Authorization build vs buy: what does it mean for IAM teams?


(@nhi-mgmt-group)
Member Moderator

TL;DR: According to Cerbos, customers who avoided building authorization in-house have seen seven-figure lifetime costs averted, at least £200,000 in developer time saved, and 3 to 6 months of build time saved. The core issue is not the initial access logic but the long tail of policy drift, audit burden, and maintenance overhead that compounds as systems grow; separately, IDC research puts developer time spent on security work at roughly 19%.

NHIMG editorial — based on content published by Cerbos: the build-versus-buy case for application authorization

By the numbers:

Questions worth separating out

Q: How should security teams decide whether to build authorization in-house or buy it?

A: Teams should compare total lifecycle cost, not just first-release effort.

Q: Why does in-house authorization become more expensive over time?

A: Authorization cost compounds because each new service, tenant type, and exception creates more policy paths to maintain.

Q: What breaks when authorization logic is scattered across application code?

A: Scattered logic breaks consistency, traceability, and change control.

Practitioner guidance

  • Map all authorization decision points: inventory every place where permission checks are enforced in application code, middleware, and service edges.
  • Quantify the full lifecycle cost of internal auth: include developer time, maintenance, audit prep, regression testing, and release delays in the business case.
  • Separate policy logic from product logic: move authorization rules out of feature code where possible so engineers can change access policy without rewriting business logic.
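The three points above describe one shape: a single decision point, policy kept as data rather than as scattered `if` statements, and a record of every decision for audit. The following is an added illustration written for this post; it is not code from Cerbos or from the NHIMG article, and the roles (`finance_admin`, `customer`, `support`), the `invoice` resource and the attribute names are constructed for the example. Feature code calls `is_allowed` and never re-implements the rule; `roles_permitted` answers the audit question "who can do X?" from the policy itself rather than from a code search.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Principal:
    id: str
    roles: frozenset
    attrs: dict = field(default_factory=dict)


@dataclass
class Resource:
    kind: str
    id: str
    attrs: dict = field(default_factory=dict)


# A rule grants `actions` on `resource_kind` to principals holding one of `roles`,
# optionally narrowed by a condition over principal and resource attributes.
Condition = Callable[[Principal, Resource], bool]


@dataclass
class Rule:
    resource_kind: str
    actions: frozenset
    roles: frozenset
    condition: Condition = lambda p, r: True


# Constructed sample policy (hypothetical roles and resource kind). The policy
# lives in one place, separate from the feature code that needs the decision.
POLICY: List[Rule] = [
    Rule("invoice", frozenset({"view", "update"}), frozenset({"finance_admin"})),
    Rule("invoice", frozenset({"view"}), frozenset({"customer"}),
         condition=lambda p, r: r.attrs.get("owner") == p.id),
    Rule("invoice", frozenset({"view"}), frozenset({"support"}),
         condition=lambda p, r: r.attrs.get("tenant") == p.attrs.get("tenant")),
]


@dataclass
class Decision:
    allowed: bool
    principal: str
    action: str
    resource: str
    matched_rule: Optional[int]  # index into the policy, so every allow is traceable


AUDIT_LOG: List[Decision] = []


def is_allowed(principal: Principal, action: str, resource: Resource,
               policy: List[Rule] = POLICY) -> Decision:
    """Single decision point: default deny, the first matching rule allows."""
    matched = None
    for idx, rule in enumerate(policy):
        if rule.resource_kind != resource.kind or action not in rule.actions:
            continue
        if not (principal.roles & rule.roles):
            continue
        if rule.condition(principal, resource):
            matched = idx
            break
    decision = Decision(matched is not None, principal.id, action,
                        f"{resource.kind}:{resource.id}", matched)
    AUDIT_LOG.append(decision)  # one record per check, allow or deny
    return decision


def roles_permitted(kind: str, action: str, policy: List[Rule] = POLICY) -> set:
    """Audit helper: which roles have any rule granting `action` on `kind`?"""
    return {role for rule in policy
            if rule.resource_kind == kind and action in rule.actions
            for role in rule.roles}


def update_invoice_total(principal: Principal, invoice: Resource,
                         new_total: int) -> Resource:
    """Feature code (the enforcement point): asks the decision point, then acts."""
    decision = is_allowed(principal, "update", invoice)
    if not decision.allowed:
        raise PermissionError(f"{principal.id} may not update {invoice.id}")
    invoice.attrs["total"] = new_total
    return invoice
```

Changing who may update an invoice is an edit to `POLICY`, not to `update_invoice_total`, and the `matched_rule` field on each logged decision ties every allow back to the rule that produced it.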

What's in the full article

Cerbos's full guide covers the operational detail this post intentionally leaves for the source:

  • Customer-by-customer cost breakdowns showing how lifetime authorization spend was estimated
  • Implementation detail on Cerbos PDP, Hub, PEP SDKs, and Synapse for teams comparing architectures
  • Practical examples of how policy authoring, testing, and distribution work in distributed environments
  • The source article's discussion of when building in-house can still make sense for niche requirements

Read Cerbos's guide to build-versus-buy decisions for authorization.
