An agent follows its access, not its instructions. That's how one Identiverse 2026 session put it, and the rest of the week backed it up. AI agents are forcing authorization to become deterministic and explicit, and the standards work is moving in the same direction. AuthZEN, Shared Signals, and Transaction Tokens are emerging as the common foundation. Our recap covers what that looks like in practice, and where cross-organizational delegation still falls short.
Most of what we published this month was for teams building, and the common thread is getting authorization logic out of application code. That's the case whether you're securing microservices without scattering permission checks across every service, or working out fine-grained access control once plain roles stop covering the requirements. We also continued our series on mapping business requirements to policy, this time for a multi-vendor ecommerce platform.
If you are at the evaluating stage rather than the building one, our authorization POC guide is worth a read before you start. Most POCs stall on scoping and unclear success criteria, not the technology, so it keeps the timeline to a few weeks and gives you six measurable criteria to judge the result.
For security leaders, we released an 📘 ebook on benchmarking authorization maturity. It includes a 4-stage model to find where your authorization program stands today. From there, it maps your exposure at each stage to regulations like NIS2, DORA, and the EU AI Act, and gives you a 90-day plan to close the gaps before they are exploited. Written by Alex Olivier, Cerbos Co-Founder and CPO, and OpenID AuthZEN co-chair.
Finally, we shipped the Effect Matrix in Cerbos Hub. It is a grid of your policies with roles on one axis and actions on the other. Using it, product managers and compliance reviewers can see who can do what, and check the conditions behind each decision, without opening a policy file.
🌎 We will be at Identity Week America in Washington DC, September 2-3
Stop by booth #720 to talk through anything authorization related. Alex Olivier and Emre Baran will both be there. We also have afew VIP guest passes to give away. If you'd like one for yourself or a colleague, email aram@cerbos.dev and he'll let you know if any are still available.
Product Updates
Cerbos Hub
We shipped the Effect Matrix, which turns policies into a permissions grid, roles down one side, actions across the top, with each cell showing whether an action is allowed, denied, or conditional.
Clicking into a cell reveals the rules and conditions behind that decision.
It lives in the Policies tab of Cerbos Hub, so anyone reviewing permissions can answer who can do what without reading a single line of YAML.
The gap between what compliance documentation says a team's authorization program does and what actually runs in production widens every time a service, workload or an agent is added.
It usually surfaces during an audit or an incident - the worst time to find it.
Our new ebook, built on our work with hundreds of CISOs, public analyst research, and the latest news from industry conferences, gives security leaders a 4-stage benchmark and a self-assessment to see where their program actually stands, an exposure rating across NIS2, DORA, SEC, the EU AI Act and more, and a 90-day plan to close the gap.
It also covers what good looks like at each stage, and what changes once AI agents are in production.
Upcoming Events
Visit our booth at:
Identity Week America, Washington DC, September 2-3. Stop by the Cerbos booth 720 for a proper chat about all things authorization. We also have a few VIP guest passes to give away. If you'd like one for yourself or a colleague, email aram@cerbos.dev and he'll let you know if any are still available.
Meet our team members and check out their talks to get valuable insights:
You are receiving this email because either we have met, chatted, or you've visited our websitecerbos.devand asked us to keep you up-to-date. If you have been forwarded this email, you cansubscribeand receive future updates directly from us. If you prefer not to receive these updates, you can unsubscribe below, but we hope you stay!