Cerbos blog

Demos, implementation guides, product updates and broader takes on authorization, identity and security. Written for the engineers, architects, security, identity and product leaders shaping how their teams ship and govern access.

Identity security in 2026
Featured

Identity security explained. The pillars most vendors cover (authentication, IGA, PAM, ITDR, ISPM, identity fabric), the shift to machine and AI agent identities, and the runtime authorization layer where most identity security programs still have a blind spot.

Guide
Anna Paykina, May 21, 2026

EIC 2026 takeaways: the identity stack built for humans will not hold up for AI agents

The identity stack built for humans does not hold up for AI agents and ephemeral workloads. Takeaways from EIC 2026 on signal-driven authorization, action-based provisioning, delegation chains, token issuer risk, and the four questions every CISO should ask about agent identity in the next 12 months.

Guide
Emre Baran, May 21, 2026

Already have authentication? Here's the authorization layer you still need.

Identity providers cover authentication, not fine-grained access control. See the authorization gaps they leave and how to evaluate a solution.

Guide
Anna Paykina, May 20, 2026

Tokens are authorization decisions: a guide to policy-driven token issuance

Tokens are authorization decisions, and most identity teams don't manage them as such. This article explains policy-driven token issuance, the three patterns Gartner calls Authorization Management Platforms, what AuthZEN changes, and how to govern AI agent tokens without hardcoding logic into the IdP.

Guide, Engineering
Alex Olivier, May 19, 2026

What is a Runtime Authorization Platform

Runtime Authorization Platforms explained. What runtime authorization actually means, how it differs from admin-time and event-time controls, why attacks land on the runtime layer, and what separates a real runtime platform from a policy engine. Covers architecture, deployment shapes, AuthZEN, and continuous evaluation.

Guide
Emre Baran, May 18, 2026

It's a dimmer switch, not a kill switch. How CISOs are rethinking AI agent governance

AI agent drift needs more than a kill switch. CISOs and IAM leaders in regulated industries are moving to a dimmer switch model, fine-grained runtime authorization that narrows agent access without breaking the workflow, with a complete audit trail of every decision and policy change.

Guide
Alex Olivier, May 14, 2026

From maps to bitmaps (and from bitmaps to bitmaps)

Inside the Cerbos PDP performance rewrite that took authorization decisions from 43.8 µs to 6.6 µs. This post walks through three iterations of the rule table index, why roaring bitmaps weren't the right fit, and how a custom bitmap with a meta layer beat both the previous index and roaring.

Engineering, Documentation
Sam Lock, May 13, 2026

AuthZEN, Shared Signals, SCIM Events, IPSIE: Notes from the OpenID Enterprise Panel

Notes from the OpenID Foundation enterprise panel on how Shared Signals, AuthZEN, SCIM Events and IPSIE fit as a stack, the missing reference architectures between specs, and where AI agents land against existing OAuth and OIDC primitives. With Atul Tulshibagwale, Mike Kiser, Dick Hardt and Alex Olivier.

Guide
Alex Olivier, May 11, 2026

How do you update authorization policies without redeploying your application?

Authorization policy updates without redeployment, explained. Cerbos separates policy from application code so permission changes become configuration updates, not code changes. Covers YAML policies, Cerbos Hub distribution, Git-based workflows, and customer results from 4G Capital, Human Managed, 9fin, BarrierSystems, and Utility Warehouse.

Guide
Emre Baran, May 08, 2026

IIW42 recap: Where agent authorization got real

IIW42 was the unconference where agent authorization stopped being theoretical. This recap covers what changed in agent identity, why the principal model is breaking, intent drift, the cross-trust-domain problem, and why identity matters more for accountability than for the policy decision itself.

Guide
Alex Olivier, May 07, 2026

Cerbos PDP v0.52.0/v0.53.0: Engine performance, security hardening, and CEL path functions

Cerbos PDP v0.52.0 and v0.53.0 bring engine performance optimizations, new CEL path functions, and tighter JWT security. This release recap covers faster decision generation, the new cerbosctl hub auth command, audit log version metadata, query plan scope fixes, and the OpenTelemetry Semantic Conventions 1.39.0 breaking change.

Documentation
Alex Olivier, May 06, 2026

Authorization Management Platforms: what they do, how they work, and where they fit

Authorization Management Platforms. What an AMP actually does, the PAP, PDP, PEP, PIP and POP architecture, integration modes, and where the category fits alongside IGA, PAM, and access management in the identity stack.

Guide
Alex Olivier, May 05, 2026

PocketOS AI coding agent deleted a production database in 9 seconds

An AI coding agent on Cursor and Claude Opus 4.6 deleted PocketOS's production database in nine seconds, backups included. The fix isn't a smarter model. It's authorization that lives outside the agent. Here's what would have stopped it, and the authorization policy you can ship this week.

Guide
Emre Baran, May 01, 2026

Non-Human Identity management still has a blind spot

Non-human identity management today focuses on discovery, inventory, and credential rotation. This guide covers why runtime authorization is the missing layer, how overprivileged NHIs create risk at scale, and how to enforce fine-grained, policy-based access control for every service-to-service request.

Guide, Engineering
Anna Paykina, April 30, 2026

Supabase alternative in 2026: Best open source auth options

Compare open source Supabase Auth alternatives for authentication, identity, and authorization. See where SuperTokens, ZITADEL, Authentik, Keycloak, Hanko, and Cerbos PDP fit.

Guide
S. B. Writer, April 28, 2026

Benefits of on-premise authorization: Why enterprises are moving toward self-hosted

On-premise authorization gives security teams full control over policies, decision logs, and audit trails without data leaving the perimeter. This guide covers why regulated enterprises are moving to self-hosted, when cloud-hosted still makes sense, and what to look for in a deployment-flexible authorization platform.

Guide
Emre Baran, April 24, 2026

Authorization policies: How to write, test, and validate them (faster with AI)

Writing authorization policies shouldn't take a week. This practical guide covers how to write, structure, and test authorization policies at enterprise scale, the common mistakes that ship security holes, and how to use an AI coding agent to draft full policy bundles while you handle the judgment calls.

Guide
Alex Olivier, April 22, 2026

Agent skill for writing authorization policies

Writing authorization policies from a blank file is slow. The Cerbos agent skill handles the drafting for you, asking clarifying questions in plain English before generating a full Cerbos policy bundle with schemas, roles, resource policies, and tests. Works with Claude Code, Cursor, Codex, and more.

Engineering, Documentation, Guide
Alex Olivier, April 21, 2026