Cerbos PDP updates: performance gains, JWT hardening, and what to check


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: According to the Cerbos release notes, v0.52.0 and v0.53.0 focus on PDP performance, JWT verification hardening, new CEL path functions, and bug fixes, including removal of a risky JWT verification cache and a fix for a query plan regression. The lesson for IAM teams is that a policy engine needs both throughput headroom and token-handling discipline: decision quality, not just speed, is part of the control plane.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams handle JWT verification changes in a policy engine?

A: Treat JWT verification as part of the authorisation trust boundary, not a performance detail. Any cached or partially reused verification result is an input to the decision, so a change in how tokens are checked belongs in the same review as a change to the policies themselves.

Q: When does PDP performance become an IAM governance issue?

A: It becomes a governance issue whenever latency or resource pressure changes whether policy is enforced consistently at production scale.

Q: What should teams validate when policy languages add path functions?

A: Validate normalization, prefix matching, relative path handling, and platform-specific separators. A rule that matches on the raw string can be bypassed by an equivalent spelling of the same object, so test the functions with inputs that differ only in form.

Practitioner guidance

  • Re-benchmark PDP capacity after upgrading: measure decision latency, CPU, and memory under production-like request volume before and after the release, so a throughput change is confirmed rather than assumed.
  • Recheck token verification assumptions: confirm that every request carrying JWT claims is revalidated on the authoritative path, and that no downstream component treats reused token state as trusted evidence for a policy decision.
  • Test path-based rules with normalization edge cases: add coverage for absolute paths, relative paths, extension handling, and cross-platform separators so the new CEL path functions do not mask authorization errors in file or object-storage policies.
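The token-revalidation point above (the JWT question and the second bullet) is easier to reason about with a concrete failure mode in front of you. The following is an added example written for this post; it is not Cerbos code and does not describe the cache Cerbos removed. It builds an HS256 JWT with a constructed demo key, implements the authoritative verification path, and then wraps it in a memoising verifier that can be run in two modes: caching the whole verification result by token string (the risky pattern: a token verified once keeps being accepted after its `exp`), or caching only the signature check and re-evaluating expiry on every request. The `Verifier` type, its `RecheckExp` flag and the claim set are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims a policy decision would depend on (constructed for the example).
type Claims struct {
	Sub   string   `json:"sub"`
	Exp   int64    `json:"exp"`
	Roles []string `json:"roles"`
}

type header struct {
	Alg string `json:"alg"`
}

var b64 = base64.RawURLEncoding

// SignHS256 mints a compact JWS over the claims; the key is a constructed demo secret.
func SignHS256(c Claims, key []byte) string {
	h, _ := json.Marshal(header{Alg: "HS256"})
	p, _ := json.Marshal(c)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 is the authoritative path: algorithm pinned by the verifier,
// constant-time signature compare, expiry evaluated against the supplied clock.
func VerifyHS256(token string, key []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return Claims{}, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var h header
	if err := json.Unmarshal(raw[0], &h); err != nil || h.Alg != "HS256" {
		return Claims{}, fmt.Errorf("unreadable or unexpected alg %q", h.Alg) // the token never picks the algorithm
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(raw[2], mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return Claims{}, err
	}
	if c.Exp <= now.Unix() {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Verifier memoises by token string. With RecheckExp=false it reproduces the risky
// pattern: once a token is cached it is accepted for as long as it stays cached,
// whatever exp says. With RecheckExp=true only the signature check and parse are
// memoised and expiry is re-evaluated on every request. (Hypothetical type for this example.)
type Verifier struct {
	Key        []byte
	RecheckExp bool
	cache      map[string]Claims
}

func (v *Verifier) Verify(token string, now time.Time) (Claims, error) {
	if v.cache == nil {
		v.cache = map[string]Claims{}
	}
	c, ok := v.cache[token]
	if !ok {
		var err error
		if c, err = VerifyHS256(token, v.Key, now); err != nil {
			return Claims{}, err
		}
		v.cache[token] = c
	}
	if v.RecheckExp && c.Exp <= now.Unix() {
		delete(v.cache, token) // reused state is not evidence once the token has lapsed
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	key := []byte("constructed-demo-key")
	now := time.Unix(1_700_000_000, 0)
	tok := SignHS256(Claims{Sub: "svc-a", Exp: now.Unix() + 60, Roles: []string{"reader"}}, key)
	for _, v := range []*Verifier{{Key: key}, {Key: key, RecheckExp: true}} {
		v.Verify(tok, now)                               // warm the cache while the token is valid
		_, err := v.Verify(tok, now.Add(2*time.Minute)) // replay the same token after exp
		fmt.Printf("recheckExp=%v accepted-after-expiry=%v\n", v.RecheckExp, err == nil)
	}
}
```

The test to port into your own pipeline is the replay in `main`: warm whatever cache sits in front of the PDP with a valid token, advance the clock past `exp`, and confirm the decision flips to deny. If it does not, some component is treating reused token state as trusted evidence. A production cache would also bound its size and key on something shorter than the full token, but neither change alters the expiry point shown here.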
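The path-function question above and the third bullet list the edge cases to test but do not show what goes wrong without them. The following added example (written for this post, not Cerbos code and not the CEL functions the release adds) puts the naive string-prefix check beside a normalising one and exercises exactly those cases: a sibling that shares a string prefix, a `..` segment, a relative key, backslash separators, and case or double extensions. Two policy choices are assumed for the example and would need to match your store's semantics: backslashes are treated as separators, and keys are rooted at the store's root, so a relative key is the same object as its slash-prefixed form and `..` cannot climb above `/`.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// NaiveUnderPrefix is where path rules usually start. It is fooled three ways,
// shown in main: "/data/user1" matches "/data/user10", ".." is never resolved,
// and a backslash-separated spelling of an allowed object is not recognised.
func NaiveUnderPrefix(p, prefix string) bool {
	return strings.HasPrefix(p, prefix)
}

// Normalize canonicalises an object key before any rule looks at it.
// Assumed policy for this example: backslashes are separators (reject them
// instead if your stores never produce them), and every key is rooted at "/",
// so relative keys are absolute keys and ".." cannot escape the root.
func Normalize(p string) string {
	p = strings.ReplaceAll(p, "\\", "/")
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p) // collapses "//" and "/./", resolves ".." within the root
}

// UnderPrefix reports whether p is prefix itself or lies below it on a segment
// boundary, after both sides are normalised.
func UnderPrefix(p, prefix string) bool {
	np, npre := Normalize(p), Normalize(prefix)
	if npre == "/" {
		return true
	}
	return np == npre || strings.HasPrefix(np, npre+"/")
}

// HasAllowedExt compares only the final extension, case-insensitively, so
// "report.PDF" passes a ".pdf" allow-list and "report.pdf.exe" does not.
func HasAllowedExt(p string, allowed ...string) bool {
	ext := strings.ToLower(path.Ext(Normalize(p)))
	for _, a := range allowed {
		if ext == strings.ToLower(a) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: every row should be read as "is this object under /data/user1?"
	cases := []string{
		"/data/user1/report.pdf",
		"/data/user10/report.pdf",
		"/data/user1/../user2/secret",
		"data/user1/report.pdf",
		`\data\user1\report.pdf`,
	}
	for _, p := range cases {
		fmt.Printf("%-32q naive=%-5v normalised=%v\n", p, NaiveUnderPrefix(p, "/data/user1"), UnderPrefix(p, "/data/user1"))
	}
}
```

The second and third rows are the ones that matter for authorization: the naive check grants them and the normalising check denies them. The last two rows show the opposite failure, a legitimate object denied because of its spelling, which is how an over-strict rule quietly breaks a workload rather than a security boundary. Run the same table against the CEL path functions you adopt and confirm each row lands where your policy intends.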

What's in the full announcement

Cerbos' full release notes cover the operational detail this post intentionally leaves for the source:

  • Exact change notes for the PDP performance work in v0.52.0 and how the engine data structures were tuned
  • The JWT verification cache removal rationale and the expected request-path impact if your deployment depended on caching
  • The full list of CEL path functions added for policy authors working with file and object-storage paths
  • The OpenTelemetry semantic convention changes that may require dashboard and alert updates after upgrade

👉 Read Cerbos’ release notes on PDP performance, JWT hardening, and bug fixes →
