TL;DR: Teams keep rewriting application authorization logic, and Cerbos positions open source, centralized policy management, and audit logging as the answer for cloud-native and on-prem environments alike. The deeper issue is that access control is no longer an application detail but a governance layer, one that now shapes security, scalability, and operating-model decisions.
NHIMG editorial — based on content published by Cerbos: an interview with CEO and Co-Founder Emre Baran on authorization management and scalable access control
Questions worth separating out
Q: How should security teams govern application authorization across multiple services?
A: Security teams should centralise policy decisions in a shared policy service wherever possible, so that every service enforces the same rules and a single change to a rule propagates consistently instead of being re-implemented per application.
Q: Why does hardcoded authorization become a governance problem?
A: Hardcoded authorization becomes a governance problem because each application team can implement rules differently, creating drift, review gaps, and inconsistent enforcement.
Q: How do access decision logs help IAM and audit teams?
A: Access decision logs give IAM and audit teams evidence of who requested which action on which resource, whether the request was allowed or denied, and which policy rule (and policy version) produced that result.
Practitioner guidance
- Inventory hardcoded authorization paths: map every application where access logic lives in code rather than in a shared policy service, including the copies that only exist because a second team re-implemented the same rule.
- Separate policy ownership from application delivery: assign explicit ownership for rules, approval workflow, testing, and rollback so policy changes do not depend on application release timing.
- Require decision logging for all access checks: ensure the authorization layer records requester, resource, action, outcome, and the policy reason (matched rule and policy version) so audit, incident response, and certification processes can use the same evidence set. A denial with no matching rule should be logged as a default deny, not silently dropped.
What's in the full article
Cerbos' full interview covers the operational detail this post intentionally leaves for the source:
- How the Cerbos PDP model separates policy from application code in practice
- How centralized policy updates are pushed across distributed instances
- How decision logging is exposed for security and audit workflows
- How embedded policy support works in browser and edge-style runtimes
👉 Read Cerbos' interview on scalable authorization management and policy control →
Authorization management for modern apps: what IAM teams need to know
Explore further
Authorization is becoming an identity control plane, not an application detail. The article shows a familiar pattern: developers keep rebuilding access logic because it is treated as code, then rediscover that code-based authorization does not age well. That is not just a developer productivity issue; it is a governance issue, because the organisation loses a stable place to inspect and enforce access policy. Practitioners should treat embedded authorization as a sign that policy ownership is too close to implementation.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the same report.
A question worth separating out:
Q: What is the difference between application logic and policy-based authorization?
A: Application logic mixes access rules into the product code, so each service carries its own copy of the rule; policy-based authorization keeps the rules in a shared control layer that every application queries. The difference matters because policy can be reviewed, tested, and updated without rewriting each application. That reduces drift and gives security teams a clearer place to govern access across environments, provided the shared layer is the only path by which access decisions are made and it denies by default when no rule matches.
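The contrast above, and the decision-logging requirement from the practitioner guidance, as one added example. This is illustration code written for this editorial, not Cerbos' code and not Cerbos policy syntax; the POLICY dictionary format, the PolicyDecisionPoint class, the decision-log field names and the sample principals, resource and version tag are all assumptions constructed for the example. It places a hardcoded "can view invoice" check next to a shared policy evaluator that logs requester, resource, action, outcome and the matched rule for every decision.

```python
"""Hardcoded authorization next to a shared policy layer with decision logging.

Added illustration for this editorial; it is not Cerbos' code or policy syntax.
The POLICY dict format, the PolicyDecisionPoint class and the decision-log
field names are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Principal:
    id: str
    roles: set[str]


@dataclass
class Resource:
    kind: str
    id: str
    attrs: dict = field(default_factory=dict)


# Before: the rule lives in product code. A second service re-implements it,
# the two copies drift, and nothing records which rule produced the answer.
def can_view_invoice_hardcoded(user: Principal, invoice: Resource) -> bool:
    if "admin" in user.roles:
        return True
    return invoice.attrs.get("owner") == user.id


# After: rules live in one policy document (constructed sample, assumed format)
# keyed by resource kind and action. Every rule has a name so the log can cite it.
POLICY = {
    "invoice": {
        "view": [
            {"name": "admin-any", "roles": {"admin"}},
            {"name": "owner-can-view", "roles": {"finance", "viewer"}, "condition": "owner"},
        ],
        "delete": [
            {"name": "admin-any", "roles": {"admin"}},
        ],
    },
}


class PolicyDecisionPoint:
    """Evaluates POLICY on behalf of every service and appends one record per decision."""

    def __init__(self, policy: dict, version: str) -> None:
        self.policy = policy
        self.version = version          # lets auditors tie a decision to a policy revision
        self.decision_log: list[dict] = []

    def check(self, principal: Principal, resource: Resource, action: str, request_id: str) -> bool:
        matched = None
        for rule in self.policy.get(resource.kind, {}).get(action, []):
            if not rule["roles"] & principal.roles:
                continue
            if rule.get("condition") == "owner" and resource.attrs.get("owner") != principal.id:
                continue
            matched = rule["name"]
            break
        allowed = matched is not None     # no matching rule means default deny
        self.decision_log.append({
            "request_id": request_id,
            "principal": principal.id,
            "roles": sorted(principal.roles),
            "resource": f"{resource.kind}:{resource.id}",
            "action": action,
            "outcome": "ALLOW" if allowed else "DENY",
            "policy_version": self.version,
            "matched_rule": matched,      # None on default deny: the reason auditors ask for
        })
        return allowed


def denials(log: list[dict]) -> list[str]:
    """Audit view: the refused requests, with principal, action and resource."""
    return [f'{r["request_id"]} {r["principal"]} {r["action"]} {r["resource"]}'
            for r in log if r["outcome"] == "DENY"]


def demo() -> tuple[list[bool], list[dict]]:
    """Run three constructed checks through the policy layer; return outcomes and the log."""
    pdp = PolicyDecisionPoint(POLICY, version="2024-11-v3")   # constructed version tag
    alice = Principal("alice", {"finance"})
    bob = Principal("bob", {"viewer"})
    inv = Resource("invoice", "42", {"owner": "alice"})

    outcomes = [
        pdp.check(alice, inv, "view", "req-1"),     # owner-can-view matches: ALLOW
        pdp.check(bob, inv, "view", "req-2"),       # not the owner, no other rule: DENY
        pdp.check(alice, inv, "delete", "req-3"),   # only admins may delete: DENY
    ]
    # The hardcoded check agrees on "view" but leaves no record of why.
    assert can_view_invoice_hardcoded(alice, inv) == outcomes[0]
    assert can_view_invoice_hardcoded(bob, inv) == outcomes[1]
    return outcomes, pdp.decision_log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for line in denials(log):
        print("DENY", line)
```

The point of the design is that the same PolicyDecisionPoint instance serves every service, so a rule change is a change to POLICY and its version tag rather than to each codebase, and every decision, including a default deny, leaves a record naming the rule that produced it.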
👉 Read our full editorial: Authorization management is becoming core infrastructure for developers