
Authorization governance in tokens: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator

TL;DR: Static tokens turn authorization into a snapshot problem, leaving claims, scopes, and roles trusted for an hour or more even when context changes, according to Cerbos. Policy-driven token issuance shifts that decision into a governed policy layer, making authorization auditable, revocable, and fit for human and non-human identities alike.

NHIMG editorial — based on content published by Cerbos: policy-driven token issuance and authorization governance

By the numbers:

Questions worth separating out

Q: How should security teams govern claims and scopes inside access tokens?

A: Security teams should treat claims and scopes as governed authorization outputs, not as simple IdP mappings.

Q: Why do static tokens create authorization risk for both users and NHIs?

A: Static tokens create risk because they remain trusted after the context that justified them has changed.

Q: How can organisations tell whether token-based authorization is actually working?

A: Look for a clear decision log, a named owner for authorization policy, and evidence that token contents change when entitlement or risk state changes.

Practitioner guidance

  • Define a single authorization policy owner: Assign one governance owner for claims, scopes, group membership, and role-to-token mapping so the decision can be reviewed, audited, and changed centrally.
  • Move context checks into issuance policy: Feed current entitlement state, tenant scope, device signals, and risk exceptions into the policy that builds the token so the issued claims reflect the moment of access.
  • Separate authentication from authorization in architecture: Keep identity proofing and session validation in the IdP, but place access decisions in policy so downstream systems trust governed output rather than static directory mappings.
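Added example (not Cerbos's or NHIMG's code; the entitlement store, role-to-scope map, TTLs and risk rule are constructed assumptions): a minimal issuance policy layer that builds claims from current entitlement and risk state and appends a decision-log entry, so the same subject receives different scopes and lifetimes when context changes and a denial when the entitlement is gone.

```python
import time
from dataclasses import dataclass

# Constructed sample state (not from the article): what the directory and
# the risk feed say right now; the policy reads these at issuance time.
ENTITLEMENTS = {
    "alice@example.test": {"tenant": "acme", "roles": ["billing-admin"]},
    "svc-invoice-bot": {"tenant": "acme", "roles": ["billing-reader"]},
}
ROLE_SCOPES = {
    "billing-admin": {"invoices:read", "invoices:write"},
    "billing-reader": {"invoices:read"},
}
DEFAULT_TTL = 3600      # hypothetical one-hour lifetime for a low-risk token
DOWNGRADED_TTL = 300    # hypothetical short lifetime when risk is elevated

@dataclass
class Context:
    subject: str
    kind: str            # "user" or "workload" (non-human identity)
    device_trusted: bool
    risk: str            # "low" or "elevated", as reported by a risk feed

def issue_claims(ctx, entitlements, decision_log, now=None):
    """Policy layer: build claims from current state and record the reason."""
    now = int(now if now is not None else time.time())
    ent = entitlements.get(ctx.subject)
    if ent is None:
        decision_log.append({"sub": ctx.subject, "decision": "deny",
                             "reasons": ["no current entitlement"]})
        return None
    scopes = set()
    for role in ent["roles"]:
        scopes |= ROLE_SCOPES.get(role, set())
    ttl = DEFAULT_TTL
    reasons = [f"roles={ent['roles']}"]
    # Risk exception: an untrusted device or elevated risk strips write scopes
    # and shortens the lifetime, so the token mirrors the moment of access.
    if not ctx.device_trusted or ctx.risk == "elevated":
        scopes = {s for s in scopes if s.endswith(":read")}
        ttl = DOWNGRADED_TTL
        reasons.append("risk-downgrade")
    claims = {"sub": ctx.subject, "tenant": ent["tenant"], "kind": ctx.kind,
              "scope": sorted(scopes), "iat": now, "exp": now + ttl}
    decision_log.append({"sub": ctx.subject, "decision": "issue",
                         "scope": claims["scope"], "ttl": ttl,
                         "reasons": reasons})
    return claims
```

Re-running issue_claims after an entitlement is removed or a risk signal changes yields different claims, which is the evidence the Q&A above asks for; the decision log is what the policy owner reviews.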

What's in the full article

Cerbos's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step architecture for token-facilitated authorization in OAuth2, OIDC, and SAML estates
  • How externalized authorization and policy orchestration differ at the decision-point and proxy layers
  • Standards context for AuthZEN and the IETF drafts shaping actor profiles and client instances
  • Implementation traps to avoid when integrating policy into IdP token mapping and validation flows

👉 Read Cerbos's analysis of policy-driven token issuance and authorization governance →

