TL;DR: Authorization is the feature B2B SaaS teams rebuild repeatedly as customers move from simple permission checks to nested resources, custom roles, policy engines, and agent access, according to WorkOS's ERC 2025 recap. The governance problem is no longer just access design but keeping authorization aligned with enterprise hierarchy, identity provider automation, and AI-driven requests without breaking least privilege.
At a glance
What this is: This is an analysis of why authorization becomes harder at each stage of SaaS growth, with AI agents and enterprise hierarchy turning access control into a multi-dimensional governance problem.
Why it matters: It matters because IAM teams increasingly need to govern application authorization patterns that span human users, service-like automation, and AI agents without letting permission models drift out of control.
👉 Read WorkOS's ERC 2025 recap on authorization at scale
Context
Authorization in modern SaaS is no longer a simple yes-or-no access check. As applications add organizations, groups, nested resources, policy conditions, and delegated agent actions, the permission model becomes part of the product architecture itself. That is why enterprise buyers push authorization requirements into identity systems and expect the application to respect those controls consistently.
For IAM, PAM, and NHI programmes, this creates a practical governance problem: the same access model must work for people, machine-driven automation, and agent-like execution paths without allowing privilege to expand beyond intent. The challenge is not only enforcement at login, but preserving least privilege as the application adds new resource types and decision layers.
Key questions
Q: How should security teams govern authorization when applications add nested resources?
A: Security teams should model authorization around resource boundaries, inheritance rules, and override paths instead of assuming flat RBAC will hold. Once users can belong to multiple groups or access multiple workspaces, the control problem becomes relational. The key test is whether the application can explain why a user has access in one context and not another.
Q: Why do AI agents need separate authorization boundaries from the users they represent?
A: AI agents can execute actions faster than humans can review them, so inheriting a user’s full permission graph creates unnecessary blast radius. Agents should receive only the scope required for the task, and they should be blocked from self-escalation, token minting, and credential changes. That separation preserves accountability and limits damage if the agent behaves unexpectedly.
Q: What breaks when policy-based access controls are layered on top of static roles?
A: What breaks first is consistency. Static roles define baseline access, but policy layers can override or condition that access based on context such as time, location, or business events. If the application does not keep policy state, workflow state, and resource state aligned, users can see contradictory outcomes across different code paths.
Q: How do teams know if their authorization model is too brittle for enterprise customers?
A: A brittle model shows up when every new org structure, subsidiary, or resource type requires a rewrite or a long exception list. If product teams keep adding one-off logic to satisfy enterprise deals, the authorization layer is no longer scaling with the business. The signal is repeated rework, not just more permissions.
Technical breakdown
From atomic roles to multi-dimensional permission graphs
Early authorization models usually start with simple role checks. As products add organizations, groups, and nested resources, the model shifts from a flat assignment list to a graph where access depends on both identity and resource context. Role inheritance, group membership, and explicit overrides create edge cases that basic RBAC cannot resolve cleanly. This is why many platforms move toward resource-scoped RBAC or ReBAC, where permissions are evaluated against relationships between users, objects, and organizations. The architecture change is not cosmetic. It determines whether the product can represent enterprise reality without endless exceptions.
Practical implication: Map where your current model breaks once access depends on resource context, not just user role.
Policy engines turn authorization into runtime decisioning
Once customers need conditions like location, time, or business event windows, authorization becomes ABAC-style policy evaluation rather than a static entitlement lookup. A policy engine introduces decision logic that evaluates attributes, context, and sometimes manual overrides before allowing an action. That adds flexibility, but also synchronization overhead because policy, workflow, and application state must stay aligned. In practice, this is where teams discover that authorization is not only a control layer. It becomes a runtime system with failure modes around drift, stale context, and inconsistent enforcement across products and APIs.
Practical implication: Treat policy logic as part of the application’s control plane and test for drift between policy state and app state.
AI agents should not inherit a user's full permission graph
When an application allows an agent to act on behalf of a user, the agent becomes a distinct actor with its own authorization boundary. The agent may need to perform user-scoped tasks, but it should not inherit the user’s entire access graph, because machine-speed execution compresses the time available for review and correction. The right pattern is scoped, just-in-time privilege with hard prohibitions on self-escalation, token minting, credential changes, or role changes. This is an authorization design problem, not just an AI feature problem.
Practical implication: Define separate access boundaries for agents and block any path that lets them expand their own privileges.
Threat narrative
Attacker objective: The objective is unauthorized access to actions, data, or administrative paths that should remain outside the actor’s intended authorization scope.
- Entry occurs when an application exposes a user-facing or agent-facing action path that accepts delegated access without a properly scoped authorization model.
- Escalation happens when group inheritance, nested resources, or policy overrides let the actor exceed the intended resource boundary or privilege boundary.
