TL;DR: B2B SaaS feature flags increasingly function as entitlement controls, with org-level claims embedded in access tokens and used to switch features on for specific customers, support cases, and phased rollouts, according to WorkOS. The governance issue is not the toggle itself but the lifecycle of customer-specific access, which must stay aligned to contracts, environments, and cleanup.
At a glance
What this is: This is a practical guide to organization-level feature flags in B2B SaaS, showing how per-customer entitlements and rollout flags are represented in tokens and managed across environments.
Why it matters: It matters because feature flags can become a de facto access control layer, affecting entitlement governance, lifecycle cleanup, and consistency across human, NHI, and platform-driven access decisions.
👉 Read WorkOS's guide to organization-level feature flags for B2B SaaS
Context
In B2B SaaS, feature access is often treated like a product decision, but it behaves like access control. Once a flag determines whether a customer can reach analytics, admin functions, or beta capabilities, the programme is governing entitlements, not just UX. That makes lifecycle, auditability, and environment separation part of the security model.
The primary identity question is simple: who or what is allowed to see which capabilities, under which contract, and in which environment. For IAM and NHI teams, the interesting part is that application-level flags can start to resemble policy enforcement when they are embedded in tokens and used at runtime. That is a governance boundary, not just a development convenience.
Key questions
Q: How should security teams govern organization-level feature flags as access controls?
A: Treat organization-level feature flags as entitlement-bearing controls, not just release toggles. Define ownership, approval, and review for every flag that changes customer capability. Keep a clear mapping between contract state, environment state, and runtime enforcement so the application does not outlive the business justification for access.
Q: Why do token-backed feature flags create governance risk?
A: Token-backed flags turn access state into a claim that the application trusts at runtime. That is efficient, but it also means stale or overbroad entitlement data can persist until the token is refreshed. The risk is misaligned access, especially when the flag reflects a customer agreement that has already changed.
Q: What breaks when rollout flags are left in place after launch?
A: Unused rollout flags create code-path clutter, obscure which access is intentional, and increase the chance that old experiment settings keep influencing production behaviour. They also make audits harder because teams can no longer tell whether a flag is still temporary or has become an implicit entitlement.
Q: How do you know if feature flag governance is actually working?
A: You should be able to answer which flags are long-lived entitlements, which are temporary rollouts, who owns them, when they were last reviewed, and which customer agreements they reflect. If that inventory is missing or inconsistent, the governance model is not functioning as a control.
Technical breakdown
Org-scoped feature flags as entitlement claims
Organization-level feature flags work by binding feature availability to an org identifier, often inside a session or access token. In the article, the flag list is embedded in JWT claims, so the application can make a runtime decision without a separate entitlement lookup. That design reduces latency and simplifies application logic, but it also means the token becomes part of the access control decision chain. If the entitlement state is wrong, stale, or overly broad, the application will faithfully enforce the wrong outcome. The technical model is closer to federated entitlement propagation than to a simple UI toggle.
Practical implication: treat token-backed flags as security-relevant claims and govern their issuance, refresh, and revocation with the same discipline as other access-bearing artefacts.
Environment-specific rollout rules and drift risk
The article separates feature flag rules by environment, which is the right architectural pattern for testing and staged release. The risk is that the same org can have different effective entitlements in staging and production, and teams may lose track of which environment reflects the customer agreement. This creates drift between product intent, support expectations, and security posture. Environment separation is useful, but only if the rules are continuously reconciled against change management and customer lifecycle events.
Practical implication: reconcile flag state across environments during release and contract reviews, especially where production entitlements must mirror commercial agreements.
Flag lifecycle management is the hidden control plane
The article distinguishes between long-lived entitlement flags and short-lived rollout flags, and that distinction matters operationally. Entitlement flags behave like persistent access grants and should be removed when contracts change, while rollout flags should be retired after launch. If teams leave old flags in place, they accumulate policy debt, increase code-path complexity, and make it harder to know which features are intentionally exposed. In practice, the flag inventory becomes a control plane that needs its own governance model, not just developer ownership.
Practical implication: classify flags by purpose, assign an owner, and retire them on a defined schedule so stale entitlements do not become permanent access.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Internet Archive breach — unsecured GitLab authentication tokens exposed 31M Internet Archive accounts.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Organization-level feature flags are entitlement governance, not just release engineering. Once a flag determines who gets access to a product capability, the control becomes part of the identity model. That means contracts, approval paths, and removal rules matter as much as code implementation. Practitioners should stop treating feature exposure as a purely product-side decision and govern it like a lifecycle-controlled entitlement.
Customer-specific access without lifecycle discipline creates entitlement drift. Long-lived flags tied to plans, contracts, or support overrides can outlive the business justification that created them. That is especially dangerous when flags are embedded in tokens and refreshed silently across sessions. The control failure is not technical complexity, it is the absence of a reliable offboarding and recertification process for feature access.
