Let's connect at Identiverse | Meta AI breach could have been avoided | Cerbos Hub Insights launch

We spent a week at EIC 2026 and came back with two things worth passing on. AuthZEN, the open authorization standard our CPO Alex Olivier co-chairs, picked up an Outstanding Project award, and the main takeaway from the floor was that teams need to stop inventorying AI agents and start protecting what they can actually reach.

 

That point ran through a lot of what we published this month. The Meta AI breach was the clearest example, where one prompt was enough to pull an agent into data it should never have reached because the agent was making its own access calls. We looked at why agents shouldn't decide access, what to have in place before the EU AI Act deadline, and how to treat agent governance as a dimmer switch rather than a kill switch so you can pull access back without taking everything down. On enforcement, we covered fine-grained authorization for AI gateways and how it works with Cerbos and agentgateway.

 

For security and identity leaders, we mapped where identity security is heading in 2026 and why the runtime authorization layer is where most programs are thin. We looked at the gap left when you have authentication but nothing governing what users can actually do, and broke down how to pick a deployment model for enterprise authorization when compliance and data residency are in play.

 

On the build side, we made the case for treating token issuance as an authorization decision instead of a static claim, and worked through mapping real business requirements to policy in an automotive setting.

 

Two product notes to close. We launched Cerbos Hub Insights, which gives users a live view of what their authorization layer is doing in production, and wrote up how reworking the Cerbos PDP's rule index from maps to bitmaps cut decision latency from 43.8µs to 6.6µs.

 

🌎 We will be at Identiverse in Las Vegas, June 15-18 

Stop by our booth #925 to talk through anything authorization related. Alex Olivier, Emre Baran, and Aram Andreasyan will be there, and you can catch Alex speaking across three sessions (scroll down for more details).

 

Product Updates

Cerbos Hub

 

We have launched Cerbos Hub Insights, which turns the decisions flowing through your PDPs into charts and rankings, so you can see at a glance what your authorization layer is actually doing in production.

 

You can track allows and denies over the last seven days by the hour or across 30 days for the longer trend, watch active principals grow as adoption spreads, and see which principals, resource kinds, and action pairs show up most.

 

Anything that looks off, like a sudden jump in denials, links straight into the audit logs pre-filtered to what you're looking at, so you can investigate without searching through raw logs.

 


 

Helpful Content

[eBook] How to adopt externalized authorization

 

Adopting externalized authorization is an architectural change that requires careful planning. Our ebook provides a structured, 10-chapter approach to navigating this transformation.

 

Inside, you will find:

  • Frameworks, policy examples, and lessons learned from guiding hundreds of teams through externalized authorization adoption.
  • Externalized authorization foundations: authorization requirements, different role types and their implementation, data sources, the ownership matrix, and everything about PDP, PEP, and PAP.
  • Instructions to stand up a minimal PDP and PEP, author and test policies with real data, and choose deployment and enforcement models.

Upcoming Events

Visit our booth at: 

  • Identiverse, Las Vegas, June 15-18. Stop by the Cerbos booth 925 for a proper chat about all things authorization. Three sessions to add to your schedule:
    • Catch Alex and Vatsal Gupta from Apple in "Access reviews are dead. Long live decision governance". Stop by and let us know what you think!
    • Join the panel “Beyond authentication: Updates from the authorization frontier” with Alex.
    • Sit in on the “AuthZEN Deep Dive: mastering the OpenID authorization standard” talk with Alex, Atul Tulshibagwale, and Mark Berg.

Meet our team members and check out their talks to get valuable insights:

  • WeAreDevelopers World Congress, Berlin, July 8-10. Drop by Alex’s talk “The day the chatbot asked for sudo” if you are anywhere near AI security work right now.
  • TailscaleUp, San Francisco, August 26. Check out Alex’s presentation “Every tool call is a trust boundary: Authorization for AI agents” which includes a live demo built on Aperture and Cerbos.

Stay connected

    • Struggling with fragmented authorization or audit readiness? Talk to our solutions team → Book a free workshop
    • Learn more about Cerbos Hub, a complete authorization management system for authoring, testing and deploying policy
    • Browse our documentation
    • Experience policy writing via an in-browser Playground
    • Join our Slack Community to keep up-to-date with latest developments
    • Explore more of our content: Framework for evaluating authorization providers, practical solutions to critical challenges CISOs face in 2026, guidance on maintaining compliance.

     


    Cerbos, 86-90 Paul Street,  London, UK, EC2A 4NE, United Kingdom.
