TL;DR: Authorization policy now renders as a permissions grid that maps roles to actions and exposes allowed, denied, and conditional outcomes in a format business, compliance, and support teams can read without parsing policy files, according to Cerbos. The shift matters because authorization drift and wildcard grants become visible before they reach production.
At a glance
What this is: This is a product announcement about a permissions grid that turns compiled authorization policy into a role-by-action matrix with explicit conditional cells and wildcard visibility.
Why it matters: It matters because IAM and governance teams need a way to review authorization decisions without relying on policy authors, especially where human review, delegated support, and sensitive-data access intersect.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
👉 Read Cerbos' announcement on the permissions matrix for authorization policy
Context
Authorization policy becomes a governance problem the moment more than engineers need to answer who can do what. Product, compliance, and support all ask the same question in different words, but policy files are rarely readable to non-authors, which creates avoidable risk around access to sensitive data and customer-facing features.
A permissions matrix solves that translation problem by showing effective access as a grid of roles and actions instead of as raw policy rules. That matters for identity governance because authorization drift usually hides in complexity, not in intent, and shared review views help bring policy back into business-readable form.
Key questions
Q: How should teams review authorization policy when business users cannot read policy files?
A: Teams should review the effective permissions, not only the policy source. A matrix view lets product, compliance, and support staff verify who can do what without learning policy syntax. That reduces the risk of undocumented access assumptions and makes approval decisions easier to challenge before they reach production.
Q: When does a permissions matrix add more value than reading authorization rules directly?
A: A permissions matrix adds the most value when policies contain derived roles, layered conditions, or wildcard rules that are difficult to evaluate mentally. In those environments, the matrix turns complex policy logic into a reviewable access picture and helps teams spot drift, overreach, and exceptions earlier.
Q: What do security teams get wrong about conditional authorization rules?
A: Teams often treat conditional rules as a minor exception, when they are usually the core of the access decision. If the condition is not visible to reviewers, the organisation may approve access that only looks safe on paper. Conditional logic needs explicit review, ownership, and revalidation.
Q: How can organisations stop authorization drift from accumulating over time?
A: Organisations should review effective access on a recurring basis, not only after incidents or audits. That means checking wildcard reach, revalidating conditional rules, and removing temporary access paths that outlived their business purpose. Drift falls when policy changes are treated as governance events.
Technical breakdown
Source rules versus effective permissions
Authorization systems often separate policy definition from policy evaluation. The source view shows the compiled rules as written, while the effect matrix renders the effective outcome for each role and action combination. That distinction matters because a policy can look small in source but still create broad access after roles, inheritance, and conditions are applied. The matrix is therefore a governance lens, not a replacement for evaluation. It helps reviewers see what an access decision would resolve to without asking them to mentally execute policy logic.
Practical implication: give reviewers the effective permissions view, not just the policy source, when access decisions affect sensitive data.
Conditional access in ABAC-driven policy
Most real authorization decisions are not binary. Attribute-based access control allows the outcome to depend on request context such as tenant, value, ownership, or resource state. In practice, that means a role may be allowed only when a condition evaluates true at request time. A permissions grid that marks these cells as conditional preserves the actual decision logic instead of flattening nuance into an inaccurate allow or deny. That makes the policy reviewable by business stakeholders while keeping the underlying authorization logic intact.
Practical implication: preserve conditional outcomes in review workflows so exception logic is visible before it becomes an access problem.
Wildcard rules and authorization drift
Wildcards widen the surface area of a policy faster than most teams expect. A rule written for a broad pattern can reach into more cells than the original author intended, especially as roles and actions evolve. The important architectural detail is not just that a wildcard exists, but that its reach can be shown explicitly in a matrix. That makes over-permissive grants easier to spot during review rather than after a release or audit finding.
Practical implication: inspect wildcard coverage in every policy review cycle and treat broad matches as a change-control event.
NHI Mgmt Group analysis
Policy readability is now an authorization control, not just a usability feature. When business teams cannot read effective permissions, they outsource judgement to engineers or tickets. That creates a governance gap because the organisation can no longer verify whether access intent matches access reality. A matrix view does not change the policy model, but it changes who can challenge it before risk hardens into production behaviour.
Conditional access is where governance discipline either stays precise or becomes symbolic. The hardest policy decisions are the ones that depend on request context, because they resist simple yes-no summaries. A view that exposes conditional cells keeps the real logic visible to reviewers and prevents conditionality from being mistaken for ambiguity. Practitioners should treat that distinction as a control issue, not a presentation issue.
