
JIT vs PBAC in IAM: what should security teams prioritise?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: IAM programmes are still buckling under approval fatigue, privilege creep, and fragmented governance. Policy-based access control (PBAC) and just-in-time (JIT) access offer two complementary ways to reduce standing privilege and improve auditability, according to Cerbos. The deeper point is that access decisions must remain deterministic and explainable: AI may assist around them (reviews, recertification), but it must not sit inside the enforcement path.

NHIMG editorial — based on content published by Cerbos: Beyond approvals - automating IAM for compliance, security, and business agility

Questions worth separating out

Q: How should security teams implement just-in-time access without creating new governance gaps?

A: Security teams should use just-in-time access to remove standing privilege, but only where the approval criteria, task scope, and expiration conditions are defined up front. A grant that is approved ad hoc, scoped to a whole environment rather than a task, or left without an expiry simply recreates standing privilege under a new name, and an elevation that cannot be traced back to its approval record is no easier to audit than the permanent role it replaced.

Q: Why does policy-based access control matter more than traditional role-based access in modern IAM?

A: Policy-based access control matters because it evaluates each request using current context (the principal, the resource, the action, and signals such as device posture or risk) instead of relying on broad roles that accumulate permissions and drift out of date. A role records who someone was when it was assigned; a policy checks what is true at request time.

Q: What breaks when access decisions are embedded inside each application?

A: Governance breaks down because authorisation logic ends up duplicated in each codebase, often in different languages and with subtly different semantics, so security teams lose a single place to test, version, and explain access logic, and every policy change has to be shipped through every application's release cycle.

Practitioner guidance

  • Map standing privileges by task and owner: inventory the accounts and roles that remain permanently active, then classify which of them can be converted to task-scoped elevation or request-time policy checks.
  • Externalise critical authorisation rules from code: move high-risk access logic into a central policy layer so every decision can be versioned, tested, and audited.
  • Define the context signals your policies truly need: check whether identity, resource, device, HR, and risk systems can supply the attributes your policies depend on.

What's in the full article

Cerbos's full blog post covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of how to implement JIT across privileged admin paths without relying on manual approval queues.
  • A deeper example of how policy-based access control is wired into application services, gateways, and enforcement points.
  • The panel's full discussion of AI-assisted recertification and where AI should stop short of enforcement.
  • The agent identity discussion and standards references that show how this model may extend into AI-driven workflows.

👉 Read Cerbos's analysis of JIT, PBAC, and AI-assisted IAM governance →

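As an added illustration (not code from Cerbos, and not from the source article), here is a small Python policy decision point that ties the JIT question and the three guidance steps together: grants carry a task scope and an expiry fixed at approval time, rules are evaluated in a fixed order against request-time context (HR, device and risk attributes, which this example assumes are supplied by upstream systems), and every decision returns the rule path that produced it. POLICY_VERSION, RISK_DENY_THRESHOLD, the ticket identifiers, and the sample grants are constructed for the example and are not real identifiers or systems.

```python
"""Deterministic, explainable PBAC check for a JIT elevation request.

Added example, not Cerbos's code or API. The resource names, tickets,
thresholds and attribute names are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

POLICY_VERSION = "elevation-policy-v3"  # hypothetical: policy is versioned like code
RISK_DENY_THRESHOLD = 70                # hypothetical cut-off on a 0..100 risk score


@dataclass(frozen=True)
class Grant:
    """A JIT grant: scope and expiry are fixed when it is approved."""
    principal: str
    resource: str            # task scope, e.g. one database, not "all of prod"
    actions: frozenset
    approved_at: datetime
    ttl: timedelta
    ticket: str              # approval record the decision can cite

    @property
    def expires_at(self) -> datetime:
        return self.approved_at + self.ttl


@dataclass(frozen=True)
class Request:
    """Request-time context from identity, device, HR and risk systems (assumed attributes)."""
    principal: str
    resource: str
    action: str
    now: datetime
    employed: bool           # HR attribute
    device_compliant: bool   # device posture attribute
    risk_score: int          # 0..100 from a risk system


@dataclass
class Decision:
    allow: bool
    policy: str
    reasons: list[str] = field(default_factory=list)


def evaluate(req: Request, grants: list[Grant]) -> Decision:
    """Return a decision plus the rule path that produced it.

    Rules run in a fixed order and consult nothing outside `req` and
    `grants`, so identical inputs always yield identical output and the
    reasons list can be logged for audit or recertification.
    """
    reasons: list[str] = []

    # Gate 1: context signals that override any grant, checked first.
    if not req.employed:
        return Decision(False, POLICY_VERSION, ["hr.employed is false"])
    if not req.device_compliant:
        return Decision(False, POLICY_VERSION, ["device.compliant is false"])
    if req.risk_score > RISK_DENY_THRESHOLD:
        return Decision(False, POLICY_VERSION,
                        [f"risk.score {req.risk_score} exceeds {RISK_DENY_THRESHOLD}"])

    # Gate 2: an active, task-scoped grant must cover this exact request.
    for g in sorted(grants, key=lambda g: g.ticket):  # fixed order, stable reasons
        if g.principal != req.principal:
            continue
        if g.resource != req.resource:
            reasons.append(f"{g.ticket}: scoped to {g.resource}, not {req.resource}")
            continue
        if req.now >= g.expires_at:
            reasons.append(f"{g.ticket}: expired at {g.expires_at.isoformat()}")
            continue
        if req.action not in g.actions:
            reasons.append(f"{g.ticket}: action {req.action} not in {sorted(g.actions)}")
            continue
        return Decision(True, POLICY_VERSION,
                        [f"{g.ticket}: covers {req.action} on {g.resource} "
                         f"until {g.expires_at.isoformat()}"])

    reasons.append("no active grant covers this request")
    return Decision(False, POLICY_VERSION, reasons)


# Constructed sample data: two approved, task-scoped grants for one principal.
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "prod-db/orders", frozenset({"read", "write"}),
          approved_at=T0, ttl=timedelta(hours=2), ticket="CHG-1001"),
    Grant("alice", "prod-db/billing", frozenset({"read"}),
          approved_at=T0, ttl=timedelta(hours=8), ticket="CHG-1002"),
]


def demo() -> dict[str, Decision]:
    """Evaluate four constructed scenarios against the same policy and grants."""
    base = dict(principal="alice", resource="prod-db/orders", action="write",
                employed=True, device_compliant=True, risk_score=10)
    return {
        "in_window": evaluate(Request(now=T0 + timedelta(minutes=30), **base), GRANTS),
        "expired": evaluate(Request(now=T0 + timedelta(hours=3), **base), GRANTS),
        "wrong_scope": evaluate(Request(now=T0 + timedelta(minutes=30),
                                        **{**base, "resource": "prod-db/billing"}), GRANTS),
        "risky_device": evaluate(Request(now=T0 + timedelta(minutes=30),
                                         **{**base, "device_compliant": False}), GRANTS),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:13} allow={d.allow} ({d.policy}) :: " + "; ".join(d.reasons))
```

Running the script prints one line per scenario. The thing to notice is that the reasons list is the audit trail: the expired grant and the mis-scoped grant both deny, but for different, logged causes, and the same inputs always produce the same output. That is what lets a reviewer, or an AI-assisted recertification tool working from the logs, reason about the policy without being part of the enforcement path.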