PBAC and broken access control: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: Broken access control remains the dominant application authorization risk, and Cerbos's article argues that policy-based access control is re-emerging because modern systems now need context-aware decisions across microservices, human users, and machine identities. The practical shift is away from scattered code checks toward centralized policy evaluation that can support least privilege, auditability, and real-time decisioning.

NHIMG editorial — based on content published by Cerbos: Policy-based access control is back for modern authorization

Questions worth separating out

Q: How should teams implement policy-based access control in modern applications?

A: Start by identifying the highest-risk authorization checks, then externalize those decisions into a central policy engine.

Q: Why does PBAC work better than hardcoded role checks in distributed systems?

A: Hardcoded role checks spread authorization logic across codebases, which makes drift and missed checks more likely.

Q: What do security teams get wrong about policy-based access control?

A: They often treat PBAC as a feature choice rather than a governance model.

Practitioner guidance

  • Centralise authorization decisions: move high-risk permission checks out of application code and into a policy decision point so access logic is visible, versioned, and reviewable across services.
  • Model access around subject, resource, action, and context: define policies that include attributes such as department, data sensitivity, device state, and session risk, rather than relying only on coarse roles.
  • Test policies before deployment: store authorization rules in version control and add unit tests for allow and deny cases so policy changes do not introduce regressions.
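To make the three points above concrete, here is a small policy decision point that evaluates rules over a subject/resource/action/context request, lets an explicit deny override any allow, and falls back to deny when nothing matches or a condition fails. This is an added example, not Cerbos's engine or policy format; the rule names, attribute keys (department, sensitivity, device_trusted, session_risk) and the policy set are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple


@dataclass
class Request:
    """One authorization question: may subject perform action on resource, in context?"""
    subject: dict
    resource: dict
    action: str
    context: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    actions: frozenset                    # actions this rule applies to
    effect: str                           # "allow" or "deny"
    condition: Callable[[Request], bool]  # attribute/context predicate


# Constructed policy set; order does not matter because an explicit deny always wins.
POLICY = [
    Rule("deny-high-sensitivity-on-untrusted-device", frozenset({"read", "export"}), "deny",
         lambda r: r.resource.get("sensitivity") == "high"
         and not r.context.get("device_trusted", False)),
    Rule("owner-read-edit", frozenset({"read", "edit"}), "allow",
         lambda r: r.resource.get("owner") == r.subject.get("id")),
    Rule("same-department-read", frozenset({"read"}), "allow",
         lambda r: r.resource.get("department") == r.subject.get("department")),
    Rule("admin-export-low-risk-session", frozenset({"export"}), "allow",
         lambda r: "admin" in r.subject.get("roles", ())
         and r.context.get("session_risk", "high") == "low"),
]


def decide(request: Request, policy=POLICY) -> Tuple[str, str]:
    """Return (effect, rule_name). Deny overrides allow; no matching rule or a
    condition that raises yields the default deny, so the PDP fails closed."""
    allow_by: Optional[str] = None
    for rule in policy:
        if request.action not in rule.actions:
            continue
        try:
            matched = rule.condition(request)
        except Exception:  # a broken expression must never grant access
            return "deny", f"{rule.name}:evaluation-error"
        if matched and rule.effect == "deny":
            return "deny", rule.name
        if matched and allow_by is None:
            allow_by = rule.name
    return ("allow", allow_by) if allow_by else ("deny", "default-deny")
```

Keeping the policy list in version control and asserting on `decide()` for both allow and deny cases is the regression test the guidance above describes.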

What's in the full article

Cerbos's full article covers the operational detail this post intentionally leaves for the source:

  • A concrete walk-through of replacing scattered if statements with a policy decision point in application flows.
  • Examples of policy-as-code structure for roles, attributes, and context conditions across services.
  • Implementation guidance for fail-closed behaviour, caching, and integration patterns in microservice environments.
  • Practical tooling notes on policy testing, simulation, and incremental rollout in existing stacks.

👉 Read Cerbos's analysis of policy-based access control for modern authorization →
