See you at Identity Week America | 📘 Free ebook on benchmarking authorization maturity | Cerbos Hub Effect Matrix now available
View in browser

An agent follows its access, not its instructions. That's how one Identiverse 2026 session put it, and the rest of the week backed it up. AI agents are forcing authorization to become deterministic and explicit, and the standards work is moving in the same direction. AuthZEN, Shared Signals, and Transaction Tokens are emerging as the common foundation. Our recap covers what that looks like in practice, and where cross-organizational delegation still falls short.

 

Most of what we published this month was for teams building, and the common thread is getting authorization logic out of application code. That's the case whether you're securing microservices without scattering permission checks across every service, or working out fine-grained access control once plain roles stop covering the requirements. We also continued our series on mapping business requirements to policy, this time for a multi-vendor ecommerce platform.

 

If you are at the evaluating stage rather than the building one, our authorization POC guide is worth a read before you start. Most POCs stall on scoping and unclear success criteria, not the technology, so it keeps the timeline to a few weeks and gives you six measurable criteria to judge the result.

 

For security leaders, we released an 📘 ebook on benchmarking authorization maturity. It includes a 4-stage model to find where your authorization program stands today. From there, it maps your exposure at each stage to regulations like NIS2, DORA, and the EU AI Act, and gives you a 90-day plan to close the gaps before they are exploited. Written by Alex Olivier, Cerbos Co-Founder and CPO, and OpenID AuthZEN co-chair.

 

Finally, we shipped the Effect Matrix in Cerbos Hub. It is a grid of your policies with roles on one axis and actions on the other. Using it, product managers and compliance reviewers can see who can do what, and check the conditions behind each decision, without opening a policy file.

🌎 We will be at Identity Week America in Washington DC, September 2-3 

Stop by booth #720 to talk through anything authorization related. Alex Olivier and Emre Baran will both be there. We also have a few VIP guest passes to give away. If you'd like one for yourself or a colleague, email aram@cerbos.dev and he'll let you know if any are still available.

Product Updates

Cerbos Hub

 

We shipped the Effect Matrix, which turns policies into a permissions grid, roles down one side, actions across the top, with each cell showing whether an action is allowed, denied, or conditional.

Clicking into a cell reveals the rules and conditions behind that decision.

 

It lives in the Policies tab of Cerbos Hub, so anyone reviewing permissions can answer who can do what without reading a single line of YAML.

 

Learn about Cerbos Hub

Get started with Cerbos Hub

Helpful Content

[eBook] The authorization maturity model: A benchmark for 2026

 

The gap between what compliance documentation says a team's authorization program does and what actually runs in production widens every time a  service, workload or an agent is added. 

 

It usually surfaces during an audit or an incident - the worst time to find it.

 

Our new ebook, built on our work with hundreds of CISOs, public analyst research, and the latest news from industry conferences, gives security leaders a 4-stage benchmark and a self-assessment to see where their program actually stands, an exposure rating across NIS2, DORA, SEC, the EU AI Act and more, and a 90-day plan to close the gap.

 

It also covers what good looks like at each stage, and what changes once AI agents are in production.

Upcoming Events

Visit our booth at: 

  • Identity Week America, Washington DC, September 2-3. Stop by the Cerbos booth 720 for a proper chat about all things authorization. We also have a few VIP guest passes to give away. If you'd like one for yourself or a colleague, email aram@cerbos.dev and he'll let you know if any are still available.

Meet our team members and check out their talks to get valuable insights:

  • WeAreDevelopers World Congress, Berlin, July 8-10. If you caught Alex Olivier's talk earlier today, “The day the chatbot asked for sudo” - we hope it was useful, especially if AI agents are already part of your stack.
  • TailscaleUp, San Francisco, August 26. Check out Alex’s presentation “Every tool call is a trust boundary: Authorization for AI agents” which includes a live demo built on Aperture and Cerbos.
  • ISC2 Security Congress, Gaylord Rockies, October 24-28. Check out Alex's talk “Identity as the control plane for software supply chain security” on October 28, co-presented with Vatsal Gupta of Apple.

Stay connected

    • Struggling with fragmented authorization or audit readiness? Talk to our solutions team → Book a free workshop
    • Learn more about Cerbos Hub, a complete authorization management system for authoring, testing and deploying policy
    • Browse our documentation
    • Experience policy writing via an in-browser Playground
    • Join our Slack Community to keep up-to-date with latest developments
    • Explore more of our content: Framework for evaluating authorization providers, practical solutions to critical challenges CISOs face in 2026, guidance on maintaining compliance.

     

    You are receiving this email because either we have met, chatted, or you've visited our website cerbos.dev and asked us to keep you up-to-date. If you have been forwarded this email, you can subscribe and receive future updates directly from us. If you prefer not to receive these updates, you can unsubscribe below, but we hope you stay!

     

     

    X X
    LinkedIn LinkedIn
    YouTube YouTube
    Email Email
    GitHub Git Hub

    Cerbos, 86-90 Paul Street,  London, UK, EC2A 4NE, United Kingdom.

    Unsubscribe  Manage Preferences