
Embeddable PDPs and runtime authorization: what changes for teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Embeddable policy decision points move authorization into the application runtime, cutting network hops and simplifying deployment while creating new trade-offs around policy distribution, token enrichment, and auditability, according to Cerbos's analysis. For IAM teams, the architectural win only holds if governance, context handling, and logging keep pace with where decisions now happen.

NHIMG editorial — based on content published by Cerbos: Embeddable Policy Decision Points and runtime authorization

Questions worth separating out

Q: How should security teams implement embedded authorization without losing policy consistency?

A: They should treat embedded authorization as a distributed control plane, not a developer convenience.

Q: Why do embeddable PDPs increase the importance of token design?

A: Because the PDP can only evaluate what the application gives it.

Q: When does an embeddable PDP design fail in practice?

A: It fails when teams assume the policy engine can compensate for incomplete application context.

Practitioner guidance

  • Map every local decision input: Inventory which claims, resource attributes, and request fields the embedded PDP needs, then verify each one is available before the policy runs.
  • Govern policy distribution like code deployment: Track policy bundles, runtime versions, and rollout paths so embedded instances do not drift.
  • Enrich tokens with decision-grade attributes: Carry roles, tenancy, and other stable attributes in tokens where they are needed for local authorization.

What's in the full article

Cerbos's full analysis covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of embedded PDP integration in browser, mobile, and edge runtimes
  • The JavaScript SDK workflow for loading local policy bundles and evaluating permissions
  • Deployment patterns for hybrid models that keep a server PDP alongside embedded checks
  • Practical guidance on audit logging callbacks and policy auto-update flows

👉 Read Cerbos's analysis of embeddable PDPs and runtime authorization →

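The three practitioner points above (inventory decision inputs before evaluating, version the policy bundle, carry decision-grade attributes in the token) as one runnable example. This is an added illustration, not code from the post or from Cerbos's SDK: the bundle format, the `EmbeddedPdp` class, the rule names, and the token claims are all hypothetical and constructed inline so the block runs offline in Node.

```javascript
// Added example: a minimal in-process policy decision point (hypothetical, not the
// Cerbos SDK). It refuses to decide when required inputs are missing, tags every
// decision with the bundle version that produced it, and emits each decision to
// an audit callback so logging keeps pace with where decisions now happen.

// Constructed policy bundle. In production this would be fetched from a bundle
// server and integrity-checked; here it is inline so the example is self-contained.
const POLICY_BUNDLE = {
  version: "2024-06-01.3",
  // Attributes the policy needs. The PDP can only evaluate what the app gives it,
  // so anything missing is reported rather than silently defaulted.
  requiredInputs: {
    principal: ["id", "roles", "tenant"],
    resource: ["kind", "id", "tenant", "ownerId"],
  },
  // A rule without `actions` applies to every action. DENY always wins over ALLOW.
  rules: [
    { name: "deny-cross-tenant", effect: "DENY", when: (p, r) => p.tenant !== r.tenant },
    { name: "admin-all", effect: "ALLOW", actions: ["view", "edit", "delete"], when: (p) => p.roles.includes("admin") },
    { name: "owner-edit", effect: "ALLOW", actions: ["view", "edit"], when: (p, r) => p.id === r.ownerId },
    { name: "viewer-view", effect: "ALLOW", actions: ["view"], when: (p) => p.roles.includes("viewer") },
  ],
};

// Map token claims onto the principal shape the bundle expects. Only stable,
// decision-grade attributes are carried (hypothetical claim names).
function principalFromClaims(claims) {
  return {
    id: claims.sub,
    roles: Array.isArray(claims.roles) ? claims.roles : undefined,
    tenant: claims.tenant,
  };
}

// Return the dotted names of required attributes that are absent on `obj`.
function missingInputs(obj, required, prefix) {
  return required
    .filter((k) => obj == null || obj[k] == null)
    .map((k) => `${prefix}.${k}`);
}

class EmbeddedPdp {
  constructor(bundle, audit) {
    this.bundle = bundle;
    this.audit = audit || (() => {});
  }

  // Evaluate one (principal, resource, action) request: default deny.
  check({ principal, resource, action }) {
    const missing = [
      ...missingInputs(principal, this.bundle.requiredInputs.principal, "principal"),
      ...missingInputs(resource, this.bundle.requiredInputs.resource, "resource"),
    ];
    let decision;
    if (missing.length > 0) {
      decision = { allowed: false, action, reason: "MISSING_INPUTS", missing };
    } else {
      const applicable = this.bundle.rules.filter(
        (rule) => (!rule.actions || rule.actions.includes(action)) && rule.when(principal, resource)
      );
      const deny = applicable.find((rule) => rule.effect === "DENY");
      const allow = applicable.find((rule) => rule.effect === "ALLOW");
      if (deny) decision = { allowed: false, action, reason: "DENY", rule: deny.name };
      else if (allow) decision = { allowed: true, action, reason: "ALLOW", rule: allow.name };
      else decision = { allowed: false, action, reason: "NO_MATCH" };
    }
    // Recording the bundle version is what makes drift between embedded
    // instances visible in the audit trail.
    decision.bundleVersion = this.bundle.version;
    this.audit({
      at: new Date().toISOString(),
      principalId: principal && principal.id,
      resource: resource && { kind: resource.kind, id: resource.id },
      ...decision,
    });
    return decision;
  }
}

// Constructed demonstration: a full token, a cross-tenant admin, and a token
// that lacks the tenant claim (the "incomplete application context" failure mode).
function demo() {
  const log = [];
  const pdp = new EmbeddedPdp(POLICY_BUNDLE, (entry) => log.push(entry));
  const doc = { kind: "document", id: "doc-42", tenant: "acme", ownerId: "u-1" };

  const owner = principalFromClaims({ sub: "u-1", roles: ["viewer"], tenant: "acme" });
  const edit = pdp.check({ principal: owner, resource: doc, action: "edit" });
  const del = pdp.check({ principal: owner, resource: doc, action: "delete" });

  const outsider = principalFromClaims({ sub: "u-9", roles: ["admin"], tenant: "globex" });
  const cross = pdp.check({ principal: outsider, resource: doc, action: "view" });

  const thin = principalFromClaims({ sub: "u-1", roles: ["admin"] }); // no tenant claim
  const incomplete = pdp.check({ principal: thin, resource: doc, action: "view" });

  return { edit, del, cross, incomplete, log };
}
```

Note that the admin in another tenant is denied even though an ALLOW rule also matches, and that the token without a tenant claim produces a `MISSING_INPUTS` decision instead of a guess; the audit callback sees all four decisions with the bundle version attached.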
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Runtime authorisation is no longer a separate infrastructure problem. It is an identity governance problem at the point of execution. Once the PDP lives inside the application, authorization quality depends on the claims, attributes, and resource facts the app can already present. That moves control from a managed service to code paths, token design, and policy packaging. The implication is that IAM teams can no longer treat authorization as a back-end utility detached from application behaviour.

A few things that frame the scale:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: What should IAM teams do before moving authorization into application runtime?

A: They should validate which applications can supply all decision inputs locally and which cannot. Then they should define policy ownership, bundle distribution, logging, and rollback procedures before the first embedded deployment. The move works best when governance, not just code, is ready for a distributed decision model.

👉 Read our full editorial: Embeddable PDPs shift authorization closer to application runtime



   