
Runtime authorization in identity security: where the gap still is

Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: Identity security now spans human users, workloads, service accounts, and AI agents, but most programmes still fail at the runtime authorization layer where each request is actually allowed or denied, according to Cerbos. The missing control is not more login logic but externalised, context-aware decisioning at the moment of access.

NHIMG editorial — based on content published by Cerbos: Identity security in 2026 and the runtime authorization gap

Questions worth separating out

Q: How should security teams implement runtime authorization in identity security programmes?

A: Security teams should move the final allow-or-deny decision out of application code and into a dedicated policy layer that evaluates identity, resource, action, and context at request time.

Q: Why does identity security become harder when workloads and AI agents are part of the access model?

A: Identity security becomes harder because workloads and AI agents act through delegated access paths that, unlike a human login, are not fixed in advance.

Q: What breaks when authorization is embedded inside application code?

A: When authorization lives inside application code, policy changes require redeployments, audit questions require code inspection, and access decisions can vary from service to service.

Practitioner guidance

  • Externalize runtime authorization: move allow-or-deny decisions out of application code and into a dedicated policy layer so every service evaluates the same rules at request time.
  • Model workloads and agents as governed principals: assign explicit identity objects, context attributes, and audit trails to service accounts, workloads, and AI agents instead of treating them as side effects of application access.
  • Separate provisioning from decisioning: keep joiners-movers-leavers, PAM, and certification workflows in governance tools, but require a live authorization decision before sensitive actions are executed.
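As an added illustration (not Cerbos' code and not part of the original post), here is a minimal decision point in Python that follows the three points above: it evaluates principal, resource, action and request context at call time, treats a workload and an AI agent as explicit principals, bounds an agent to the rights of the user it acts for, and writes one audit record per decision. The policy, principal names and invoice resource are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    id: str
    kind: str                                   # "human", "workload" or "agent"
    roles: set
    attrs: dict = field(default_factory=dict)   # e.g. approval_limit, on_behalf_of

@dataclass
class Decision:
    effect: str                                 # "ALLOW" or "DENY"
    reason: str

AUDIT = []   # one record per runtime decision, for the audit trail
# Constructed policy: resource kind -> rules of (actions, required roles, context condition).
# "approve" is sensitive: only a human, with MFA in the request context, within their limit.
POLICIES = {
    "invoice": [
        {"actions": {"view"}, "roles": {"finance"},
         "cond": lambda p, r, ctx: True},
        {"actions": {"approve"}, "roles": {"finance"},
         "cond": lambda p, r, ctx: p.kind == "human" and ctx.get("mfa") is True
                 and r["amount"] <= p.attrs.get("approval_limit", 0)},
    ]
}

def _record(p, r, action, effect, reason):
    AUDIT.append({"principal": p.id, "kind": p.kind, "resource": r["id"],
                  "action": action, "effect": effect, "reason": reason})
    return Decision(effect, reason)

def check(p, r, action, ctx):
    """Evaluate principal, resource, action and context at request time; default deny."""
    roles = p.roles
    if p.kind == "agent":                        # delegated path: agent acts for someone
        delegator = p.attrs.get("on_behalf_of")
        if delegator is None:
            return _record(p, r, action, "DENY", "agent has no delegating principal")
        roles = roles & delegator.roles          # an agent never exceeds its delegator
    for rule in POLICIES.get(r["kind"], []):
        if action in rule["actions"] and roles & rule["roles"] and rule["cond"](p, r, ctx):
            return _record(p, r, action, "ALLOW", "matched rule for " + action)
    return _record(p, r, action, "DENY", "no matching rule (default deny)")

# Constructed sample principals and resource (hypothetical names).
ALICE = Principal("alice", "human", {"finance"}, {"approval_limit": 1000})
AGENT = Principal("ap-assistant", "agent", {"finance"}, {"on_behalf_of": ALICE})
INVOICE = {"kind": "invoice", "id": "inv-42", "amount": 900}
```

Because the services call `check()` rather than carrying their own role checks, changing who may approve an invoice is a change to `POLICIES`, not a redeployment, and `AUDIT` answers "who was allowed to do what, and why" without reading application code.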

What's in the full article

Cerbos' full article covers the operational detail this post intentionally leaves for the source:

  • How Cerbos models runtime authorization as a dedicated decision layer between applications and identity sources.
  • How policy is written, versioned, and tested before it reaches production workloads.
  • How Synapse enriches decisions with live identity context from IdPs, databases, and infrastructure systems.
  • How the platform applies the same policy pattern to workloads, services, and AI agent tool calls.

👉 Read Cerbos' full analysis of identity security and runtime authorization →

