posting by Raise (or have any other questions), please contact us at +1 800-567-9675 or hello@raiserecruiting.com