Authorization management in 2025: why AI and NHI changed the model

At a glance

What this is: Cerbos frames 2025 as the year authorization moved from static policy enforcement to runtime control for humans, NHIs, and AI-driven systems.

Why it matters: That matters because IAM teams now have to govern permissions that change with context, scale, and execution speed across both machine and human identity programmes.

By the numbers:

• 4x in 2025.
• Cerbos shipped 11 PDP updates and more than 20 product releases in total.
• Cerbos published 130+ guides helping engineers and security leaders understand emerging security risks.

👉 Read Cerbos' 2025 update on authorization management, AI, and NHI adoption

Context

Authorization is the control plane that decides what an identity can do at runtime, not just whether it can sign in. In 2025, the problem shifted because AI agents, MCP servers, and non-human identities started making or inheriting access decisions faster than static role models and human review cycles can govern.

Cerbos' own account shows how enterprise authorization is being pulled in two directions at once: broader adoption in regulated environments and a new need to govern machine-speed access. That is a familiar IAM pattern with a new failure mode, because the same policy model now has to cover humans, service accounts, and agentic systems without collapsing into ad hoc exceptions.

Key questions

Q: How should security teams govern AI agent authorization in enterprise systems?

A: Security teams should govern AI agent authorization with runtime policy evaluation, not static roles alone. The key is to decide access using context such as tool, tenant, dataset, and session state, then log every decision for review. That approach works only if policy lifecycle management is versioned and tested like code.

Q: Why do non-human identities complicate least-privilege design?

A: Non-human identities complicate least privilege because they often inherit permissions across services, workflows, and environments that were never designed around a single accountable user. The result is hidden privilege accumulation and unclear ownership. Teams need a single entitlement model that covers service accounts, workloads, and agents consistently.

Q: What breaks when authorization is still handled through static RBAC for AI systems?

A: Static RBAC breaks when access decisions depend on runtime context that roles cannot express, such as which tool an agent is calling or which dataset it is touching. The result is overbroad access or brittle exceptions. Practitioners should evaluate whether their policy model can change with execution, not just with provisioning.

Q: How do teams know if authorization controls are actually working?

A: Teams know authorization controls are working when every decision is auditable, policy changes are versioned, and denied or allowed access can be explained after the fact. If access is technically granted but cannot be traced to a policy version and request context, the control is not operationally governable.

Technical breakdown

Runtime authorization for AI agents and MCP servers

Runtime authorization evaluates each access request in context instead of assuming that a role or token tells the full story. For AI agents and MCP servers, that matters because tool choice, dataset choice, and action timing can vary within a single workflow. Static RBAC alone cannot express those changing conditions, especially when access is delegated across APIs and services. Cerbos' framing points to policy evaluation at the moment of use, with decision logs and policy versioning providing traceability after the fact. The technical issue is not just identity proof, but whether authorization can keep pace with contextual execution.

Practical implication: move sensitive AI and workload decisions into runtime policy evaluation, not pre-baked role assignment.

Policy lifecycle management at enterprise scale

Policy lifecycle management treats authorization rules like governed software, not static configuration. That means creating, testing, reviewing, deploying, and auditing policies through controlled workflows so changes are traceable and reversible. Cerbos describes Git-based workflows, programmatic policy updates, and per-tenant policy stores as part of that model. The architecture challenge is scale: one policy set may need to behave differently across tenants, environments, and use cases without duplicating logic or creating drift. In regulated environments, lifecycle discipline is what turns authorization from a developer convenience into an auditable control.

Practical implication: manage authorization policies through versioned workflows, with testing and approvals before promotion.

Least privilege for non-human identities

Least privilege for non-human identities is harder than for humans because the subject is often a service, agent, or workload that never logs in the way a person does. These identities accumulate inherited permissions, long-lived access, and hidden dependencies across systems. Cerbos' argument is that organizations need a single permission model that can govern human and non-human identities together without treating NHI access as an exception. The technical gap is consistency: if policy is enforced differently across services, the attack surface becomes the inconsistency itself.

Practical implication: map machine identities into the same authorization governance model you use for human access.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Authorization is becoming an identity governance layer, not just an application control. The Cerbos story reflects a broader shift we see across the market: access decisions are moving out of application code and into runtime policy systems because identity sprawl now spans humans, service accounts, and AI-driven actors. That matters because authorization is no longer a narrow permission check. It is the point where identity, context, and operational risk meet, which makes it central to both NHI governance and human IAM design.

Static role models are collapsing under agentic and machine-speed access. RBAC was designed for relatively stable subjects and predictable entitlement patterns. That assumption weakens when agents, MCP servers, and automated workflows make repeated context-dependent decisions inside a single workflow. The result is not just more risk. It is a model mismatch that leaves teams trying to govern dynamic behaviour with static abstractions. Practitioners should treat policy expressiveness as a governance requirement, not a platform preference.

