
Event streaming identity controls: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Event streaming teams still rely on coarse topic-level ACLs, fragmented identity models, and complex mTLS setups even as Kafka underpins financial transactions and AI inference pipelines, according to Kong. The security gap is no longer theoretical: event systems need identity-aware policy enforcement, not just infrastructure controls.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams enforce least privilege for Kafka event consumers?

A: Security teams should enforce least privilege by mapping trusted identity claims into event authorization, then restricting publishers and consumers to the smallest usable stream scope.

Q: Why do event-driven systems create identity governance problems for IAM teams?

A: Event-driven systems create identity governance problems because they often expose data through broker-level controls that do not understand user, tenant, or workload context.

Q: What breaks when Kafka access is managed only with static ACLs?

A: Static ACLs break down when multiple business units, partners, or AI consumers need different levels of access to the same stream.

Practitioner guidance

  • Map identity claims into event policy decisions: Inventory the claims your IdP already issues for roles, tenants, and scopes, then define which ones should govern publish and consume rights at the event edge.
  • Centralise mTLS trust and certificate lifecycle ownership: Move trusted certificate bundles into one governed control point and make certificate issuance, rotation, and revocation visible to the team enforcing event access.
  • Separate broker transport from authorisation logic: Use the gateway to validate the connection and decide access, then leave Kafka to do what it does best as a stream processor rather than a policy engine.

What's in the full announcement

Kong's full post covers the operational detail this post intentionally leaves for the source:

  • How OAuth claim mapping is configured for roles, scopes, and tenant identifiers in event policies
  • How native mTLS trust stores are maintained centrally in Kong Konnect for Kafka-linked environments
  • How the gateway extracts certificate principals and applies per-client policy and audit logic
  • How teams can test OAuth-based policies and mTLS configurations in an existing Kafka setup

👉 Read Kong's post on identity-aware security and policy enforcement for event streaming →


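As an added illustration of the claim-mapping guidance above (example code, not from the post or from Kong), the following Python contrasts a static topic-level ACL with a decision that consumes IdP-issued claims for role, tenant and scope. The policy table shape, claim names, scope strings and topic names are all constructed assumptions for the example.

```python
"""Claim-aware authorization for Kafka publish/consume requests (constructed example)."""
from dataclasses import dataclass

# Static topic-level ACL as a broker expresses it: principal -> topic -> operations.
# It has no notion of tenant or scope, so every consumer of "payments" sees every tenant.
STATIC_ACL = {
    "svc-partner-a": {"payments": {"consume"}},
    "svc-fraud-model": {"payments": {"consume"}},
}

@dataclass(frozen=True)
class Request:
    principal: str
    operation: str   # "publish" or "consume"
    topic: str
    tenant: str      # tenant whose records this request touches

# Hypothetical claim-to-policy mapping (not Kong's format): which role may perform which
# operation on which topic prefix, and whether the token's tenant claim must match.
POLICY = [
    {"role": "partner", "operation": "consume", "topic_prefix": "payments", "tenant_bound": True},
    {"role": "fraud-model", "operation": "consume", "topic_prefix": "payments", "tenant_bound": False},
    {"role": "ledger", "operation": "publish", "topic_prefix": "payments", "tenant_bound": True},
]

# Constructed sample claims as an IdP might issue them in an access token.
PARTNER_A_CLAIMS = {"sub": "svc-partner-a", "roles": ["partner"], "tenant": "acme", "scope": "events:consume"}
FRAUD_CLAIMS = {"sub": "svc-fraud-model", "roles": ["fraud-model"], "scope": "events:consume"}

def static_acl_allows(req: Request) -> bool:
    """Broker-style check: topic and operation only, blind to tenant and scope."""
    return req.operation in STATIC_ACL.get(req.principal, {}).get(req.topic, set())

def claims_allow(claims: dict, req: Request) -> tuple[bool, str]:
    """Gateway-style check: the decision is made from roles, tenant and scope claims."""
    scope_needed = f"events:{req.operation}"
    if scope_needed not in claims.get("scope", "").split():
        return False, f"missing scope {scope_needed}"
    for rule in POLICY:
        if rule["role"] not in claims.get("roles", []):
            continue
        if rule["operation"] != req.operation or not req.topic.startswith(rule["topic_prefix"]):
            continue
        if rule["tenant_bound"] and claims.get("tenant") != req.tenant:
            return False, f"tenant mismatch: token={claims.get('tenant')} stream={req.tenant}"
        return True, f"allowed by role {rule['role']}"
    return False, "no matching rule"

if __name__ == "__main__":
    cross_tenant = Request("svc-partner-a", "consume", "payments", "globex")
    print("static ACL:", static_acl_allows(cross_tenant))   # True: the blunt control lets it through
    print("claims:", claims_allow(PARTNER_A_CLAIMS, cross_tenant))  # (False, tenant mismatch)
```

The cross-tenant read is the case the post describes: the static ACL answers "can this principal read the topic" while the claim-aware check answers "may this partner read this tenant's records".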
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7546
 

Event streaming has reached the point where identity controls must move with the data path. Kafka and similar platforms now carry financial transactions, partner integrations, and AI inference workflows, which means topic-level ACLs are too blunt for real governance. The identity problem is no longer whether a system can connect, but whether it can carry enough context to make a decision at the point of access. Practitioners should treat event security as part of IAM and NHI governance, not as a separate broker-hardening exercise.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How should organisations govern non-human consumers of event streams?

A: Organisations should govern non-human consumers with the same discipline used for other machine identities: scoped access, certificate or token lifecycle control, and full auditability. The key difference is that event consumers may act at high speed and at scale, so entitlements must be explicit and continuously reviewable before data is exposed.

👉 Read our full editorial: Identity-aware policy enforcement is arriving in event streaming
