TL;DR: Static IAM models were built to approve access, not continuously decide whether access should still exist after login, according to Opal Security. The implication is that authorization, not authentication, is now the control layer that determines blast radius, revocation speed, and whether access remains enforceable in modern environments.
NHIMG editorial — based on content published by Opal Security: How leading teams are modernizing authorization to reduce risk and regain control
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams implement just-in-time access without weakening governance?
A: Security teams should define JIT as a revocable control, not a convenience layer.
Q: Why do static access reviews fail in fast-moving cloud environments?
A: Static reviews fail because they describe yesterday's access state, while cloud environments change faster than review cycles can keep up.
Q: What should organisations measure to know if authorization controls are actually working?
A: They should measure operational enforcement, not just policy existence.
Practitioner guidance
- Map standing access to runtime enforcement gaps: Inventory where access is still granted through tickets, static roles, or manual approvals and identify which of those paths lack real-time revocation.
- Measure authorization maturity with enforcement metrics: Track the percentage of JIT versus standing access, mean time to revoke stale or risky access, and mean time to deprovision NHIs.
- Move high-risk policies into code-backed controls: Treat authorization rules as versioned infrastructure so they can be tested, peer reviewed, and rolled back.
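Added example, not code from the Opal Security article or from NHIMG: a small Python model of the first two steps above, run over a constructed grant inventory, that lists standing access reached through paths without real-time revocation, flags stale standing grants, and computes the JIT share, mean time to revoke flagged access and mean time to deprovision NHIs. The Grant fields, the assumption that only policy-engine grants are revocable in real time, and the 60-day staleness threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    principal: str
    kind: str                    # "human" or "nhi"
    resource: str
    mode: str                    # "jit" or "standing"
    path: str                    # how it was granted: ticket, static_role, manual, policy_engine
    granted: datetime
    last_used: Optional[datetime]
    flagged: Optional[datetime]  # when it was identified as stale/risky, or its owner was offboarded
    revoked: Optional[datetime]

# Assumption: only grants issued through the policy engine can be revoked in real time.
REALTIME_PATHS = {"policy_engine"}
NOW = datetime(2024, 6, 1)       # constructed "current time" for the sample inventory

def enforcement_gaps(grants):
    # Step 1: standing access whose grant path offers no real-time revocation.
    return [g for g in grants if g.mode == "standing" and g.path not in REALTIME_PATHS]

def stale_standing(grants, now=NOW, days=60):
    # Standing, unrevoked grants not exercised (or never used since grant) within `days`.
    cutoff = now - timedelta(days=days)
    return [g for g in grants if g.mode == "standing" and g.revoked is None
            and (g.last_used or g.granted) < cutoff]

def jit_ratio(grants) -> float:
    # Step 2: share of grants issued just-in-time rather than standing.
    return sum(g.mode == "jit" for g in grants) / len(grants)

def mean_time_to_revoke_hours(grants, kind=None) -> float:
    # Step 2: mean hours from flagging to revocation; kind="nhi" gives NHI deprovisioning time.
    waits = [(g.revoked - g.flagged).total_seconds() / 3600 for g in grants
             if g.flagged and g.revoked and (kind is None or g.kind == kind)]
    return sum(waits) / len(waits) if waits else 0.0

# Constructed sample inventory (not real data).
GRANTS = [
    Grant("alice", "human", "prod-db", "jit", "policy_engine", datetime(2024, 5, 30, 8), datetime(2024, 5, 30, 9), None, datetime(2024, 5, 30, 10)),
    Grant("bob", "human", "s3-bucket", "standing", "static_role", datetime(2024, 1, 10), datetime(2024, 4, 1), datetime(2024, 5, 1), datetime(2024, 5, 3)),
    Grant("ci-deployer", "nhi", "k8s-admin", "standing", "ticket", datetime(2023, 11, 1), datetime(2024, 5, 9), datetime(2024, 5, 10), datetime(2024, 5, 17)),
    Grant("svc-reporting", "nhi", "warehouse", "standing", "policy_engine", datetime(2024, 2, 1), datetime(2024, 5, 19), datetime(2024, 5, 20), datetime(2024, 5, 20, 12)),
    Grant("carol", "human", "admin-console", "standing", "manual", datetime(2024, 3, 15), None, None, None),
    Grant("ci-runner", "nhi", "registry", "jit", "policy_engine", datetime(2024, 5, 31, 7), datetime(2024, 5, 31, 7, 30), None, datetime(2024, 5, 31, 8)),
]
```

On this inventory the three standing grants issued via static role, ticket and manual approval are the enforcement gaps, one of them (carol's never-used console access) is stale, a third of grants are JIT, and NHIs take 90 hours on average to deprovision against 76 hours for flagged access overall.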
What's in the full article
Opal Security's full blog post covers the operational detail this analysis intentionally leaves at the framework level:
- A six-pattern maturity model for modern authorization, including security-owned infrastructure and unified identity visibility
- Examples of the metrics teams can use to measure enforcement depth, not just policy adoption
- How teams are using entitlement usage and behavioural telemetry to reduce privilege sprawl in practice
- The ebook referenced by the article, which expands the authorization maturity curve into implementation detail
👉 Read Opal Security's analysis of authorization maturity and real-time access control →
Authorization maturity and real-time access control: what changes now?
Explore further
Authorization maturity is now a control-plane problem, not an access-admin problem. The article is right to frame modern access control as something that must be enforced after login, because breaches increasingly exploit the gap between granted access and continued entitlement. That is true for human users and even more dangerous for non-human identities that can accumulate privilege silently. The practical conclusion is that entitlement governance must be treated as runtime enforcement, not annual housekeeping.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which is why access state tends to outlive business need.
A question worth separating out:
Q: Who is accountable when automated authorization decisions cause overexposure?
A: Accountability sits with the teams that own the policy, the enforcement path, and the exceptions process. If authorization is defined in one place and bypassed in another, no one truly governs the outcome. Mature programmes assign clear ownership for policy quality, runtime enforcement, and exception review.
👉 Read our full editorial: Authorization maturity is becoming the real access control plane