- Impact is enterprise-scale overreach, where users, automations, or agents can act in contexts they should not reach, undermining trust in the application’s access model.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authorization is no longer a feature layer, it is a governance surface. Once access rules are embedded across organizations, nested resources, policy engines, and delegated agents, authorization shapes the product itself. That means identity governance cannot stop at login or directory sync. Practitioners need to treat application authorization as part of the broader identity control plane, not a separate developer convenience.
Least privilege defined at provisioning time breaks down when the resource graph keeps changing. Static access decisions were designed for stable roles and known boundaries. That assumption fails when the actor must traverse organizations, workspaces, projects, and policy conditions in one application. The implication is that entitlement design has to be aligned to runtime context, not only to initial assignment.
Agent access without permission isolation creates identity blast radius. The article’s agent model is a useful warning for both NHI and autonomous governance. When a non-human actor can act quickly, inherit broadly, and interact with tokens or credentials, the impact of one weak boundary multiplies across the application. Practitioners should read this as a sign that delegated execution needs a separate authorization model from human access.
Custom roles and policy overrides prove that enterprise authorization is a lifecycle problem. The need to add, inherit, and revise roles over time is not a niche implementation detail. It is the normal state of enterprise software. That aligns with OWASP-NHI and NIST CSF thinking: access structures must be governed through continuous change, not point-in-time design. Teams that cannot model this drift will keep rebuilding authorization under pressure.
Named concept: identity blast radius. This article shows how one poorly bounded authorization decision compounds across nested resources, inherited roles, and delegated agent actions. The broader the graph, the more a single access flaw becomes an enterprise-wide exposure. That is the core governance lesson for practitioners: keep the blast radius small before the product architecture makes it impossible to do so later.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- For a broader identity baseline, see NHI Lifecycle Management Guide for how lifecycle governance changes when access must be provisioned, rotated, and retired continuously.
What this signals
Identity blast radius is the right lens for this topic. As authorization graphs grow more dimensional, the cost of a single bad access decision rises because inheritance, overrides, and delegated execution multiply the paths to misuse. Teams should expect authorization to become a core governance dependency, not an application-side implementation detail.
As applications add agent-driven workflows, the practical question is whether the control model still assumes a human-paced decision loop. The moment it does, least privilege stops being a one-time design choice and becomes a runtime discipline. That is where IAM, PAM, and application security teams have to align on shared boundaries.
The operational signal to watch is rework. If every enterprise deal triggers another authorization redesign, the programme is already behind the product architecture. That is the point to anchor policy design to the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs and the NIST Cybersecurity Framework 2.0 functions for govern, protect, and detect.
For practitioners
- Inventory authorization by boundary, not by feature Map where your application shifts from flat role checks to organization, group, workspace, and resource-scoped access. Use that inventory to find places where the permission model no longer matches the product model.
- Separate human and agent access paths Give agents their own scoped entitlements and block any path that lets them mint tokens, change credentials, or elevate roles. Treat delegated execution as a distinct identity class, not a reused user session.
- Test policy drift across nested resources Build tests that simulate role inheritance, explicit overrides, and policy conditions across child and parent resources. Validate that access decisions stay consistent when the same user appears in multiple organizational contexts.
Key takeaways
- Authorization grows from a simple permission check into a product-wide governance surface as enterprise complexity increases.
- The pressure point is not just scale, but the shift from static roles to nested resources, policies, and delegated agent access.
- Teams that cannot model authorization drift early will keep rebuilding the control plane instead of governing it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Authorization drift and secret-related access boundaries are central to this article. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must stay aligned to changing enterprise roles and resource boundaries. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust requires continuous, context-aware authorization rather than static trust. |
Review non-human access paths for overbroad entitlements and tie changes to lifecycle governance.
Key terms
- Authorization Graph: An authorization graph is the relationship model that determines who can do what across users, groups, resources, and contexts. In enterprise software, it replaces flat role checks with connected rules that must evaluate inheritance, overrides, and resource scope together.
- Resource-Scoped Access: Resource-scoped access limits permissions to a specific object, workspace, project, or tenant boundary instead of granting broad application-wide rights. It is the practical answer when enterprise customers expect access to follow organizational structure and nested responsibility.
- Delegated Agent Access: Delegated agent access is a model where a non-human actor performs actions on behalf of a user or system under constrained permissions. The agent should receive only the narrow scope needed for the task, not the user’s full standing access.
Deepen your knowledge
Authorization at scale is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are translating complex access models into governance controls, it is a practical place to start.
This post draws on content published by WorkOS: The Feature You'll Rebuild Three Times, Authorization at Scale. Read the original.
Published by the NHIMG editorial team on 2025-10-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
