By NHI Mgmt Group Editorial Team | Published 2026-02-09 | Domain: Governance & Risk | Source: P0 Security

TL;DR: Teams can often explain who logged in and how systems were reached, but still cannot prove what users could do inside production tenants once access was granted, according to P0 Security. The real control gap is authorization, not authentication, because incident review, audit evidence, and least-privilege enforcement all depend on scoped, revocable access.


At a glance

What this is: This analysis argues that secure access is now an authorization problem, not just a login problem, because teams often cannot prove what a user or service could do after authentication.

Why it matters: For IAM practitioners, the gap affects human, NHI, and agentic access models alike because production risk now depends on scoped privilege, revocation, and evidence, not just successful sign-in.

👉 Read P0 Security's analysis of why authorization, not login, is the real access gap


Context

Access control is not a single decision. In practice it splits into connectivity, authentication, and authorization, and most programmes are strongest in the first two layers. This post focuses on the authorization gap that appears when a person, service, or agent is already inside production and teams still cannot explain the allowed actions, duration, or revocation path.

That gap matters across human IAM, NHI governance, and emerging agentic access models because the operational question is the same: what can the identity actually do once access is granted? Security teams that only optimise login controls end up with weak evidence, standing privilege, and brittle incident response when production access becomes urgent.


Key questions

Q: How should security teams govern production access beyond login controls?

A: Security teams should govern production access by separating authentication from authorization and proving what each identity can do after sign-in. That means time-bound privilege, explicit scope, revocation triggers, and auditable evidence of access state. Without those controls, production access becomes a reconstruction exercise during incidents and audits.

Q: Why do standing privileges create so much risk in production environments?

A: Standing privileges create risk because they outlive the reason they were granted, which weakens least privilege and makes incident response harder. When access persists indefinitely, teams lose a clean picture of who could perform sensitive actions at a given moment. That increases blast radius and obscures accountability.

Q: What do security teams get wrong about access reviews?

A: They often review identity possession instead of action scope. A login review can confirm that an account exists and was used, but it does not prove which production actions were allowed, whether those rights were appropriate, or whether they were revoked on time. Effective reviews must inspect entitlement boundaries, not just account status.

Q: Who is accountable when production access cannot be explained after an incident?

A: Accountability sits with the governance model that allowed unclear scope and weak revocation, not just with the individual operator. If an organisation cannot explain what was permitted during the incident window, its access programme failed to preserve evidence and control. Frameworks such as the OWASP Non-Human Identity Top 10 help teams harden that governance for non-human access.


Technical breakdown

Connectivity, authentication, and authorization are different controls

Connectivity answers whether the system can be reached. Authentication answers whether the caller is the claimed identity. Authorization is the enforcement layer that determines which actions are permitted, in which scope, and for how long. Many programmes treat these as one control surface, but they fail differently: strong MFA and a well-run identity provider prove who arrived, not that the arrival can only act within the intended production boundary. In high-pressure environments, authorization is usually assembled from roles, tickets, exceptions, and manual approvals, which makes it far harder to audit than login, where the identity provider holds a single authoritative record. Access governance and sign-in governance therefore need to be measured independently.

Practical implication: map access controls to what identities can do after login, not just how they authenticate.

Standing privilege turns production access into an evidence problem

Standing privilege is access that remains in place after the reason for it has passed. In production systems it creates a second problem beyond overreach: it destroys evidentiary clarity. If access persists, incident review has to reconstruct who held what authority from logs, chat, and approvals instead of reading a current entitlement state. That is why temporary exceptions become permanent risk. The identity provider may still be healthy, but the effective authorization state can no longer be read directly from the system; under pressure it has to be inferred, and different reviewers will infer it differently.

Practical implication: reduce persistent production entitlements and make every exception time-bound, scoped, and traceable.

Authorization must be revocable in real time, not reconstructed later

A mature access model is not defined by whether access was granted cleanly. It is defined by whether the scope can be enforced during the session and withdrawn when the need disappears. That matters for humans, service accounts, and AI agents alike: each holds privileged access in a different operational form, but the governance requirement is the same. If revocation depends on after-the-fact cleanup, the control is already late, because the window between the need ending and the cleanup running is unbounded and unobserved. Security teams should think in terms of enforcement windows, not just approval records.

Practical implication: build access paths that can be narrowed and revoked while the task is still active.
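The three points in this breakdown (authorization measured separately from sign-in, no standing privilege, and revocation that takes effect during the session) can be made concrete in a small entitlement model. The Python below is an added illustration written for this page, not code from P0 Security or NHI Mgmt Group. The `Grant` and `EntitlementStore` names, the eight-hour maximum TTL policy, and the identities, resources, and timeline are assumptions constructed for the example.

```python
"""Scoped, time-bound production entitlements with live revocation and a
queryable entitlement state. Added example for this page; not code from
P0 Security or NHI Mgmt Group. Names, policy values and the timeline are
illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_TTL = timedelta(hours=8)  # assumed policy: no production grant outlives a shift


@dataclass
class Grant:
    grant_id: str
    principal: str        # human, service account, or agent identity
    resource: str         # e.g. "prod/orders-db"
    actions: frozenset    # explicit scope, e.g. {"read"}
    owner: str            # accountable approver
    purpose: str          # ticket or reason the grant exists
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None
    revoke_reason: str = ""

    def active_at(self, at: datetime) -> bool:
        """Authority exists only inside [granted_at, min(expires_at, revoked_at))."""
        end = self.expires_at if self.revoked_at is None else min(self.expires_at, self.revoked_at)
        return self.granted_at <= at < end


class EntitlementStore:
    def __init__(self) -> None:
        self.grants: dict[str, Grant] = {}
        # (time, principal, resource, action, allowed, grant_id): the evidence trail
        self.decisions: list[tuple] = []

    def grant(self, grant_id, principal, resource, actions, *, owner, purpose, at, ttl) -> Grant:
        """Every grant is scoped, time-bound, owned and justified, or it is refused."""
        if ttl > MAX_TTL:
            raise ValueError(f"{grant_id}: ttl {ttl} exceeds policy maximum {MAX_TTL}")
        if not owner or not purpose:
            raise ValueError(f"{grant_id}: a grant needs a named owner and a purpose")
        g = Grant(grant_id, principal, resource, frozenset(actions), owner, purpose, at, at + ttl)
        self.grants[grant_id] = g
        return g

    def revoke(self, grant_id: str, at: datetime, reason: str) -> None:
        """Live revocation: the next authorize() call observes the change."""
        g = self.grants[grant_id]
        if g.revoked_at is None:
            g.revoked_at, g.revoke_reason = at, reason

    def authorize(self, principal, resource, action, at) -> tuple[bool, str]:
        """Per-request decision against current state; every decision is recorded."""
        for g in self.grants.values():
            if (g.principal == principal and g.resource == resource
                    and action in g.actions and g.active_at(at)):
                self.decisions.append((at, principal, resource, action, True, g.grant_id))
                return True, g.grant_id
        self.decisions.append((at, principal, resource, action, False, ""))
        return False, ""

    def state_at(self, principal, at) -> dict[str, set[str]]:
        """Incident-review question: what could this identity do at time `at`?"""
        state: dict[str, set[str]] = {}
        for g in self.grants.values():
            if g.principal == principal and g.active_at(at):
                state.setdefault(g.resource, set()).update(g.actions)
        return state


def demo() -> dict:
    """Walk a constructed timeline: scope, expiry, mid-session revocation, policy."""
    t0 = datetime(2026, 2, 9, 9, 0, tzinfo=timezone.utc)
    store = EntitlementStore()
    store.grant("g-1", "alice", "prod/orders-db", {"read"}, owner="oncall-lead",
                purpose="INC-2048 latency investigation", at=t0, ttl=timedelta(hours=2))
    out = {}
    out["read_in_scope"], _ = store.authorize("alice", "prod/orders-db", "read", t0 + timedelta(minutes=10))
    out["write_out_of_scope"], _ = store.authorize("alice", "prod/orders-db", "write", t0 + timedelta(minutes=10))
    out["read_after_expiry"], _ = store.authorize("alice", "prod/orders-db", "read", t0 + timedelta(hours=3))
    out["state_during_window"] = store.state_at("alice", t0 + timedelta(minutes=30))
    store.revoke("g-1", at=t0 + timedelta(hours=1), reason="INC-2048 closed")
    out["read_after_revoke"], _ = store.authorize("alice", "prod/orders-db", "read", t0 + timedelta(hours=1, minutes=30))
    out["state_after_revoke"] = store.state_at("alice", t0 + timedelta(hours=1, minutes=30))
    try:  # a "permanent" grant for a service account is refused by policy, not cleaned up later
        store.grant("g-2", "deploy-bot", "prod/orders-db", {"read", "write"}, owner="platform",
                    purpose="standing deploy access", at=t0, ttl=timedelta(days=30))
        out["standing_grant_rejected"] = False
    except ValueError:
        out["standing_grant_rejected"] = True
    out["decisions_recorded"] = len(store.decisions)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the design is that `authorize()` never consults an approval record; it consults the current grant state at request time, so narrowing or revoking a grant changes the very next decision. `state_at()` answers the incident-review question directly from that state rather than from logs, and the TTL check turns standing privilege from a cleanup task into a refused request.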


NHI Mgmt Group analysis

Authorization is the control plane that now determines whether identity governance is credible. Connectivity and authentication have become relatively standardised, but authorization still varies by environment, exception process, and operational urgency. That variation is why teams can say who logged in without being able to say what was actually permitted. The implication is that access programmes must be judged on enforceable scope, not on successful entry alone.

Standing privilege is the hidden failure mode behind most production access confusion. When privileges survive the incident, survive the ticket, and survive the engineer who needed them, the organisation no longer has a clean entitlement state. Logs and approvals become forensic substitutes for governance. Practitioners should recognise this as access-state drift, where the recorded permission set no longer matches the intended one.

Identity governance must cover human, NHI, and agentic access through the same authorization lens. The article’s core point is not about one actor type, but about how all actors become risky when scope is unclear and revocation is weak. Human engineers, service accounts, and autonomous systems all need provable bounds on what they can do in production. Practitioners should align governance to action scope, duration, and removal, not to login mechanics.

Control evidence matters as much as control design. A programme that cannot answer who could do what during an incident will struggle in audit, post-incident review, and board reporting. The best authorization model is the one that leaves an intelligible record of permitted actions without reconstructing the story from inboxes and chat threads. Practitioners should make evidence quality a first-class governance requirement.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why governance often outruns actual control quality.
  • For the broader identity picture, see Ultimate Guide to NHIs for lifecycle, visibility, and privilege control patterns.

What this signals

Authorization debt: the gap between what a team can prove about access and what it can actually enforce will become the next major identity governance problem. As production becomes more dynamic, organisations that still anchor control maturity to authentication quality will continue to miss the real failure point, which is scope.

With 32.4% of security budgets going to secrets management and code security in the State of Secrets in AppSec, teams are already spending heavily on adjacent controls while the authorization layer remains under-instrumented. The signal is clear: budget does not equal governance if scope and revocation are still manual.

Programmes should prepare for a shift from access approval records to action-level enforcement evidence. That means tying production entitlements to OWASP Non-Human Identity Top 10 style governance for non-human access and extending the same discipline to human operators and agentic workflows.


For practitioners

  • Separate authentication from authorization reviews: Assess whether your current controls can prove what an identity may do after login, not just that it authenticated successfully. Build separate review paths for sign-in assurance and permission scope, especially for production tenants and elevated workflows.
  • Eliminate standing production privilege where possible: Convert permanent elevated access into time-bound, task-scoped entitlement that expires when the operational need ends. Tie every exception to a named owner, a documented purpose, and a clear revocation trigger.
  • Instrument revocation as an operational control: Test whether access can be narrowed or removed while work is still in progress. If revocation depends on later cleanup, the programme is relying on post-incident housekeeping rather than enforceable authorization.
  • Standardise evidence for incident review and audit: Require current entitlement records, approval context, and access logs that show who could act during the relevant window. Do not rely on inboxes, screenshots, or chat threads as the primary source of truth.

Key takeaways

  • The main risk is not failed login but unclear authorization, which leaves teams unable to prove what an identity could do in production.
  • The evidence problem is real because persistent privilege and manual exceptions force incident review teams to reconstruct access from scattered artefacts.
  • Practitioners should shift governance toward scoped, revocable, and auditable access that can be enforced while work is still in progress.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding, NHI5 Overprivileged NHI, NHI7 Long-Lived Secrets | Revocation that never runs, scope wider than the task, and credentials that outlive their purpose are the standing-privilege failure described here.
NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 identifier was PR.AC-4) | Least-privilege enforcement depends on knowing what identities can do after authentication.
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, tenets 3 and 6 | Per-session access and dynamic, strictly enforced authorization match the article's core argument.

Review production access against PR.AA-05 and verify scope, duration, and revocation for every privileged path.


Key terms

  • Authorization: Authorization is the control decision that determines what an identity may do after it has been authenticated. In identity programmes it is the practical boundary between access and misuse, because it governs scope, duration, and allowed actions in production systems.
  • Standing Privilege: Standing privilege is persistent access that remains available beyond the moment it was needed. It creates governance debt because the organisation must later prove whether the privilege was still justified, instead of simply knowing it expired with the task.
  • Access Scope: Access scope is the defined set of systems, actions, and conditions an identity is allowed to use. Strong scope limits blast radius, but only if it is enforced during the session and can be removed when the operational reason for access ends.
  • Revocation: Revocation is the act of removing an identity's ability to continue using access that was previously granted. In mature programmes it is a live control, not a cleanup activity, and it must work quickly enough to matter during incidents and high-risk operations.

What's in the full article

P0 Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • How production authorization failures surface during incident review, including the evidence trail teams need to reconstruct access.
  • The distinction between connectivity, authentication, and authorization in live operational environments.
  • Why temporary privileges become permanent control debt when revocation is not embedded into the workflow.
  • Practical examples of how human, service, and agent access all depend on the same authorization model.

👉 P0 Security's full post covers the production access review problem, entitlement scope, and revocation evidence.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org