Dispatch

Rethinking Authorization for the Age of Agentic AI

Examines how authorization frameworks must evolve for autonomous AI agents, covering dynamic policy enforcement, delegation chains, and the shift from static IAM to context-aware authorization.

Securing AI Agents: The Defining Cybersecurity Challenge of 2026

Venture capital perspective on why 48% of cybersecurity professionals identify agentic AI as the top attack vector, and how authorization and identity controls must adapt.

How Uber Reinvented Access Control for Microservices

Deep dive into Uber's attribute-based access control system Charter, which separates authorization logic from application code across thousands of microservices.

Accelerating the Adoption of Software and AI Agent Identity and Authorization

NIST concept paper exploring how identity standards like OAuth 2.0 can be applied to AI agents, covering authorization delegation and audit logging for non-human entities.

State of AI Agent Security 2026: When Adoption Outpaces Control

Survey of 900+ practitioners finding that 88% of organizations reported AI agent security incidents, yet only 22% treat agents as independent identity-bearing entities.

How Google Manages Trillions of Authorizations with Zanzibar

System design walkthrough of Google Zanzibar's architecture, explaining how it stores trillions of permission records and serves millions of requests per second.

AI Agents Are Becoming Authorization Bypass Paths

How AI agents operating with broad shared credentials create unintended privilege escalation paths: authorization is evaluated against the agent's own identity rather than the requesting user's, so anyone who can drive the agent inherits the agent's permissions (the classic confused-deputy pattern).

Authorization API 1.0 Final Specification Approved

The OpenID Foundation approved AuthZEN Authorization API 1.0 as a Final Specification, standardizing the request/response exchange between policy enforcement points (PEPs) and policy decision points (PDPs) the way OpenID Connect standardized authentication.
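An added example covering the two entries above (the agent bypass path and the PEP-to-PDP exchange that AuthZEN standardizes); it is written for this digest and is not code from any linked article or from the AuthZEN project. Only the evaluation request layout (subject, resource, action, context) and the boolean "decision" in the response follow the AuthZEN 1.0 message shape. The document store, the "reader-all" role the agent was deployed with, the user and agent names, and the "on_behalf_of" context key that carries the delegating user are assumptions made for the example.

```python
"""Toy PDP speaking the AuthZEN 1.0 evaluation shape, plus an AI-agent PEP,
shown once with the identity bypass and once with the delegation fix."""
import json

# Constructed sample data: document -> owning user.
DOCUMENT_OWNERS = {"doc-1": "alice", "doc-2": "bob"}

# Constructed broad credential: the agent's service account may read every
# document "so it can help any user". This is the shared credential at issue.
ROLES = {"assistant-agent": {"reader-all"}}


def authorization_request(subject_type, subject_id, doc_id, action="read", context=None):
    """Build an evaluation request body in the AuthZEN 1.0 layout."""
    return {
        "subject": {"type": subject_type, "id": subject_id},
        "resource": {"type": "document", "id": doc_id},
        "action": {"name": action},
        "context": context or {},
    }


def user_may_read(user_id, doc_id):
    """Constructed policy: a user may read only the documents they own."""
    return DOCUMENT_OWNERS.get(doc_id) == user_id


def pdp_agent_identity(request):
    """Vulnerable PDP: decides on the subject as presented. An agent subject is
    matched against its own roles, so "reader-all" wins for any document,
    whatever the request context says about the end user."""
    subject, doc_id = request["subject"], request["resource"]["id"]
    if request["action"]["name"] != "read":
        return {"decision": False}
    if subject["type"] == "user":
        return {"decision": user_may_read(subject["id"], doc_id)}
    if subject["type"] == "agent":
        return {"decision": "reader-all" in ROLES.get(subject["id"], set())}
    return {"decision": False}


def pdp_delegated_identity(request):
    """Hardened PDP: an agent is never granted on its own roles. It must name
    the delegating user in context.on_behalf_of (assumed key), and that user's
    rights are what gets evaluated; a missing delegator fails closed."""
    subject, doc_id = request["subject"], request["resource"]["id"]
    if request["action"]["name"] != "read":
        return {"decision": False}
    if subject["type"] == "user":
        return {"decision": user_may_read(subject["id"], doc_id)}
    if subject["type"] == "agent":
        delegator = request["context"].get("on_behalf_of")
        if not delegator or delegator.get("type") != "user":
            return {"decision": False}
        return {"decision": user_may_read(delegator["id"], doc_id)}
    return {"decision": False}


def agent_reads(pdp, requesting_user, doc_id, propagate_user):
    """PEP inside the agent: asks the PDP before touching the document.
    propagate_user=False models an agent that calls with only its own identity;
    True models forwarding the end user in the request context."""
    context = {"on_behalf_of": {"type": "user", "id": requesting_user}} if propagate_user else {}
    request = authorization_request("agent", "assistant-agent", doc_id, context=context)
    # Round-trip through JSON, as the request would travel over HTTP to the PDP.
    return pdp(json.loads(json.dumps(request)))["decision"]


if __name__ == "__main__":
    # bob asks the agent for alice's document
    print("bypass  :", agent_reads(pdp_agent_identity, "bob", "doc-1", propagate_user=False))      # True
    print("fixed   :", agent_reads(pdp_delegated_identity, "bob", "doc-1", propagate_user=True))   # False
    print("alice ok:", agent_reads(pdp_delegated_identity, "alice", "doc-1", propagate_user=True)) # True
```

Note that the fix needs both halves: the PEP must forward the end user, and the PDP must refuse to decide an agent request on the agent's own roles. Forwarding the user to the vulnerable PDP changes nothing, because it never looks at the context.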

Request for Information: Security Considerations for AI Agents

NIST formally seeks public input on securing AI agent systems, including authorization controls, identity management, and prompt injection defenses.

The Looming Authorization Crisis: Why Traditional IAM Fails Agentic AI

Identifies seven limitations of legacy IAM frameworks for AI agents and proposes two new architectures for agent-native authorization.

OWASP Top 10: Broken Access Control Still Tops App Security List

Covers the OWASP Top 10 2025 release where broken access control maintains the number one position, with 100% of tested applications exhibiting some form of access control failure.

OpenFGA Becomes a CNCF Incubating Project

The CNCF advances OpenFGA to Incubation status, recognizing the Zanzibar-inspired authorization engine now used by 37 companies in production.

Top 10 Identity Security Insights from Forrester's 2025 Security Summit

Forrester research shows IAM spending will nearly double to $27.5B by 2029, with dynamic authorization replacing static entitlements.

A01:2025 Broken Access Control

The official OWASP Top 10 2025 entry documenting how broken access control affects 100% of tested applications, with 40 mapped CWEs.

Security for AI Agents: Protecting Intelligent Systems

Comprehensive guide to AI agent security threats including prompt injection and token compromise, advocating for dynamic authorization policies.

97% of Organizations with AI Breaches Lacked Proper AI Access Controls

IBM's 2025 Cost of a Data Breach Report reveals organizations with shadow AI face $670K in additional breach costs, and 97% of AI-related breaches lacked proper access controls.

Open Policy Agent: Best Practices for a Secure Deployment

Seven best practices for securing OPA deployments, including separating policy from application code, using GitOps for policy storage, and CI/CD pipeline validation.

How to Build Scalable Access Control for Your Web App

Developer handbook comparing RBAC, ABAC, and ReBAC access control models with practical implementation guidance.

Implementing a Zero Trust Architecture (SP 1800-35)

NIST's practice guide demonstrating 19 zero trust implementations, emphasizing authentication and authorization as discrete functions before resource access.

Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization

Academic paper presenting Amazon's open-source authorization policy language with formal verification capabilities supporting RBAC, ABAC, and ReBAC models.

How to Implement ReBAC with Amazon Verified Permissions and Neptune

Demonstrates implementing relationship-based access control using a graph database for relationship storage combined with Cedar policies for authorization decisions.

Common Expressions for Portable Policy and Beyond

Google introduces cel.dev, the official home for Common Expression Language, used in Kubernetes and Cloud IAM for fine-grained authorization with nanosecond evaluation.

How to Implement Relationship Based Access Control (ReBAC)

Developer tutorial explaining ReBAC fundamentals including graph-based permission models, ownership, and hierarchical relationships with practical examples.

Attribute-Based Access Control at Uber

Uber's Charter authorization system uses Google CEL for policy conditions, now adopted by 70 services for fine-grained access control across APIs, databases, and infrastructure.

NIST SP 800-207A: Zero Trust Access Control for Cloud-Native Applications

Guidance on zero trust access control for distributed microservices, shifting focus from network perimeters to identity-based authentication and authorization.

How We Built Cedar with Automated Reasoning and Differential Testing

Amazon's verification-guided development process for Cedar, using a Dafny formal model of the authorizer, proofs of its key properties, and differential random testing against the production implementation to establish that the authorization engine behaves as specified.

Adventures in Authentication and Authorization

Netflix staff security engineer presents lessons from implementing ubiquitous authentication and authorization in a microservice zero-trust ecosystem.

Using ABAC to Solve Role Explosion

How ABAC eliminates role explosion in microservice architectures by evaluating user, resource, and environment attributes against policies at request time instead of pre-provisioning a role for every combination.
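An added example for the role-explosion entry above, written for this digest and not taken from the linked article: the same access question answered by RBAC and by ABAC. The organisation (regions, departments, clearance levels), the document attributes, and both policies are constructed for the example.

```python
"""RBAC role explosion next to a single ABAC policy over the same data."""
from itertools import product

# Constructed dimensions of a hypothetical organisation.
REGIONS = ("eu", "us", "apac")
DEPARTMENTS = ("finance", "hr", "eng")
ACTIONS = ("read", "write")


def rbac_role_catalogue(regions=REGIONS, departments=DEPARTMENTS, actions=ACTIONS):
    """RBAC can only say "which documents" by baking the scope into the role
    name, so it needs one role per (action, department, region) cell. Every
    new region or department multiplies the catalogue."""
    return {f"{a}:{d}:{r}" for a, d, r in product(actions, departments, regions)}


def rbac_allowed(user_roles, action, doc):
    """RBAC decision: a static membership lookup; no attributes are consulted."""
    return f"{action}:{doc['department']}:{doc['region']}" in user_roles


def abac_allowed(user, action, doc, context):
    """ABAC decision: one policy evaluated at request time against attributes
    of the user, the resource and the environment (here, whether the session
    passed MFA). Adding a region changes the data, not the policy."""
    same_scope = (user["region"] == doc["region"]
                  and user["department"] == doc["department"])
    if action == "read":
        return same_scope
    if action == "write":
        return (same_scope
                and user["clearance"] >= doc["classification"]
                and context.get("mfa", False))
    return False


if __name__ == "__main__":
    print(len(rbac_role_catalogue()))                               # 18 roles for 3 x 3 x 2
    print(len(rbac_role_catalogue(regions=REGIONS + ("latam",))))   # 24 after one new region
    doc = {"region": "eu", "department": "finance", "classification": 2}
    alice = {"region": "eu", "department": "finance", "clearance": 2}
    print(rbac_allowed({"read:finance:eu"}, "write", doc))          # False: needs yet another role
    print(abac_allowed(alice, "write", doc, {"mfa": True}))         # True: same policy, no new role
```

The write rule is where the two models diverge most: the clearance and MFA conditions have no RBAC equivalent short of minting still more roles, whereas the ABAC policy reads them straight from the request.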

Authorization at Netflix Scale

Netflix senior engineer describes how Netflix handles 3 million authorization requests per second, evolving from distributed rules to a centralized Product Access Service.

Himeji: A Scalable Centralized System for Authorization at Airbnb

Airbnb's Zanzibar-inspired authorization system stores tens of billions of relations and serves nearly a million authorizations per second with 12ms p99 latency.

Airbnb Builds Himeji: A Scalable Centralized Authorization System

Technical analysis of Airbnb's three-layer Himeji architecture for centralized authorization, covering orchestration, caching, and data layers.

Edge Authentication and Token-Agnostic Identity Propagation

Netflix's Access and Identity Management team describes moving authentication to the edge and creating cryptographically-verifiable identity propagation across microservices.

User and Device Identity for Microservices at Netflix Scale

How Netflix manages user and device identity for 158 million subscribers at 2 million requests per second using edge authentication.

Zanzibar: Google's Consistent, Global Authorization System

The foundational paper describing Google's global authorization system handling trillions of access control lists across Calendar, Cloud, Drive, Maps, Photos, and YouTube.
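An added example serving the ReBAC tutorial entry (graph-based permissions, ownership, hierarchical relationships) and the Zanzibar, Himeji, and OpenFGA entries above; it is written for this digest and is not code from the Zanzibar paper or from any of those systems. The relation-tuple notation (object#relation@user, where the user may itself be a userset such as group:eng#member) and the three rewrite forms (direct tuples, a computed relation on the same object, and a relation looked up on a parent object, Zanzibar's tuple_to_userset) follow the paper. The namespace configuration, the object and user names, and the in-memory store are constructed for the example, and the paper's consistency machinery (zookies) is left out.

```python
"""Zanzibar-style check(): relation tuples plus userset rewrite rules."""
from collections import defaultdict

# Constructed namespace configuration. For each object type, each relation
# lists how it is satisfied:
#   "this"          direct tuples for the relation
#   "computed:REL"  anyone holding relation REL on the same object
#   "parent:REL"    anyone holding REL on an object named by an
#                   (obj, "parent") tuple  (tuple_to_userset)
CONFIG = {
    "folder": {
        "owner": ["this"],
        "editor": ["this", "computed:owner"],
        "viewer": ["this", "computed:editor", "parent:viewer"],
        "parent": ["this"],
    },
    "doc": {
        "owner": ["this"],
        "editor": ["this", "computed:owner"],
        "viewer": ["this", "computed:editor", "parent:viewer"],
        "parent": ["this"],
    },
    "group": {"member": ["this"]},
}

# Constructed sample tuples.
SAMPLE_TUPLES = [
    "doc:readme#owner@user:alice",
    "doc:readme#parent@folder:docs",
    "folder:docs#parent@folder:root",
    "folder:root#viewer@user:bob",         # bob can view everything under root
    "group:eng#member@user:carol",
    "doc:readme#editor@group:eng#member",  # userset: every eng member edits
]


def build_store(tuples):
    """Index tuples as (object, relation) -> set of users / usersets."""
    store = defaultdict(set)
    for t in tuples:
        left, user = t.split("@", 1)
        obj, relation = left.split("#", 1)
        store[(obj, relation)].add(user)
    return store


STORE = build_store(SAMPLE_TUPLES)


def check(obj, relation, user, store=STORE, _seen=None):
    """Does `user` hold `relation` on `obj`? Depth-first expansion of the
    relation's rewrite rules; `_seen` breaks cycles in the relation graph."""
    _seen = set() if _seen is None else _seen
    key = (obj, relation, user)
    if key in _seen:
        return False
    _seen.add(key)

    namespace = obj.split(":", 1)[0]
    for rule in CONFIG[namespace][relation]:
        if rule == "this":
            for member in store.get((obj, relation), ()):
                if member == user:
                    return True
                if "#" in member:  # userset: recurse into its own relation
                    sub_obj, sub_rel = member.split("#", 1)
                    if check(sub_obj, sub_rel, user, store, _seen):
                        return True
        elif rule.startswith("computed:"):
            if check(obj, rule[len("computed:"):], user, store, _seen):
                return True
        elif rule.startswith("parent:"):
            for parent in store.get((obj, "parent"), ()):
                if check(parent, rule[len("parent:"):], user, store, _seen):
                    return True
    return False


if __name__ == "__main__":
    print(check("doc:readme", "viewer", "user:bob"))    # True  (folder:root -> folder:docs -> doc)
    print(check("doc:readme", "viewer", "user:alice"))  # True  (owner -> editor -> viewer)
    print(check("doc:readme", "editor", "user:carol"))  # True  (via group:eng#member)
    print(check("doc:readme", "editor", "user:bob"))    # False (viewer does not imply editor)
```

The cycle guard matters in practice: a group that is a member of another group which is in turn a member of the first is a legal set of tuples, and a check that recursed through it would never return. With the guard it simply evaluates to deny.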