TL;DR: Authorization policy now renders as a permissions grid that maps roles to actions and exposes allowed, denied, and conditional outcomes in a format business, compliance, and support teams can read without parsing policy files, according to Cerbos. The shift matters because authorization drift and wildcard grants become visible before they reach production.
NHIMG editorial — based on content published by Cerbos: permissions matrices for authorization policy review
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should teams review authorization policy when business users cannot read policy files?
A: Teams should review the effective permissions, not only the policy source.
Q: When does a permissions matrix add more value than reading authorization rules directly?
A: A permissions matrix adds the most value when policies contain derived roles, layered conditions, or wildcard rules that are difficult to evaluate mentally.
Q: What do security teams get wrong about conditional authorization rules?
A: Teams often treat conditional rules as a minor exception, when they are usually the core of the access decision.
Practitioner guidance
- Review effective permissions, not just source policy: use the matrix view for access reviews whenever policy complexity is high enough that non-authors cannot reliably interpret the source files.
- Flag conditional cells as decision points: treat conditional outcomes as governance hotspots that require explicit ownership, documented request context, and periodic revalidation.
- Inspect wildcard reach before release: make wildcard coverage part of change approval for policies that use pattern-based grants.
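As an added illustration (not Cerbos code and not its policy format or evaluation order), the Python below builds a role-by-action effective permissions matrix from a small constructed rule set, resolves every cell to ALLOW, DENY or CONDITIONAL, and reports the two things the guidance above asks reviewers to check: what each wildcard grant actually expands to, and which cells depend on request context. The rule tuple layout, deny-overrides and default-deny semantics are assumptions made for this example.

```python
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed, simplified rule model for illustration only (NOT the Cerbos policy
# format): (role, action pattern, effect, optional request-time condition).
# Assumed semantics: explicit deny overrides allow, an allow that holds only under
# a condition yields CONDITIONAL, and a cell matched by no rule is DENY.
Rule = Tuple[str, str, str, Optional[str]]

RULES: List[Rule] = [
    ("admin",  "*",      "allow", None),                                     # wildcard grant
    ("editor", "view",   "allow", None),
    ("editor", "edit",   "allow", "request.principal.id == resource.owner"), # ABAC condition
    ("editor", "delete", "deny",  None),
    ("viewer", "view",   "allow", None),
]
ROLES = ["admin", "editor", "viewer"]
ACTIONS = ["view", "edit", "delete", "export"]  # 'export' is reachable only via the wildcard

def effective_cell(role: str, action: str, rules: List[Rule]) -> str:
    """Resolve one (role, action) cell of the matrix to ALLOW, DENY or CONDITIONAL."""
    hits = [r for r in rules if r[0] == role and fnmatch.fnmatchcase(action, r[1])]
    if any(r[2] == "deny" for r in hits):
        return "DENY"
    if any(r[2] == "allow" and r[3] is None for r in hits):
        return "ALLOW"
    if any(r[2] == "allow" for r in hits):
        return "CONDITIONAL"
    return "DENY"  # default deny: nothing granted this cell

def build_matrix(roles, actions, rules) -> Dict[str, Dict[str, str]]:
    """The effective permissions grid: role -> action -> outcome."""
    return {role: {a: effective_cell(role, a, rules) for a in actions} for role in roles}

def wildcard_reach(rules, actions) -> Dict[Tuple[str, str], List[str]]:
    """For each pattern-based grant, list the concrete actions it expands to."""
    return {(r[0], r[1]): [a for a in actions if fnmatch.fnmatchcase(a, r[1])]
            for r in rules if any(ch in r[1] for ch in "*?[")}

def conditional_cells(roles, actions, rules) -> List[Tuple[str, str, str]]:
    """Cells whose outcome depends on request context, with the condition behind each."""
    out = []
    for role in roles:
        for a in actions:
            if effective_cell(role, a, rules) == "CONDITIONAL":
                conds = [r[3] for r in rules if r[0] == role and fnmatch.fnmatchcase(a, r[1]) and r[3]]
                out.append((role, a, " OR ".join(conds)))
    return out

if __name__ == "__main__":
    for role, row in build_matrix(ROLES, ACTIONS, RULES).items():
        print(f"{role:<8}" + "".join(f"{row[a]:<13}" for a in ACTIONS))
    print("wildcard reach:", wildcard_reach(RULES, ACTIONS))
    print("conditional cells:", conditional_cells(ROLES, ACTIONS, RULES))
```

The admin row shows the wildcard silently covering `export`, an action no explicit rule mentions, which is exactly the kind of reach a reviewer wants surfaced before release.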
What's in the full article
Cerbos' full announcement covers the operational detail this post intentionally leaves for the source:
- A walk-through of how the Source and Effect matrix behave across compiled policy bundles and deployment views
- The specific ways conditional cells expose ABAC logic at request time, including how reviewers drill into the rule behind each outcome
- Examples of wildcard coverage in policy cells and how that reach appears in the hub interface during review
- The product workflow for using the permissions grid inside Cerbos Hub across existing deployments
Read Cerbos' announcement on the permissions matrix for authorization policy.
Permissions matrices for authorization policy: are your reviews easier now?