TL;DR: PDP performance, JWT verification hardening, CEL path functions, and bug fixes that remove a risky verification cache and a query plan regression are the focus of Cerbos v0.52.0 and v0.53.0, according to Cerbos release notes. The lesson for IAM teams is that policy engines need both throughput headroom and token-handling discipline because decision quality, not just speed, is part of the control plane.
At a glance
What this is: Cerbos’ latest releases improve policy decision performance while tightening JWT handling and correcting several PDP edge cases.
Why it matters: This matters because policy engines sit on the request path for both human and non-human access, so latency, token verification, and observability changes can alter IAM control reliability.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Cerbos’ release notes on PDP performance, JWT hardening, and bug fixes
Context
Cerbos is tightening the parts of the policy decision path that many IAM teams treat as implementation detail, even though they directly shape how access requests are authorised in production. The primary issue here is not feature breadth, but whether the PDP can stay accurate, auditable, and performant as request volume and policy complexity increase.
For teams governing human users, service accounts, and API-driven workloads, the message is the same: access control quality depends on both the policy logic and the runtime mechanics behind it. A faster engine helps, but any change to token verification, observability attributes, or plan generation can also change how confidently teams can explain why a request was allowed or denied.
The new CEL path functions also remove a common source of brittle string handling in policy writing, which matters when rules need to reason over file or object-storage paths. That kind of policy expressiveness is useful, but only if teams keep validation, logging, and release discipline tight enough to avoid hidden drift between policy intent and runtime evaluation.
Key questions
Q: How should security teams handle JWT verification changes in a policy engine?
A: Treat JWT verification as part of the authorisation trust boundary, not a performance detail. Revalidate tokens on the request path, confirm downstream services do not reuse prior verification state, and test policy outcomes with both valid and tampered claims. The goal is to preserve decision integrity even when throughput tuning changes.
Q: When does PDP performance become an IAM governance issue?
A: It becomes a governance issue whenever latency or resource pressure changes whether policy is enforced consistently at production scale. If a policy engine cannot keep up, teams may be tempted to add shortcuts, cache trust, or defer validation. That is where operational tuning starts affecting control reliability.
Q: What should teams validate when policy languages add path functions?
A: Validate normalization, prefix matching, relative path handling, and platform-specific separators. New path functions can make policies easier to read, but they also make it easier to miss edge cases if test coverage is too narrow. Strong rule testing should prove that intended access is allowed and unsafe variants are denied.
Q: How do audit log changes help with policy rollout investigations?
A: They help by tying each decision to a specific policy version, commit hash, and bundle ID. That traceability lets teams compare behaviour before and after a rollout, isolate the exact artefact that changed, and explain why a request was allowed or denied without guesswork.
How it works in practice
PDP throughput and decision-path efficiency
A policy decision point, or PDP, evaluates an access request against policy and returns allow, deny, or a plan outcome. In this release, Cerbos says internal data structure work reduces decision generation time and lowers CPU and memory use under load. That matters because PDPs are often embedded in high-frequency application paths, where small inefficiencies multiply quickly. Better throughput does not change the access model, but it does determine whether policy enforcement remains viable at production scale, especially where many requests depend on claims, scopes, or resource attributes.
Practical implication: size the PDP for peak request volume and re-test latency after each policy or engine upgrade.
JWT verification cache removal and request trust
JWT verification caches trade cryptographic work for speed by reusing prior validation results. Cerbos removed its in-memory verified-token cache because a tampered token with the same signature as an already verified token could influence decisions that rely on token contents. The release notes frame this as a trust-boundary issue in the calling application model, not a public vulnerability, but the architectural lesson is broader: if policy decisions depend on token claims, optimisation layers must never weaken token authenticity guarantees. Performance shortcuts in identity evaluation can become policy integrity problems.
Practical implication: confirm every JWT is reverified on the request path and reserve caching for safe, non-authoritative metadata only.
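To make the trust-reuse problem concrete, here is an added illustration (not Cerbos code) of the risky pattern the release notes describe beside the authoritative check: a cache keyed on the signature alone hands back whatever payload arrives next to a previously verified signature, while recomputing the MAC on every request rejects it. The HS256 secret, the issuer and all tokens are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared HS256 secret for this example; a real PDP would hold the
# issuer's verification key. Every token below is minted inline.
SECRET = b"example-shared-secret"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(header, payload):
    return hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def mint(claims):
    """Issue an HS256 JWT (a stand-in issuer, not a Cerbos component)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(_mac(header, payload))}"

def verify(token):
    """Authoritative check: recompute the MAC over header.payload on every call."""
    header, payload, sig = token.split(".")
    if not hmac.compare_digest(_mac(header, payload), _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

class SignatureKeyedCache:
    """The removed pattern: remembers that a signature was once valid, then
    trusts whatever payload arrives beside that signature without re-checking."""
    def __init__(self):
        self._verified_sigs = set()

    def claims(self, token):
        _header, payload, sig = token.split(".")
        if sig not in self._verified_sigs:
            if verify(token) is None:
                return None
            self._verified_sigs.add(sig)
        # Cache hit: payload is decoded, but the signature is never re-bound to it.
        return json.loads(_b64url_decode(payload))

def tampered_fixture(token, new_claims):
    """Test fixture: same header and signature, different payload."""
    header, _payload, sig = token.split(".")
    return f"{header}.{_b64url(json.dumps(new_claims).encode())}.{sig}"
```

A policy test that feeds both a valid token and a same-signature tampered one through the decision path will flag any component that behaves like `SignatureKeyedCache`.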
CEL path functions and policy expressiveness
Common Expression Language, or CEL, is used to write policy conditions in a structured way. The new path functions let policy authors inspect and compare file paths directly, rather than stitching together string operations for base directories, extensions, or relative paths. That reduces brittle rule logic and makes policies easier to read, especially in systems that authorize access to file-like or object-storage resources. The trade-off is that richer expressions still need strong testing, because cleaner syntax can hide deeper mistakes in scope, normalization, or prefix-matching assumptions.
Practical implication: validate path-based rules against edge cases such as traversal, normalization, and cross-platform path formats before rollout.
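The edge cases above are easiest to pin down with a small rule test suite. This added example (Python, not Cerbos' CEL or its path functions, and a constructed tenant layout) contrasts a bare prefix match with a check that canonicalises the path first, and lists the inputs a suite should cover: traversal, the alice/alice2 prefix trap, relative paths, redundant separators and backslashes.

```python
import posixpath

# Constructed tenant layout for this example: a principal may read only objects
# under its own tenant directory. Both checks see the raw request path.
TENANT_ROOT = "/tenants"

def naive_allow(tenant, request_path):
    """Brittle string logic: a bare prefix match on the raw path."""
    return request_path.startswith(f"{TENANT_ROOT}/{tenant}")

def canonical(request_path):
    """Canonicalise before matching: unify separators, force an absolute path,
    and collapse '.', '..' and repeated slashes."""
    unified = request_path.replace("\\", "/")
    return posixpath.normpath("/" + unified.lstrip("/"))

def hardened_allow(tenant, request_path):
    """Allow only when the canonical path is the tenant directory or a
    component-wise descendant of it (no bare prefix match)."""
    path = canonical(request_path)
    root = f"{TENANT_ROOT}/{tenant}"
    return path == root or path.startswith(root + "/")

# Constructed edge cases a policy test suite should pin down for tenant "alice".
CASES = [
    ("/tenants/alice/report.csv", True),          # plain object in the tenant
    ("/tenants/alice/../bob/report.csv", False),  # traversal into another tenant
    ("/tenants/alice2/report.csv", False),        # prefix trap: alice vs alice2
    ("tenants/alice/report.csv", True),           # relative form of an allowed path
    ("/tenants/alice//./report.csv", True),       # redundant separators
    ("\\tenants\\alice\\..\\bob\\x.csv", False),  # backslash separators plus traversal
    ("/tenants/alice/..", False),                 # climbs out of the tenant entirely
]

def failing_cases(check):
    """Return the paths on which `check` disagrees with the expected outcome."""
    return [path for path, expected in CASES if check("alice", path) != expected]
```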
NHI Mgmt Group analysis
Policy engines are now part of the identity control plane, not just application plumbing. When a PDP sits on every request, its performance and token-handling choices shape the real-world enforcement boundary for both human and non-human identities. That means upgrade decisions are governance decisions, because the engine’s runtime behaviour can alter how reliably access policy is applied.
JWT verification cache removal is a control-integrity decision, not a cosmetic hardening change. The removed cache illustrates a familiar NHI failure mode: optimisation that assumes token state can be safely reused across requests. That assumption is weak in any request path where claims drive authorisation, and it becomes riskier as workloads scale and identities proliferate. Practitioners should treat this as evidence that identity decisions need fresh verification, not reused trust.
CEL path functions sharpen the policy authoring surface, but they also raise the bar for policy quality. Better path primitives reduce brittle string logic, yet they do not solve authoring mistakes around normalization, scope, or resource matching. In practice, richer policy languages help teams express intent more clearly, but only if testing and review are strong enough to catch subtle errors before they reach production.
Identity observability is only as useful as the artefacts attached to each decision. Version metadata, commit hashes, and bundle IDs in audit logs make it easier to tie a decision back to the exact policy state that produced it. That is essential when multiple bundles or environments coexist, because access governance fails when teams cannot prove which policy version made the call. The implication is straightforward: decision evidence must be traceable enough for post-rollout investigation.
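As an added illustration of the post-rollout comparison described here and in the Key questions above (not Cerbos code; the audit field names and log lines are constructed for this example), the following groups decisions by the artefact that produced them, reports which outcomes flipped between two bundles, and flags entries that cannot be tied to any artefact at all.

```python
import json

# Constructed audit entries in a schema assumed for this example; the real
# Cerbos audit log field names are not reproduced here. One JSON object per line.
AUDIT_LOG = """
{"req": "r1", "bundle_id": "b-100", "commit": "a1f3", "principal": "svc-billing", "resource": "invoice:42", "action": "read", "effect": "ALLOW"}
{"req": "r2", "bundle_id": "b-100", "commit": "a1f3", "principal": "svc-billing", "resource": "invoice:42", "action": "delete", "effect": "DENY"}
{"req": "r3", "bundle_id": "b-101", "commit": "c9e2", "principal": "svc-billing", "resource": "invoice:42", "action": "read", "effect": "ALLOW"}
{"req": "r4", "bundle_id": "b-101", "commit": "c9e2", "principal": "svc-billing", "resource": "invoice:42", "action": "delete", "effect": "ALLOW"}
{"req": "r5", "bundle_id": "b-101", "commit": "c9e2", "principal": "svc-billing", "resource": "invoice:43", "action": "read", "effect": "ALLOW"}
{"req": "r6", "commit": "c9e2", "principal": "svc-billing", "resource": "invoice:44", "action": "read", "effect": "ALLOW"}
"""

def parse(log_text):
    """Parse JSON-lines audit output into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def untraceable(entries):
    """Request ids that cannot be tied to a policy artefact (bundle plus commit)."""
    return [e["req"] for e in entries if not (e.get("bundle_id") and e.get("commit"))]

def decisions_by_artefact(entries):
    """Map (bundle_id, commit) -> {(principal, resource, action): effect}."""
    groups = {}
    for e in entries:
        if e.get("bundle_id") and e.get("commit"):
            key = (e["bundle_id"], e["commit"])
            groups.setdefault(key, {})[(e["principal"], e["resource"], e["action"])] = e["effect"]
    return groups

def rollout_diff(entries, before, after):
    """Decisions seen under both artefacts whose effect changed between them.
    `before` and `after` are (bundle_id, commit) tuples."""
    groups = decisions_by_artefact(entries)
    old, new = groups.get(before, {}), groups.get(after, {})
    return sorted((k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k])
```

The flipped `delete` decision in the sample is exactly the kind of change an investigation needs to pin to one bundle and commit rather than infer from timing.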
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after notification, which shows how slowly remediation can trail exposure in real environments.
- For the operational path from visibility to control, review Ultimate Guide to NHIs for rotation, offboarding, and lifecycle discipline.
What this signals
Policy engine changes are a reminder that identity governance depends on runtime truth, not just policy intent. If your organisation cannot trace which bundle, commit, or version produced a decision, then auditability is already weakened before the access review starts. That is especially relevant in environments where non-human identities multiply faster than human oversight can keep up.
Decision points now sit close to workload identity and service-account governance. When access policy is evaluated at high request rates, teams need to align policy design, token handling, and observability rather than treating them as separate workstreams. For a broader control baseline, align the governance model with the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs.
Policy expressiveness can expose a new concept we call policy-path drift. That is the gap between the resource path a policy author intended to protect and the path shape the runtime actually evaluates. Teams should watch for this when CEL or similar rule languages replace brittle string logic, because cleaner syntax does not eliminate authoring error.
For practitioners
- Re-benchmark PDP capacity after upgrading: Measure decision latency, CPU, and memory under production-like request volume before and after the release. Pay special attention to JWT-heavy paths and confirm the PDP has headroom without relying on cached verification shortcuts.
- Recheck token verification assumptions: Confirm that every request carrying JWT claims is revalidated on the authoritative path and that no downstream component treats reused token state as trusted evidence for policy decisions.
- Test path-based rules with normalization edge cases: Add coverage for absolute paths, relative paths, extension handling, and cross-platform separators so the new CEL path functions do not mask authorization errors in file or object-storage policies.
- Map audit fields to rollback and investigation needs: Record which dashboards, alerts, and trace queries depend on renamed OpenTelemetry attributes, then update them before rollout so decision evidence remains usable after the upgrade.
Key takeaways
- Cerbos’ latest releases show that PDP performance, JWT verification, and auditability are governance issues, not just engineering housekeeping.
- Removing token-verification caching prioritises identity decision integrity over convenience, which is the right trade-off when claims drive authorisation.
- Teams should re-test throughput, token trust, and observability before upgrading so policy changes do not create invisible control regressions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | JWT handling and service-account trust directly affect NHI authentication controls. |
| NIST CSF 2.0 | PR.AC-1 | Access enforcement and identity evidence map to authorization control integrity. |
| NIST Zero Trust (SP 800-207) | SC-3 | Policy decisions on every request align with continuous verification and trust reduction. |
Verify token handling paths and remove any optimisation that weakens authoritative NHI validation.
Key terms
- Policy Decision Point: A policy decision point is the component that evaluates an access request and returns the authorisation outcome. In practical terms, it is part of the enforcement path, so its latency, token handling, and auditability directly shape whether identity policy is actually applied as intended.
- JWT Verification Cache: A JWT verification cache stores the result of token validation so later requests can avoid repeating the cryptographic work. That can improve speed, but it also creates a trust-reuse problem if stale or tampered token state can influence decisions based on claims or session context.
- CEL Path Function: A CEL path function is a built-in rule helper that lets policy authors inspect or combine file-like paths without manual string manipulation. It improves policy readability and reduces brittle expressions, but it still requires careful testing for normalization, prefix matching, and platform-specific path behaviour.
- Policy Artefact Traceability: Policy artefact traceability is the ability to tie a decision back to the exact bundle, commit, or version that produced it. This matters when multiple policy versions exist at once, because governance teams need evidence they can use for investigation, rollback, and post-change review.
Deepen your knowledge
Policy engine trust boundaries and runtime decision integrity are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are governing request-time authorisation at scale, it is worth exploring.
This post draws on content published by Cerbos: release notes for v0.52.0 and v0.53.0. Read the original.
Published by the NHIMG editorial team on 2026-05-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org