Runtime policy, auditability, and policy versioning are now the control surface for enterprise authorization. Cerbos' emphasis on decision logs, Git-based policy workflows, and tenant-specific policy stores maps to where the market is heading. Enterprises need proof of who was allowed to do what, under which policy version, and why. That is especially relevant in regulated environments, where authorization must be reviewable and explainable across distributed systems. The practitioner conclusion is clear: if you cannot audit the decision, you cannot reliably govern the identity.

Identity blast radius is the right concept for AI and NHI authorization risk. When a single overprivileged agent or workload can fan out across datasets and services, the real problem is not only access excess. It is how far one credential or policy error can travel before detection. That concept helps connect authorization design with incident containment, because every extra permission expands the blast radius of failure. Security teams should evaluate authorization by the damage a single decision can amplify, not just by whether the policy is technically correct.

Enterprise authorization is converging across human, NHI, and AI use cases. The market is moving toward unified control planes because the same governance issues repeat across actor types: entitlement sprawl, policy drift, and weak traceability. The difference is that AI and machine identities compress time, making those governance failures harder to spot and harder to unwind. Practitioners should expect authorization management to sit closer to identity governance, PAM, and application security rather than remaining a niche application-layer function.

From our research:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
• Also from our research: Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably see where machine access is accumulating, according to the Ultimate Guide to NHIs.
• For a related NHI lifecycle angle: Review the NHI Lifecycle Management Guide for the operational lifecycle controls that keep authorization decisions aligned with provisioning, rotation, and offboarding.

What this signals

Identity blast radius: the next authorization problem is not whether a system can make a decision, but how far one decision can travel before it is contained. As AI-driven access and distributed workloads grow, teams need to design for limited fan-out, policy traceability, and revocation speed across both human and non-human identities.

Cerbos' 4x demand growth is a signal that authorization is being pulled into the centre of IAM and application security planning, not left as an implementation detail. That aligns with the NIST Cybersecurity Framework 2.0 emphasis on govern and protect functions, especially where runtime access decisions must be explainable across environments.

For practitioners, the near-term watchpoint is whether policy governance can scale without creating policy sprawl. If versioning, testing, and auditing are not built into the authorization pipeline, machine identities and AI agents will force the exception process to become the de facto control model.

For practitioners

• Separate runtime policy from static role assignment Move high-risk access decisions into context-aware policy evaluation so humans, services, and AI-driven workflows are judged on current conditions rather than inherited entitlements. This is especially important where access to sensitive datasets or tools changes during execution.
• Version and test authorization policies before promotion Treat policy changes like code changes, with review, testing, and rollback paths before deployment. Use Git-based workflows or equivalent controls to preserve traceability across environments and tenants.
• Unify governance for human and non-human identities Map service accounts, workloads, and AI agents into the same entitlement review and exception process used for human access. That reduces hidden privilege differences and makes audit findings easier to reconcile.
• Measure authorization by blast radius, not only by correctness Assess how far one misconfigured permission can propagate across systems, datasets, and tools. Prioritise controls that limit fan-out, preserve audit trails, and make denied decisions visible for investigation.

Key takeaways

• Authorization is no longer a narrow app-layer decision because AI systems and NHIs now need runtime governance.
• Cerbos' 2025 growth story reinforces the scale of the problem, with 4x platform demand and repeated pressure to govern dynamic access.
• The practical response is to treat policy lifecycle, auditability, and least privilege as a single control plane across humans and machines.

Key terms

• Runtime Authorization: Runtime authorization is the practice of deciding access at the moment a request is made, using current context rather than only a pre-assigned role. It is essential where agents, workloads, and distributed services change behaviour during execution and need auditable decisions.
• Policy Lifecycle Management: Policy lifecycle management is the controlled creation, testing, review, deployment, and retirement of authorization policies. In enterprise environments, it turns access rules into governed assets with version history, traceability, and rollback capability.
• Identity Blast Radius: Identity blast radius is the amount of damage one overprivileged identity or authorization mistake can cause before it is detected or contained. It helps teams evaluate access not only by correctness, but by how far a bad decision can propagate across systems.
• Non-Human Identity: A non-human identity is a machine or software identity used by services, workloads, tokens, certificates, bots, or AI agents to authenticate and act. Unlike human users, these identities often run continuously, accumulate permissions quickly, and create governance gaps when ownership is unclear.

Deepen your knowledge

Authorization management for AI agents and non-human identities is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building runtime access governance across mixed identity types, it is worth exploring.

This post draws on content published by Cerbos: A year of growth, focus, and enterprise adoption. Read the original.