TL;DR: As SaaS products add nested resources, custom roles, enterprise IdP mapping, and scoped AI workflows, traditional RBAC and schema-driven FGA models break down, according to WorkOS. The real issue is not authorization logic alone but an access model that assumes product structure stays stable long enough to fit a fixed schema.
NHIMG editorial — based on content published by WorkOS: FGA and how WorkOS is rethinking authorization for the next generation of SaaS
By the numbers:
- The design reflects direct feedback from more than 50 enterprise SaaS teams who outgrew flat RBAC.
Questions worth separating out
Q: How should security teams prevent role explosion as SaaS products grow?
A: They should design access around the product's resource hierarchy, binding a small fixed set of roles at the right level of that hierarchy, rather than around an ever-growing list of role names.
Q: Why do fine-grained authorization models become hard to govern at scale?
A: They become hard to govern when the schema, resource graph, and application logic evolve at different speeds.
Q: What breaks when AI agents inherit a user's full access in SaaS applications?
A: The access boundary collapses, because the agent can act with more authority than the task requires.
Practitioner guidance
- Map authorization to resource hierarchy early: define the product's stable resource layers before the role list grows.
- Limit role variants before they multiply: review every new access exception and ask whether it creates a new role or should inherit from an existing scoped role.
- Keep high-cardinality resources local: avoid syncing every volatile object into a remote authorization layer.
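The three points above, together with the questions on role explosion and agent over-privilege, are easier to reason about in code. The following is an added illustration written for this editorial; it is not WorkOS's code or API. It assumes a fixed hierarchy of org > workspace > project, a small fixed role set, documents that are high-cardinality and therefore checked locally by the application rather than synced into the authorization graph, and an AI agent that acts under a delegation intersecting the user's access with a task scope. All names (`Authz`, `Resource`, `AgentDelegation`, the sample users and projects) are invented for the example.

```python
# Added example: hierarchical authorization with scoped roles, local
# high-cardinality checks, and bounded agent delegation. Not WorkOS code.
from dataclasses import dataclass, field

# A small fixed role set. A new access exception is met by binding one of
# these at a narrower node, not by minting yet another role name.
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "share", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}

@dataclass
class Resource:
    id: str
    kind: str                        # "org", "workspace" or "project"
    parent: "Resource | None" = None  # None for the org root

@dataclass
class Grant:
    subject: str      # user id
    role: str
    resource: Resource  # node the role is bound to; applies to its subtree

@dataclass
class Authz:
    grants: list = field(default_factory=list)

    def grant(self, subject, role, resource):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.grants.append(Grant(subject, role, resource))

    def permissions(self, subject, resource):
        """Union of permissions from roles bound at resource or any ancestor."""
        perms, node = set(), resource
        while node is not None:
            for g in self.grants:
                if g.subject == subject and g.resource is node:
                    perms |= ROLE_PERMISSIONS[g.role]
            node = node.parent
        return perms

    def check(self, subject, action, resource):
        return action in self.permissions(subject, resource)

@dataclass
class Document:            # high-cardinality: lives in the app, not the graph
    id: str
    project: Resource
    owner: str

def can_delete_document(authz, subject, doc):
    """Document rule evaluated locally: owner, or inherited project 'delete'."""
    return doc.owner == subject or authz.check(subject, "delete", doc.project)

def _within(node, ancestor):
    while node is not None:
        if node is ancestor:
            return True
        node = node.parent
    return False

@dataclass
class AgentDelegation:
    principal: str        # user the agent acts for
    allowed_actions: set  # task scope
    resource: Resource    # subtree the task is confined to

def agent_permissions(authz, delegation, resource):
    """Agent gets (user's permissions) & (task actions), only inside the
    delegated subtree. It never inherits the user's full access."""
    if not _within(resource, delegation.resource):
        return set()
    user_perms = authz.permissions(delegation.principal, resource)
    return user_perms & delegation.allowed_actions

def demo():
    # Constructed sample tenant, not real data.
    org = Resource("acme", "org")
    ws = Resource("eng", "workspace", org)
    proj_a = Resource("proj-a", "project", ws)
    proj_b = Resource("proj-b", "project", ws)
    authz = Authz()
    authz.grant("alice", "admin", org)      # inherits to every node
    authz.grant("bob", "editor", ws)        # inherits to both projects
    authz.grant("carol", "viewer", proj_a)  # scoped exception, same role set
    doc = Document("d1", proj_a, owner="carol")
    deleg = AgentDelegation("bob", {"read"}, proj_a)  # read-only, proj_a only
    return {
        "alice_delete_proj_b": authz.check("alice", "delete", proj_b),
        "bob_write_proj_b": authz.check("bob", "write", proj_b),
        "carol_read_proj_b": authz.check("carol", "read", proj_b),
        "carol_delete_doc": can_delete_document(authz, "carol", doc),
        "bob_delete_doc": can_delete_document(authz, "bob", doc),
        "agent_proj_a": agent_permissions(authz, deleg, proj_a),
        "agent_proj_b": agent_permissions(authz, deleg, proj_b),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to notice is that Carol's narrower access is a `viewer` binding at `proj-a`, not a new role; documents never enter `Authz` at all, and the agent acting for Bob ends up with `{"read"}` on `proj-a` and nothing on `proj-b` even though Bob himself can write to both.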
What's in the full article
WorkOS's full post covers the operational detail this post intentionally leaves for the source:
- The resource hierarchy design patterns used to avoid role explosion across nested SaaS objects.
- The implementation details for high-cardinality resources that stay local instead of being synced into a remote graph.
- The enterprise identity mapping examples for Entra, Okta, SSO, and SCIM-driven access.
- The product-side rollout path for adopting hierarchical authorization without rewriting existing RBAC models.
👉 Read WorkOS's article on hierarchical authorization for SaaS products →
RBAC is breaking in SaaS authorization. What comes next?