TL;DR: As cloud estates grow, role-based, ticket-driven access breaks down and leaves excessive permissions behind, while attribute-based access control uses identity and data attributes to calculate access dynamically across human and agent identities, according to Collibra. Least privilege becomes a policy outcome instead of an audit backlog, but only if the underlying attributes are governed well.
NHIMG editorial — based on content published by Collibra: Attribute-Based Access Controls, right data, right users
Questions worth separating out
Q: How should security teams implement attribute-based access control for cloud data?
A: Start by defining the identity and data attributes that represent real policy intent, then write rules that evaluate those attributes at request time.
Q: Why does ABAC matter when AI agents and humans share the same data platform?
A: Because the access decision needs to reflect who or what is acting, what data is being requested, and why the request exists.
Q: What breaks when access governance depends only on static roles?
A: Role-only models accumulate stale grants, duplicate roles, and exceptions that nobody has time to review.
Practitioner guidance
- Map access decisions to governed attributes: Define which identity and data attributes actually express policy intent, then retire role logic that only exists to compensate for missing metadata.
- Align masking and access grants to the same classification source: Use one classification and tagging model for both visibility and entitlement so access and masking cannot diverge across platforms.
- Scope AI agent access by task, owner, and intent: Treat AI agents as non-human identities that need just-enough access for a bounded task, not permanent entitlement.
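To make the three points above concrete, here is an added example (not Collibra's code, and not the attribute model from the full article) of a request-time ABAC evaluator: the attribute names, classification labels and rules are constructed for illustration, a single classification label drives both the entitlement decision and the masking level, and an agent identity is only allowed through when it has an accountable owner and its stated purpose matches the bounded task the data set is approved for.

```python
"""Added example, not Collibra's code: a minimal request-time ABAC evaluator.

Attribute names, classification labels and the rules below are constructed for
illustration; a real deployment reads them from the governed catalogue.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# One classification source drives BOTH entitlement and masking, so the two
# cannot diverge: the rank decides access, the same label decides the mask.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
MASK_FOR_LABEL = {"public": "none", "internal": "none",
                  "confidential": "partial", "restricted": "full"}

@dataclass(frozen=True)
class Subject:
    kind: str                      # "human" or "agent" (non-human identity)
    department: str
    clearance: str                 # a key of CLASSIFICATION_RANK
    task: Optional[str] = None     # agents: the bounded task they were launched for
    owner: Optional[str] = None    # agents: accountable human owner

@dataclass(frozen=True)
class Resource:
    owner_department: str
    classification: str            # a key of CLASSIFICATION_RANK
    allowed_tasks: FrozenSet[str] = frozenset()  # tasks this data set is approved for

def evaluate(subject: Subject, resource: Resource, purpose: str) -> Tuple[bool, str, List[str]]:
    """Compute (allowed, masking, deny_reasons) from attributes at request time.

    No role names are consulted: every decision is derived from identity
    attributes (department, clearance, task, owner) and data attributes
    (owning department, classification, approved tasks).
    """
    reasons = []
    if CLASSIFICATION_RANK[subject.clearance] < CLASSIFICATION_RANK[resource.classification]:
        reasons.append("clearance below data classification")
    if resource.classification != "public" and subject.department != resource.owner_department:
        reasons.append("cross-department access to non-public data")
    if subject.kind == "agent":
        # Just-enough access: an agent needs an owner, a declared task, and a
        # request purpose that matches a task this data set is approved for.
        if not subject.owner:
            reasons.append("agent has no accountable owner")
        if subject.task is None or purpose != subject.task or purpose not in resource.allowed_tasks:
            reasons.append("agent request outside its bounded task")
    if reasons:
        return False, "n/a", reasons
    return True, MASK_FOR_LABEL[resource.classification], []
```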
What's in the full article
Collibra's full post covers the operational detail this post intentionally leaves for the source:
- The exact attribute model used to drive access, masking, and policy evaluation across cloud data platforms.
- How native enforcement works in Snowflake, Databricks, and BigQuery without relying on a proxy layer.
- Examples of request-time access rules for sales, marketing, and regulated data use cases.
- How the same policy pattern is applied to AI agents that need just-enough access for a specific task.
Read Collibra's analysis of attribute-based access control for cloud data, "Attribute-based access control: are your access controls keeping up?"
Explore further
Role sprawl is now an access-risk problem, not just an admin burden. In cloud data platforms, manual role design cannot keep pace with the number of users, projects, data sets, and policy exceptions. Each extra role increases the chance of stale privilege, and each stale privilege expands future breach impact. For IAM and IGA teams, the operational symptom is permission backlog, but the security failure is accumulated over-entitlement.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How do teams know whether ABAC is actually improving governance?
A: Look for fewer one-off access tickets, fewer duplicate roles, and tighter consistency between classification, masking, and entitlement decisions. If attribute quality is weak or policies are full of exceptions, the control may be automated but not trustworthy.
Read our full editorial: Attribute-based access control exposes the limits of role sprawl