AI agents and NHIs are stretching authorization controls

TL;DR: Demand for authorization management platforms grew 4x in 2025 as enterprises pushed into AI agents, MCP servers, and non-human identities that inherit human-era permissions, making runtime authorization, auditability, and least privilege harder to sustain according to Cerbos. The real shift is that access decisions are now happening too fast, too often, and too contextually for static role models to keep up.

NHIMG editorial — based on content published by Cerbos: A year of growth, focus, and enterprise adoption

By the numbers:

• 4x in 2025., Cerbos' authorization management platform grew 4x in 2025.
• Cerbos shipped 11 PDP updates and more than 20 product releases in total.
• Cerbos published 130+ guides helping engineers and security leaders understand emerging security risks.

Questions worth separating out

Q: How should security teams govern AI agent authorization in enterprise systems?

A: Security teams should govern AI agent authorization with runtime policy evaluation, not static roles alone.

Q: Why do non-human identities complicate least-privilege design?

A: Non-human identities complicate least privilege because they often inherit permissions across services, workflows, and environments that were never designed around a single accountable user.

Q: What breaks when authorization is still handled through static RBAC for AI systems?

A: Static RBAC breaks when access decisions depend on runtime context that roles cannot express, such as which tool an agent is calling or which dataset it is touching.

Practitioner guidance

• Separate runtime policy from static role assignment Move high-risk access decisions into context-aware policy evaluation so humans, services, and AI-driven workflows are judged on current conditions rather than inherited entitlements.
• Version and test authorization policies before promotion Treat policy changes like code changes, with review, testing, and rollback paths before deployment.
• Unify governance for human and non-human identities Map service accounts, workloads, and AI agents into the same entitlement review and exception process used for human access.

What's in the full article

Cerbos' full announcement covers the operational detail this post intentionally leaves for the source:

• How Cerbos Hub handles the full access control policy lifecycle across create, update, deploy, and audit phases.
• How Git-based workflows and CI integration are used to test and distribute policy changes in practice.
• How policy stores support tenant and environment separation without duplicating authorization logic.
• How the platform's audit trail captures who asked for what, under which policy version, and why it was allowed or denied.

👉 Read Cerbos' 2025 update on authorization management, AI, and NHI adoption →

AI agents and NHIs are stretching authorization controls?

Explore further

View Full Forum →  |  NHI Foundation Course →