Feature flags can blur the boundary between application policy and access control policy. When the application reads a flag claim directly and gates functionality at runtime, the token becomes a policy carrier. That is manageable only when ownership, audit trails, and environment separation are explicit. Otherwise, product teams inherit an IAM problem without the governance language to see it.
Flag inventory is a governance asset with a measurable cleanup burden. The article’s advice to review active flags quarterly reflects a broader truth: stale flags create hidden privilege paths and operational ambiguity. A named concept here is entitlement flag debt, the accumulation of unused or misaligned flags that weakens control clarity over time. Practitioners should manage that debt as part of access governance, not as housekeeping.
The strongest control is alignment between commercial state and runtime access state. If CRM, billing, support, and product flags do not converge, the organisation will eventually grant capabilities that no longer match the agreement. That creates audit, support, and security exposure in the same failure. Teams need a single accountable owner for that alignment, because distributed ownership is where entitlement errors persist.
From our research:
- Average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- For lifecycle alignment, review the NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that translate cleanly to entitlement flag governance.
What this signals
Entitlement flag debt: feature flags that remain after the commercial or rollout need has passed become a hidden policy layer. That debt is often invisible until audit time, because the application still works while the governance model slowly decays. Teams should expect more pressure to connect product state, billing state, and runtime state under one control model.
The article’s model fits the wider zero-trust pattern only if access state is continuously validated against current context. A useful reference point is the NIST Cybersecurity Framework 2.0, especially where access governance must be observable, reviewable, and tied to accountable ownership. Feature flags that cannot be recertified are access decisions that have drifted outside governance.
For practitioners, the next step is usually not more flags but better inventory discipline. The combination of environment-specific rules, token-based delivery, and customer-level entitlements means flag sprawl can grow quietly until it becomes a release, support, and security issue at once. That is the point where clean-up becomes a programme requirement, not an optimisation task.
For practitioners
- Classify flags by entitlement type Separate long-lived customer entitlement flags from short-lived rollout flags, and assign each type a distinct owner, review cadence, and retirement rule.
- Reconcile flag state with contract data Tie feature enablement to CRM or billing events so upgrades, downgrades, and beta participation update access without manual drift.
- Audit token-backed feature claims regularly Review the feature_flags claim and the downstream logic that consumes it, especially where session refresh determines when changes take effect.
- Retire completed rollout flags quickly Remove temporary flags after the release or experiment ends so inactive toggles do not remain as permanent access paths in code and policy.
- Separate staging and production entitlement checks Validate that environment-specific rules do not diverge from customer agreements, and test promotion paths before flags reach production users.
Key takeaways
- Organization-level feature flags become access controls the moment they determine who can use a capability, which makes governance and lifecycle discipline mandatory.
- Token-backed entitlement delivery is efficient, but stale flag state can persist long enough to create audit, support, and access drift.
- The practical control is not more flagging, but stronger ownership, cleanup, and alignment between commercial state and runtime enforcement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived customer flags behave like persistent entitlements and need lifecycle control. |
| NIST CSF 2.0 | PR.AC-4 | Feature flags control who gets access to capabilities, aligning with least-privilege access governance. |
| NIST Zero Trust (SP 800-207) | AC-3 | Runtime flag enforcement is an access decision that should be continuously validated. |
Ensure feature access is enforced through explicit, reviewable policy decisions and not hidden defaults.
Key terms
- Feature Flag: A feature flag is a runtime control that turns a capability on or off for a specific user, organization, or environment. In identity terms, it behaves like an entitlement claim when it decides what a customer can do, and it must be governed with ownership, review, and retirement rules.
- Entitlement Flag: An entitlement flag is a long-lived feature flag tied to a customer contract, plan tier, or special agreement. It is not a temporary release switch. Because it governs access over time, it should be treated as part of the access control lifecycle, including recertification and clean-up.
- Runtime Access State: Runtime access state is the effective permission picture the application uses at the moment a request is made. It may come from a token, session, policy engine, or database. When it diverges from contract or environment state, the organisation has an entitlement drift problem.
- Entitlement Flag Debt: Entitlement flag debt is the accumulation of unused, misaligned, or poorly retired feature flags that continue to influence access decisions. It creates governance ambiguity, increases audit effort, and leaves old access paths active long after their original purpose has ended.
Deepen your knowledge
Organization-level feature flags, entitlement lifecycle, and runtime access control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance model for customer-specific feature access, it is worth exploring.
This post draws on content published by WorkOS: How to enable B2B SaaS features for specific customers. Read the original.
Published by the NHIMG editorial team on 2025-08-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
