TL;DR: Deployments that reached production in days to weeks, with some teams running authorization checks in under 10 minutes, show that authorization speed is now a governance variable, according to Cerbos research. Enterprises like Utility Warehouse and NTWRK needed far more time to untangle existing logic than to deploy the control itself, because the real cost sits in integration debt, policy maintainability, and time diverted from product work.
NHIMG editorial — based on content published by Cerbos: implementation speed as a critical factor when evaluating authorization solutions
By the numbers:
- Cerbos says some teams have authorization checks running in under 10 minutes from first deployment.
- Utility Warehouse manages 4,500 services and reached production deployment within weeks.
- IDC research shows developers spend approximately 19% of their time on security tasks, averaging $28,000 in cost per developer per year.
Questions worth separating out
Q: How should teams implement externalized authorization without slowing delivery?
A: Teams should begin by identifying the access decisions already embedded in code, then move them into a centralized policy layer one domain at a time.
Q: Why does authorization implementation time vary so much between organisations?
A: Implementation time varies because the real bottleneck is often legacy policy sprawl, not the authorization system itself.
Q: What breaks when access rules are scattered across application code?
A: Governance becomes slow, inconsistent, and expensive to change.
Practitioner guidance
- Map all embedded authorization logic first. Inventory permission checks, exception branches, and role decisions across application code before selecting an externalized model.
- Separate policy change from application deployment. Establish a policy workflow that lets access rules change independently of code releases.
- Start with the smallest viable model. Use RBAC where it is sufficient, then extend to attribute or relationship-based rules only where business complexity requires it.
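One way to start the inventory described in the first guidance item, as an added example that is not from Cerbos or the original article: a Python `ast` pass that lists every branch condition touching authorization-looking identifiers. The hint list and the sample source are constructed assumptions; a name-based heuristic misses checks hidden behind helper calls or decorators, so treat the output as a starting list for review.

```python
import ast

# Assumed naming hints for authorization-related identifiers; tune per codebase.
AUTHZ_HINTS = ("role", "permission", "is_admin", "can_", "scope", "acl")

# Constructed sample of application code with embedded access decisions.
SAMPLE_SOURCE = '''
def delete_invoice(user, invoice):
    if user.role == "admin":
        return invoice.delete()
    if user.id == invoice.owner_id and "billing:write" in user.permissions:
        return invoice.delete()
    if invoice.total > 0:
        raise ValueError("non-empty invoice")
    raise PermissionError("denied")

def export_report(user, report):
    if user.is_admin or user.department == "finance":
        return report.render()
    raise PermissionError("denied")
'''

def _identifiers(node):
    """Yield every variable and attribute name used inside an expression."""
    for child in ast.walk(node):
        if isinstance(child, ast.Name):
            yield child.id
        elif isinstance(child, ast.Attribute):
            yield child.attr

def inventory_authz_checks(source):
    """Return one record per branch condition that mentions an authz hint."""
    findings = []
    def visit(node, func_name):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            func_name = node.name  # attribute nested findings to this function
        if isinstance(node, (ast.If, ast.While, ast.IfExp)):
            hits = sorted({n for n in _identifiers(node.test)
                           if any(h in n.lower() for h in AUTHZ_HINTS)})
            if hits:
                findings.append({"function": func_name, "line": node.lineno,
                                 "identifiers": hits, "condition": ast.unparse(node.test)})
        for child in ast.iter_child_nodes(node):
            visit(child, func_name)
    visit(ast.parse(source), "<module>")
    return sorted(findings, key=lambda f: f["line"])

if __name__ == "__main__":
    for f in inventory_authz_checks(SAMPLE_SOURCE):
        print(f'{f["function"]}:{f["line"]}  {f["condition"]}  -> {f["identifiers"]}')
```

Grouping the findings by function or module gives the per-domain list that a one-domain-at-a-time migration works from; the business-rule branch on `invoice.total` is correctly left out.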
What's in the full article
Cerbos' full blog post covers the operational detail this analysis intentionally leaves in summary form:
- Production deployment examples across startups and enterprises, including how teams moved from evaluation to live use.
- Implementation patterns such as sidecar, service-based PDP, and hybrid deployment, with the trade-offs between latency and rollout complexity.
- How teams handled technical debt cleanup, policy authoring, and the shift from in-code checks to centralized authorization.
- Examples of how YAML policies and CEL conditions reduced the learning curve for engineering and security teams.
Authorization in days or weeks: what changes for IAM teams?