TL;DR: WebAssembly is reshaping Kubernetes authorization by making policy decision logic embeddable at the edge, in clusters, and on client devices, while keeping the same policy interface across runtimes, according to Cerbos. The governance question is no longer where policy lives, but how consistently access decisions are enforced as identity logic moves across execution environments.
NHIMG editorial — based on content published by Cerbos: an interview on WebAssembly, Kubernetes, and authorization at the edge
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
Questions worth separating out
Q: How should security teams govern authorization when policy runs in Kubernetes and at the edge?
A: They should treat policy as a distributed identity control, not a single central service.
Q: Why do distributed authorization models increase IAM governance complexity?
A: Because the same access rule can be enforced in several runtimes, which creates drift risk if policy artifacts are not synchronised.
Q: What breaks when authorization is embedded inconsistently across runtimes?
A: Auditability breaks first, followed by policy consistency and least-privilege assurance.
Practitioner guidance
- Inventory every authorization execution point Map where policy decisions happen today across Kubernetes services, edge runtimes, and embedded components.
- Version-control policy artifacts across runtimes Treat embedded policy decision points like deployable identity controls, with explicit versioning, rollback, and validation before promotion into production clusters or device runtimes.
- Trace authorization decisions end to end Require traces, logs, and metrics for every decision path so teams can prove which policy version made the call and where it executed, especially when authorization moves closer to the workload.
What's in the full article
Cerbos' full article covers the implementation detail this post intentionally leaves at the architecture level:
- How the embedded Policy Decision Point is packaged for Kubernetes, edge runtimes, and client devices
- How the WASM component model affects deployment compatibility across different runtime environments
- How Cerbos Hub generates artifacts for backend and embeddable execution paths
- How the AuthZEN alignment and CNCF runtime examples shape interoperability
👉 Read Cerbos' discussion of WebAssembly authorization in Kubernetes →
Wasm-based authorization in Kubernetes: what changes for IAM teams?
Explore further
Wasm-based authorization exposes a runtime governance gap, not just a deployment preference. Moving policy decision logic into Kubernetes components, edge functions, and devices changes where identity enforcement happens, which means the control surface becomes distributed. That distribution improves locality, but it also makes consistency, auditability, and policy drift the real governance concerns. Practitioners should treat authorization placement as an identity architecture decision, not a packaging choice.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Which frameworks help teams evaluate runtime authorization governance?
A: NIST Cybersecurity Framework 2.0 and zero trust architecture are the most relevant starting points because they focus on access control, continuous verification, and governance evidence. For workload identity, teams should also align authorization placement with the lifecycle of the service or workload.
👉 Read our full editorial: Wasm-driven authorization changes how Kubernetes policy is deployed