
PBAC and broken access control: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Broken access control remains the dominant application authorization risk, and the article argues that policy-based access control is re-emerging because modern systems now need context-aware decisions across microservices, human users, and machine identities, according to Cerbos. The practical shift is away from scattered code checks toward centralized policy evaluation that can support least privilege, auditability, and real-time decisioning.

NHIMG editorial — based on content published by Cerbos: Policy-based access control is back for modern authorization

By the numbers:

Questions worth separating out

Q: How should teams implement policy-based access control in modern applications?

A: Start by identifying the highest-risk authorization checks, then externalize those decisions into a central policy engine.

Q: Why does PBAC work better than hardcoded role checks in distributed systems?

A: Hardcoded role checks spread authorization logic across codebases, which makes drift and missed checks more likely.

Q: What do security teams get wrong about policy-based access control?

A: They often treat PBAC as a feature choice rather than a governance model.

Practitioner guidance

  • Centralise authorization decisions: Move high-risk permission checks out of application code and into a policy decision point so access logic is visible, versioned, and reviewable across services.
  • Model access around subject, resource, action, and context: Define policies that include attributes such as department, data sensitivity, device state, and session risk, rather than relying only on coarse roles.
  • Test policies before deployment: Store authorization rules in version control and add unit tests for allow and deny cases so policy changes do not introduce regressions.

What's in the full article

Cerbos's full article covers the operational detail this post intentionally leaves for the source:

  • A concrete walk-through of replacing scattered if statements with a policy decision point in application flows.
  • Examples of policy-as-code structure for roles, attributes, and context conditions across services.
  • Implementation guidance for fail-closed behaviour, caching, and integration patterns in microservice environments.
  • Practical tooling notes on policy testing, simulation, and incremental rollout in existing stacks.

👉 Read Cerbos's analysis of policy-based access control for modern authorization →

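To make the three guidance points above concrete, here is an added example of a minimal policy decision point in Python: policies are data (subject, resource, action, context), deny rules override allow rules, anything unmatched or any evaluation error is denied (fail closed), every decision records the rule that produced it for audit, and a table of allow/deny cases can run in CI before a policy change ships. This is constructed illustration code written for this post, not Cerbos's engine, API, or policy language; the attribute names (department, sensitivity, device_compliant, session_risk, scopes), the rule ids, and the sample identities and documents are assumptions made for the example.

```python
"""Minimal policy decision point (PDP): policy as data, default deny, auditable decisions.

Constructed example, not Cerbos's code. Attribute names, rule ids and the sample
principals/resources below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable

Attrs = dict[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs], bool]  # (principal, resource, context) -> matched


@dataclass(frozen=True)
class Rule:
    id: str
    effect: str                 # "allow" or "deny"
    actions: frozenset[str]
    condition: Condition


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule_id: str                # rule that produced the decision, or "default-deny" / "evaluation-error"
    reason: str


WRITE = frozenset({"update", "delete"})
READ_WRITE = WRITE | {"read"}

# Hypothetical policy for a "document" resource kind. Deny rules are evaluated first and win.
DOCUMENT_POLICY = [
    Rule("deny-confidential-on-untrusted-device", "deny", READ_WRITE,
         lambda p, r, c: r.get("sensitivity") == "confidential" and not c.get("device_compliant", False)),
    # A missing session_risk attribute counts as high, so an incomplete context cannot unlock writes.
    Rule("deny-writes-unless-session-risk-low", "deny", WRITE,
         lambda p, r, c: c.get("session_risk", "high") != "low"),
    Rule("owner-full-access", "allow", READ_WRITE,
         lambda p, r, c: p.get("id") == r.get("owner")),
    Rule("department-read-non-confidential", "allow", frozenset({"read"}),
         lambda p, r, c: p.get("department") is not None
                         and p.get("department") == r.get("department")
                         and r.get("sensitivity") in ("public", "internal")),
    # Machine identities get their own narrow rule instead of inheriting a human role.
    Rule("service-account-read-scope", "allow", frozenset({"read"}),
         lambda p, r, c: p.get("kind") == "service" and "docs:read" in p.get("scopes", ())),
]

AUDIT_LOG: list[dict[str, Any]] = []


def decide(policy: list[Rule], principal: Attrs, resource: Attrs, action: str, context: Attrs) -> Decision:
    """Evaluate one request. Deny overrides allow; nothing matched means deny;
    an exception while evaluating a condition also means deny (fail closed)."""
    try:
        for rule in policy:
            if rule.effect == "deny" and action in rule.actions and rule.condition(principal, resource, context):
                return Decision(False, rule.id, "explicit deny")
        for rule in policy:
            if rule.effect == "allow" and action in rule.actions and rule.condition(principal, resource, context):
                return Decision(True, rule.id, "explicit allow")
    except Exception as exc:  # e.g. malformed attributes supplied by a caller
        return Decision(False, "evaluation-error", f"fail closed: {exc!r}")
    return Decision(False, "default-deny", "no allow rule matched")


def authorize(principal: Attrs, resource: Attrs, action: str, context: Attrs,
              policy: list[Rule] = DOCUMENT_POLICY) -> Decision:
    """The single call application code makes instead of inline role checks.
    Every decision is recorded with the rule that produced it (the 'why' for auditors)."""
    d = decide(policy, principal, resource, action, context)
    AUDIT_LOG.append({"principal": principal.get("id"),
                      "resource": resource.get("id") if isinstance(resource, dict) else None,
                      "action": action, "allowed": d.allowed, "rule": d.rule_id, "reason": d.reason})
    return d


# Constructed sample identities, resources and contexts (not real data).
ALICE = {"id": "u-alice", "kind": "human", "department": "finance"}
BOB = {"id": "u-bob", "kind": "human", "department": "finance"}
REPORT_BOT = {"id": "svc-report", "kind": "service", "scopes": ("docs:read",)}
INTERNAL_DOC = {"id": "doc-1", "owner": "u-bob", "department": "finance", "sensitivity": "internal"}
SECRET_DOC = {"id": "doc-2", "owner": "u-bob", "department": "finance", "sensitivity": "confidential"}
TRUSTED = {"device_compliant": True, "session_risk": "low"}
UNTRUSTED = {"device_compliant": False, "session_risk": "low"}

# Table-driven allow/deny cases that would gate a policy change in CI:
# (principal, resource, action, context, expected_allowed, expected_rule_id)
POLICY_TEST_CASES = [
    (ALICE, INTERNAL_DOC, "read", TRUSTED, True, "department-read-non-confidential"),
    (ALICE, SECRET_DOC, "read", TRUSTED, False, "default-deny"),
    (ALICE, INTERNAL_DOC, "update", TRUSTED, False, "default-deny"),
    (BOB, SECRET_DOC, "update", TRUSTED, True, "owner-full-access"),
    (BOB, SECRET_DOC, "read", UNTRUSTED, False, "deny-confidential-on-untrusted-device"),
    (BOB, INTERNAL_DOC, "delete", {"device_compliant": True}, False, "deny-writes-unless-session-risk-low"),
    (REPORT_BOT, INTERNAL_DOC, "read", {}, True, "service-account-read-scope"),
    (REPORT_BOT, SECRET_DOC, "read", {}, False, "deny-confidential-on-untrusted-device"),
    (ALICE, None, "read", TRUSTED, False, "evaluation-error"),   # malformed resource -> fail closed
]


def run_policy_tests(policy: list[Rule] = DOCUMENT_POLICY) -> list[str]:
    """Return a list of mismatches; an empty list means the policy behaves as specified."""
    failures = []
    for principal, resource, action, context, want_allowed, want_rule in POLICY_TEST_CASES:
        got = decide(policy, principal, resource, action, context)
        if (got.allowed, got.rule_id) != (want_allowed, want_rule):
            failures.append(f"{principal['id']} {action} -> {got.rule_id} (allowed={got.allowed}), "
                            f"expected {want_rule} (allowed={want_allowed})")
    return failures


if __name__ == "__main__":
    print(authorize(ALICE, INTERNAL_DOC, "read", TRUSTED))
    print("policy test failures:", run_policy_tests())
```

The points worth noticing are the defaults: a context that omits session_risk is treated as high risk, a resource that cannot be read at all produces a denial rather than an exception propagating into the application, and the audit record names the rule, so "why was this allowed" is answered from the decision log rather than by reading application code.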

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

PBAC is becoming necessary because broken access control is an authorization governance failure, not just a coding bug. When teams distribute permission checks across services, the control surface becomes impossible to reason about at scale. That is why the same access pattern can be denied in one app and accidentally allowed in another. The practitioner conclusion is straightforward: authorization needs a central governance model, not a patchwork of local implementation choices.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most machine-identity estates remain difficult to govern in practice.

A question worth separating out:

Q: How do you know if authorization policy is actually improving least privilege?

A: Look for fewer embedded access checks, fewer exceptions that bypass the policy path, and clearer audit evidence for who can access what and why. If teams still need to inspect application code to explain access, the policy model is not yet governing the system effectively.

👉 Read our full editorial: Policy-based access control is back for modern authorization
