TL;DR: IAM programmes are still buckling under approval fatigue, privilege creep, and fragmented governance, while policy-based access control and just-in-time access offer two complementary ways to reduce standing privilege and improve auditability, according to Cerbos. The deeper issue is that access decisions must remain deterministic and explainable, even as AI is used around them, not inside them.
NHIMG editorial — based on content published by Cerbos: Beyond approvals - automating IAM for compliance, security, and business agility
By the numbers:
- 80% of organizations have moved to an identity-first security model.
- 4,500 microservices in their architecture
Questions worth separating out
Q: How should security teams implement just-in-time access without creating new governance gaps?
A: Security teams should use just-in-time access to remove standing privilege, but only where the approval criteria, task scope, and expiration conditions are defined up front.
Q: Why does policy-based access control matter more than traditional role-based access in modern IAM?
A: Policy-based access control matters because it evaluates each request using current context instead of relying on broad roles that can drift out of date.
Q: What breaks when access decisions are embedded inside each application?
A: Governance breaks down because security teams lose a single place to test, version, and explain access logic.
Practitioner guidance
- Map standing privileges by task and owner: inventory the accounts and roles that remain permanently active, then classify which of them can be converted to task-scoped elevation or request-time policy checks.
- Externalise critical authorisation rules from code: move high-risk access logic into a central policy layer so every decision can be versioned, tested, and audited.
- Define the context signals your policies truly need: check whether identity, resource, device, HR, and risk systems can supply the attributes your policies depend on.
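The three points above, and the JIT and PBAC answers earlier on this page, in runnable form: rules live in one place as data, each decision is evaluated against request-time context, JIT grants carry their task scope and expiry from the moment of approval, and every decision returns the rule that produced it. This is an added example written for this editorial, not Cerbos's code or policy language; the attribute names, rule set and sample grant are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Request:
    principal: str
    roles: frozenset
    action: str
    resource: str
    resource_owner: str   # context attribute supplied by the resource system
    device_managed: bool  # context attribute supplied by the device inventory
    now: datetime         # evaluation time is an input, so a decision can be replayed

@dataclass(frozen=True)
class JitGrant:           # task scope and expiry are fixed when the grant is approved
    principal: str
    action: str
    resource: str
    expires_at: datetime

def jit_grant_applies(req: Request, grant: JitGrant) -> bool:
    """A grant counts only if its scope matches the request exactly and has not expired."""
    return (grant.principal == req.principal and grant.action == req.action
            and grant.resource == req.resource and req.now < grant.expires_at)

# Rules are data, evaluated in order: the first match wins and the default is deny.
RULES = [
    ("owner_reads_own_resource",
     lambda req, grants: req.action == "read" and req.resource_owner == req.principal),
    ("admin_on_managed_device",
     lambda req, grants: "admin" in req.roles and req.device_managed),
    ("active_jit_grant",
     lambda req, grants: any(jit_grant_applies(req, g) for g in grants)),
]

def decide(req: Request, grants: list) -> tuple:
    """Return (effect, rule_name); the rule name is the explanation logged for auditors."""
    for name, matches in RULES:
        if matches(req, grants):
            return ("allow", name)
    return ("deny", "no_matching_rule")

# Constructed sample data, not real: a one-hour JIT grant for alice approved at T0,
# plus a builder for requests from alice whose context attributes can be overridden.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANT = JitGrant("alice", "delete", "db/prod", T0 + timedelta(hours=1))

def request_at(minutes_after_t0: int, **overrides) -> Request:
    fields = dict(principal="alice", roles=frozenset({"dev"}), action="delete",
                  resource="db/prod", resource_owner="svc", device_managed=True)
    return Request(now=T0 + timedelta(minutes=minutes_after_t0), **{**fields, **overrides})
```

Because `now` is passed in rather than read from the clock, an incident responder can re-run `decide` with the original request and grant and get the same answer and the same rule name that was logged.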
What's in the full article
Cerbos's full blog post covers the operational detail this post intentionally leaves for the source:
- A practical breakdown of how to implement JIT across privileged admin paths without relying on manual approval queues.
- A deeper example of how policy-based access control is wired into application services, gateways, and enforcement points.
- The panel's full discussion of AI-assisted recertification and where AI should stop short of enforcement.
- The agent identity discussion and standards references that show how this model may extend into AI-driven workflows.
👉 Read Cerbos's analysis of JIT, PBAC, and AI-assisted IAM governance →
JIT vs PBAC in IAM: what should security teams prioritise?
Explore further
JIT reduces exposure, but it does not erase the standing-privilege assumption. The article is right to treat JIT as a way to shrink the approval queue and the attack window, but it still grants access for a bounded period. That means the governance model is still built around the assumption that privilege can be safely pre-authorised for a task window. Practitioners should recognise that JIT narrows the risk, but does not change the underlying access model.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
A question worth separating out:
Q: How should organisations use AI in access governance without letting AI make access decisions?
A: Organisations should use AI for recommendations, anomaly detection, policy tuning, and recertification support, but keep the actual allow or deny decision deterministic. Access decisions need to be reproducible and defensible, especially when auditors or incident responders ask why access was granted. AI should improve the process around the decision, not replace the decision itself.