TL;DR: Modern authorization is increasingly being externalised from application code into policy layers, with Cerbos arguing that this improves speed, consistency, and compliance while reducing permission logic buried in services, according to Cerbos. The governance question is no longer whether teams can enforce access checks, but whether they can manage policy lifecycle, visibility, and drift across environments.
At a glance
What this is: This is a Cerbos podcast discussion on modern authorization, with the key finding that access control is moving from embedded application logic to externally managed policy governance.
Why it matters: This matters because IAM teams need consistent authorization across human, NHI, and application-layer access paths, not just stronger authentication at the front door.
By the numbers:
- Only 44% of organisations are currently using a dedicated secrets management system.
👉 Read Cerbos' ShipTalk discussion on modern authorization and policy governance
Context
Modern authorization is the policy decision that determines what an identity can do after authentication succeeds. In DevOps environments, that decision has often lived inside application code, which makes it harder to audit, standardise, and reuse across teams and services.
Cerbos frames the problem as one of governance as much as implementation. When permissions are embedded inside multiple applications, security teams inherit inconsistent logic, developers duplicate effort, and access policy becomes harder to align with zero-trust operating models and compliance requirements.
Key questions
Q: How should security teams centralise authorization without losing control?
A: Security teams should centralise authorization by separating policy from code, defining ownership for rule changes, and keeping exceptions visible in one approval path. The goal is not to remove engineering autonomy, but to make access decisions reviewable and consistent across applications, APIs, and service workflows. That is what turns authorization into governable infrastructure.
Q: Why do embedded authorization checks create governance problems?
A: Embedded checks create governance problems because each application can implement access rules differently, even when the business intent is the same. Over time, that produces policy drift, duplicated logic, and audit gaps that are hard to reconcile. A central policy layer reduces those inconsistencies and makes access decisions easier to evidence.
Q: When should organisations move to externalized authorization?
A: Organisations should move to externalized authorization when permissions are being rebuilt repeatedly, when microservices multiply access logic, or when compliance review becomes difficult because policy is scattered. The right trigger is not scale alone, but repeated friction in maintaining consistent access decisions across systems.
Q: What is the difference between authentication and authorization in practice?
A: Authentication proves who or what a subject is, while authorization determines what that subject can do after identity is established. In practice, teams often over-focus on authentication controls and leave authorization buried in code. That gap matters because access risk usually appears at the decision point, not the login screen.
Technical breakdown
Externalized authorization and application-layer policy
Externalized authorization moves access decisions out of application code and into a dedicated policy layer. The application asks a policy engine whether an action is allowed, then enforces the result at runtime. This separates identity context from business logic, which improves reuse across services and reduces the chance that permissions drift as applications change. In practice, this is most useful where resource ownership, role membership, and contextual conditions all shape access outcomes. It also makes authorization easier to test, version, and review than scattered code-level checks.
Practical implication: define authorization centrally and consume it consistently across applications instead of hard-coding access logic in each service.
Role-based and attribute-based authorization in DevOps
Role-based access control assigns permissions through named roles, while attribute-based access control evaluates conditions such as resource ownership, environment, or request context. Modern application authorization often blends both, because pure role models are too coarse for engineering workflows and pure attribute models can become difficult to govern. The technical value is not just finer granularity. It is the ability to express policy in a way that security and engineering teams can both understand, review, and update without rewriting application code every time business rules change.
Practical implication: use roles for stable entitlements and attributes for contextual decisions, then keep both under a single reviewable policy process.
Centralised policy management and standardisation
Centralised policy management allows one authoring model to serve multiple applications, environments, and integration points. Cerbos argues that standardisation matters because modern stacks are fragmented: microservices, SaaS tools, and infrastructure controls often all need access decisions, but not through the same implementation pattern. Standardisation reduces rework and makes policy portability more realistic. The broader direction is toward reusable authorization interfaces that can sit alongside identity standards such as federated authentication, while keeping approval logic separate from the code that performs the action.
Practical implication: treat authorization policy as a governed shared asset, not as a one-off implementation inside each application.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authorization is becoming a governance layer, not just an application feature. The central shift in this discussion is that access decisions are moving out of scattered code paths and into a managed policy surface. That matters because authorization logic is where identity intent becomes enforceable action, and unmanaged duplication across services creates drift that IAM teams cannot see cleanly. Practitioners should treat authorization policy as part of identity governance, not just software architecture.