Wildcard expansion is the quietest form of authorization creep. Broad patterns often enter policy to unblock delivery and then survive long after the original use case has passed. Showing the cells a wildcard reaches makes the effective blast radius visible. The field should treat any mechanism that makes hidden breadth obvious as part of governance maturity, because drift is usually discovered too late by audits, not by authors.
Identity blast radius: A permissions matrix gives organisations a way to see how far a single rule reaches across roles and actions. That visibility matters because authorization risk is rarely about one rule in isolation; it is about how many access paths a review misses when policy is only legible to specialists. Practitioners should use that lens to narrow review scope before exceptions accumulate.
Shared authorization views bridge human IAM governance and non-human access control. The same question appears whether the subject is a customer support role, a service account, or a delegated operator: what can this identity actually do on this resource? That makes effective-permissions reporting useful across human and non-human programmes, because the governance problem is the same even when the subject changes.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs , Key Challenges and Risks.
- For the broader lifecycle context behind access review and offboarding, see NHI Lifecycle Management Guide, which maps provisioning, rotation, and revocation into one governance model.
What this signals
Identity blast radius: permissions visibility is becoming a practical control objective, not a reporting exercise. As teams mix human roles, service accounts, and delegated workflows, the real question is how far a single grant can reach before anyone notices. The NIST Cybersecurity Framework 2.0 remains a useful governance reference point for that review discipline.
A matrix view is most useful when it is paired with lifecycle discipline. If access can be understood clearly but not revoked or revalidated on a reliable cadence, the programme still carries hidden risk. That is why role readability, offboarding, and recertification need to be managed as one operating model rather than as separate tasks.
For teams building out policy governance, the next step is to connect readable authorization views to lifecycle controls and review cadence. The challenge is not just to answer who can do what today, but to ensure the answer stays accurate after roles change, exceptions accumulate, and temporary access becomes permanent.
For practitioners
- Review effective permissions, not just source policy Use the matrix view for access reviews whenever policy complexity is high enough that non-authors cannot reliably interpret the source files. Focus reviews on sensitive resources, destructive actions, and roles that span multiple business functions.
- Flag conditional cells as decision points Treat conditional outcomes as governance hotspots that require explicit ownership, documented request context, and periodic revalidation. Do not collapse them into allow or deny during review, because that hides the logic that actually governs access.
- Inspect wildcard reach before release Make wildcard coverage part of change approval for policies that use pattern-based grants. Validate which roles and actions the wildcard reaches so a broad match does not become accidental standing access.
Key takeaways
- A permissions matrix turns authorization from specialist syntax into business-readable access governance.
- Conditional logic and wildcard reach are the two places where effective access usually drifts beyond intent.
- Teams that review effective permissions regularly are better positioned to control authorization creep before it becomes an audit finding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Effective permissions views support least-privilege review and approval. |
| NIST Zero Trust (SP 800-207) | AC-2 | Zero trust depends on explicit, current access decisions that can be reviewed. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Broad or unclear access patterns in non-human identities increase governance risk. |
Apply NHI-03 review discipline to service accounts and other non-human actors with broad privileges.
Key terms
- Permissions Matrix: A permissions matrix is a visual representation of which roles can perform which actions on which resources. It translates policy rules into a table that makes effective access easier to review, especially when policy logic is too complex for non-authors to read confidently.
- Conditional Authorization: Conditional authorization is access control that depends on runtime facts such as tenant, ownership, value, or resource state. The decision is not simply allowed or denied. It is allowed only when the request satisfies the policy condition at evaluation time.
- Authorization Drift: Authorization drift is the gradual mismatch between intended access and actual access as policies accumulate exceptions, temporary grants, and pattern-based rules. It often appears slowly, then becomes visible only during audit, incident review, or access recertification.
- Wildcard Rule: A wildcard rule is an authorization statement that matches more resources or actions than a narrowly scoped rule would. Wildcards are useful for flexibility, but they also expand the effective access surface and need careful review because they can quietly over-grant privileges.
What's in the full article
Cerbos' full announcement covers the operational detail this post intentionally leaves for the source:
- A walk-through of how the Source and Effect matrix behave across compiled policy bundles and deployment views
- The specific ways conditional cells expose ABAC logic at request time, including how reviewers drill into the rule behind each outcome
- Examples of wildcard coverage in policy cells and how that reach appears in the hub interface during review
- The product workflow for using the permissions grid inside Cerbos Hub across existing deployments
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org