Authorization evidence gaps in access control audits: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Access control audits increasingly fail at the authorization layer, where enterprises can document roles and policies but still cannot prove who could do what, when, and why, according to Cerbos and the 2025 OWASP and Verizon findings cited in the article. The real governance gap is evidence of enforcement, not policy intent, and that gap spans human users, non-human identities, and AI agents.

NHIMG editorial — based on content published by Cerbos: access control audit blind spots and authorization governance

By the numbers:

Questions worth separating out

Q: How should security teams prove who had access to what in a regulated environment?

A: Security teams should prove access with runtime evidence, not just policy documents.

Q: Why do access reviews miss real authorization risk?

A: Access reviews often miss risk because they validate role labels instead of actual permissions.

Q: What breaks when non-human identities are authorized without oversight?

A: When non-human identities are left on standing privileges, access outlives the task, the owner, and sometimes the vendor relationship.

Practitioner guidance

  • Inventory where authorization decisions actually occur: map each sensitive application, API, and data layer to the system that makes the access decision, the system that enforces it, and the system that logs it.
  • Require proof of enforcement for critical systems: for your most sensitive applications, verify that every decision records the requesting identity, resource, action, outcome, policy version, and timestamp.
  • Rework access reviews around actual entitlements: stop validating only role names.
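A small audit check for the second and third points above, added here as an example and not code from Cerbos or the original post: it checks constructed decision log lines for the six evidence fields, derives who could do what from fully evidenced ALLOW decisions only, and compares that against constructed role labels to surface entitlements the label does not explain. The field names, sample records and role tables are all assumptions.

```python
import json
from collections import defaultdict

# The six evidence fields the post says every decision record must carry.
REQUIRED_FIELDS = ("principal", "resource", "action", "outcome", "policy_version", "timestamp")

# Constructed sample log (not real data): the bot's record has no timestamp
# and bob's has no policy_version, so neither can serve as proof.
SAMPLE_LOG = """\
{"principal":"alice","resource":"ledger/2024","action":"read","outcome":"ALLOW","policy_version":"v12","timestamp":"2025-03-01T10:02:11Z"}
{"principal":"alice","resource":"ledger/2024","action":"export","outcome":"ALLOW","policy_version":"v12","timestamp":"2025-03-01T10:03:40Z"}
{"principal":"svc-report-bot","resource":"ledger/2024","action":"export","outcome":"ALLOW","policy_version":"v12"}
{"principal":"bob","resource":"ledger/2024","action":"export","outcome":"DENY","timestamp":"2025-03-01T11:15:00Z"}
"""

# Constructed role labels and the actions each label is supposed to permit.
ROLE_LABELS = {"alice": "analyst", "bob": "analyst", "svc-report-bot": "reporting"}
ROLE_EXPECTED_ACTIONS = {"analyst": {"read"}, "reporting": {"read", "export"}}

def parse_decisions(text):
    """One JSON decision per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def evidence_gaps(records):
    """Record index -> missing evidence fields, for records that cannot prove a decision."""
    gaps = {}
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            gaps[i] = missing
    return gaps

def effective_entitlements(records):
    """Who could do what, taken only from fully evidenced ALLOW decisions."""
    allowed = defaultdict(set)
    for rec in records:
        if all(f in rec for f in REQUIRED_FIELDS) and rec["outcome"] == "ALLOW":
            allowed[rec["principal"]].add((rec["resource"], rec["action"]))
    return dict(allowed)

def review_against_roles(allowed):
    """Runtime permissions that go beyond what the principal's role label implies."""
    excess = {}
    for principal, grants in allowed.items():
        expected = ROLE_EXPECTED_ACTIONS.get(ROLE_LABELS.get(principal), set())
        extra = {g for g in grants if g[1] not in expected}
        if extra:
            excess[principal] = extra
    return excess
```

Running `review_against_roles(effective_entitlements(parse_decisions(SAMPLE_LOG)))` reports alice's export grant, which her "analyst" label never explains, while the bot's incomplete record is excluded from the evidence base rather than silently counted.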

What's in the full article

Cerbos's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step authorization inventory methods for applications, APIs, data layers, and machine identities
  • Implementation detail on externalized policy enforcement and auditable decision logging across systems
  • Practical guidance for handling non-human identities and AI agent tool calls in regulated environments
  • Cerbos's operating model for centralized policy management and decentralized enforcement

👉 Read Cerbos's full analysis of access control audit blind spots →