Application-layer authorization is where human IAM and machine access models start to converge. The same policy discipline that constrains human users in business applications is increasingly needed for service-to-service access and automated workflows. Once access decisions are expressed centrally, the organisation can reason about who or what is allowed to do something in a consistent way across actor types. That makes authorization one of the few control planes that can span human, NHI, and automated access with a single governance model.
Policy sprawl is the named concept this conversation exposes. When every team implements its own access checks, the organisation does not just get more policies, it gets multiple incompatible interpretations of least privilege. That creates audit friction, inconsistent enforcement, and hidden exceptions that are difficult to retire. The practitioner takeaway is that standardisation is not a convenience feature, it is the difference between governable authorization and accumulated policy debt.
Externalized authorization reduces development friction, but it also raises ownership questions. Once policy is centralised, security, platform, and application teams must decide who authors rules, who approves changes, and who owns exceptions. If those responsibilities are unclear, the central policy layer can become a new bottleneck rather than a control improvement. The governance model must therefore be explicit before the tooling rollout expands.
The future signal here is toward reusable authorization interfaces across distributed systems. That direction aligns with broader zero-trust thinking, where access is continuously evaluated instead of assumed from network position or code location. Practitioners should expect more pressure to separate authentication from authorization operationally, and to standardise policy evaluation across applications, APIs, and downstream services.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A second finding from the same research shows that 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
- For a broader governance baseline, see NHI Lifecycle Management Guide for how access, rotation, and offboarding should be managed across non-human identities.
What this signals
Policy centralisation will only help if organisations can actually see the identities and integrations it governs. That is why the visibility gap matters so much. When 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the authorization layer may be cleaner than the identity graph underneath it.
Authorization governance is increasingly a cross-domain discipline. Human access, service accounts, and application permissions all end up in the same decision fabric, and that means policy changes will reverberate across IAM, NHI, and platform engineering. Teams should expect more pressure to align authorization review with lifecycle governance, not just login controls.
Policy sprawl is a hidden programme risk. If access rules are spread across codebases, the organisation cannot reliably certify them, retire exceptions, or explain entitlement decisions to auditors. The operating model should move toward shared authorization services, with explicit review points and reusable policy patterns.
For practitioners
- Separate policy from application logic Move access decision logic into a centrally governed policy layer so the same rules can be reviewed, versioned, and reused across services without code duplication.
- Define clear policy ownership Assign authorship, approval, and exception handling for authorization policy before centralising it, so the shared control does not become a queue with no accountable owner.
- Map roles and attributes to real decisions Use roles for stable access patterns and attributes for contextual decisions such as ownership or environment, then validate that each rule is understandable to auditors and developers.
- Test authorization before deployment Exercise policy changes in a non-production environment and verify the outcome against expected business scenarios before new rules reach customer-facing applications.
Key takeaways
- Authorization is moving from embedded application logic into a governed policy layer, which changes it from a developer convenience into an identity control.
- The biggest operational risk is not lack of policy, but policy sprawl, where each team implements least privilege differently and auditability breaks down.
- IAM and security teams should treat externalized authorization as shared governance infrastructure, with ownership, testing, and exception handling defined before adoption expands.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Centralised authorization supports least-privilege access decisions across systems. |
| NIST Zero Trust (SP 800-207) | AC-6 | Zero Trust requires continuous, context-aware authorisation decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Shared policy governance helps prevent unmanaged privilege and entitlement drift for service identities. |
Tie NHI entitlements to a governed policy process and review changes as part of lifecycle control.
Key terms
- Externalized Authorization: A design pattern where access decisions are made outside the application and consumed as a service or policy layer. This makes permissions easier to review, version, and reuse across systems, while reducing the hidden risk of embedding business rules directly into code paths.
- Policy Sprawl: The accumulation of separate, inconsistent authorization rules across multiple applications, teams, or platforms. It becomes a governance problem when no single owner can explain, certify, or retire those rules, and the organisation loses confidence that access is being enforced consistently.
- Application-Layer Authorization: Authorization decisions enforced within the application context rather than at the network or infrastructure edge. It is the point where identity, resource ownership, and business logic intersect, which makes it a critical control surface for modern IAM and NHI governance.
Deepen your knowledge
Authorization governance, policy centralisation, and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a consistent access model across applications and service identities, it is worth exploring.
This post draws on content published by Cerbos: the ShipTalk discussion on modern authorization and policy governance. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
