Cerbos Hub Insights: are your authorization decisions readable now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Teams can see denies, active principals, and busy resource-action pairs instead of reading individual log lines as Cerbos Hub Insights adds aggregated charts and rankings on top of Cerbos PDP audit decisions, according to Cerbos. The real change is not visibility alone but the ability to spot authorization drift before it turns into production friction.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams use authorization analytics in production?

A: Security teams should use authorization analytics to spot drift, concentration, and malformed request patterns before they become user-facing incidents.

Q: Why do authorization logs alone fail to show governance risk?

A: Authorization logs show individual decisions, but governance risk emerges from patterns across many decisions.

Q: What signals show that authorization policies are drifting?

A: Look for rising denies after policy changes, a sharp drop or spike in active principals, and unusual concentration in a few resource-action pairs.

Practitioner guidance

  • Track denials as a production signal: Review hourly and daily deny trends alongside recent policy changes, application releases, and resource renames so you can separate expected tightening from accidental breakage.
  • Rank the principals that drive most traffic: Use active principal rankings to identify whether one service, client, or integration is carrying too much authorization load and deserves closer governance review.
  • Validate resource-action pair concentration: Inspect the most common resource and action combinations to see whether access patterns are healthy or whether a narrow set of operations is masking over-reliance on a few paths.

What's in the full announcement

Cerbos's full documentation covers the operational detail this post intentionally leaves for the source:

  • Step-by-step walkthrough of how the Insights page is populated from PDP decision data.
  • Exact filtering behaviour that links charts back into the underlying audit log.
  • Workspace role requirements for viewing audit logs and Insights content.
  • The available chart views for hourly and daily decision trends across the last seven and thirty days.

👉 Read Cerbos's documentation on Hub Insights for authorization decision analytics →
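As an added illustration that is not part of the original post or of Cerbos's own tooling, the script below computes the three signals the practitioner guidance lists (deny trend around a policy change, principal ranking, resource-action pair concentration) over a small constructed decision log. The log schema, the `svc-billing`/`alice`/`bob` principals and the `POLICY_CHANGE` timestamp are hypothetical; the real Cerbos audit-log format is not reproduced here.

```python
from collections import Counter
from datetime import datetime, timezone
import json

# Constructed sample decision log (a simplified, hypothetical schema, not the
# real Cerbos audit-log format): one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:05:00Z", "principal": "svc-billing", "resource": "invoice", "action": "view", "effect": "ALLOW"}
{"ts": "2024-05-01T09:10:00Z", "principal": "svc-billing", "resource": "invoice", "action": "view", "effect": "ALLOW"}
{"ts": "2024-05-01T09:15:00Z", "principal": "alice", "resource": "invoice", "action": "view", "effect": "ALLOW"}
{"ts": "2024-05-01T09:20:00Z", "principal": "svc-billing", "resource": "invoice", "action": "export", "effect": "ALLOW"}
{"ts": "2024-05-01T09:30:00Z", "principal": "bob", "resource": "report", "action": "view", "effect": "DENY"}
{"ts": "2024-05-01T10:05:00Z", "principal": "svc-billing", "resource": "invoice", "action": "view", "effect": "DENY"}
{"ts": "2024-05-01T10:10:00Z", "principal": "svc-billing", "resource": "invoice", "action": "view", "effect": "DENY"}
{"ts": "2024-05-01T10:12:00Z", "principal": "alice", "resource": "invoice", "action": "view", "effect": "ALLOW"}
{"ts": "2024-05-01T10:20:00Z", "principal": "svc-billing", "resource": "invoice", "action": "export", "effect": "DENY"}
{"ts": "2024-05-01T10:30:00Z", "principal": "bob", "resource": "report", "action": "view", "effect": "DENY"}
"""
# Hypothetical deploy time of a policy change, used to split before/after.
POLICY_CHANGE = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

def parse_decisions(raw):
    """Parse one JSON decision per line; timestamps become aware datetimes."""
    decisions = [json.loads(line) for line in raw.strip().splitlines()]
    for d in decisions:
        d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    return decisions

def deny_drift(decisions, change_ts, factor=2.0):
    """Deny rate before vs. after a policy change; a rise above factor x is drift."""
    def rate(ds):
        return sum(d["effect"] == "DENY" for d in ds) / len(ds) if ds else 0.0
    before = rate([d for d in decisions if d["ts"] < change_ts])
    after = rate([d for d in decisions if d["ts"] >= change_ts])
    return {"before": before, "after": after, "drift": after > factor * before}

def top_principals(decisions, n=3):
    """Rank principals by decision volume: who is carrying the authorization load."""
    return Counter(d["principal"] for d in decisions).most_common(n)

def pair_concentration(decisions, n=3):
    """Busiest resource-action pairs and the share of all decisions they absorb."""
    pairs = Counter((d["resource"], d["action"]) for d in decisions)
    top = pairs.most_common(n)
    return top, sum(c for _, c in top) / len(decisions)

if __name__ == "__main__":
    ds = parse_decisions(SAMPLE_LOG)
    print(deny_drift(ds, POLICY_CHANGE), top_principals(ds), pair_concentration(ds, 2))
```

On the sample, the deny rate jumps from 0.2 to 0.8 after the change and one service accounts for six of ten decisions, which is the kind of pattern a single log line never reveals.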

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Authorization is becoming an observability problem, not just a policy problem. When teams cannot see decision patterns, they miss the operational signals that show policy drift, misrouted calls, or a resource model that no longer matches production reality. That is especially true in environments where services and principals multiply faster than manual review cycles can keep up. The implication is that authorization governance now depends on trend visibility, not only on correct policy syntax.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who should be allowed to see authorization decision analytics?

A: Only the same roles that are trusted to review audit logs should see authorization decision analytics, because those charts reveal application structure and access behaviour. Treat the analytics layer as governed identity data. If visibility is broader than audit-log access, the monitoring surface becomes a new exposure rather than a control.

👉 Read our full editorial: Cerbos Hub Insights exposes authorization patterns teams were missing
