[eBook] The Authorization Maturity Model: A CISO's Benchmark for 2026

Most CISOs find the authorization gap after the breach, not before.

The gap between what your compliance documentation says your authorization program does and what actually runs in production is widening every quarter.

Authorization is the part of the program a CISO defends in audit committee meetings and reconstructs when something goes wrong, and the part regulators are now asking pointed questions about.

NIS2, DORA, SEC cyber rules, and the EU AI Act all converge on the same question: what each identity actually did in production, and whether you can prove it.

This guide gives you a 4-stage model to place your program against, your exposure to every major regulator at each stage, and a 90-day plan to close the gap before the next deadline lands.
Written by Alex Olivier, Cerbos Co-Founder and CPO, and OpenID AuthZEN co-chair.

Written for CISOs, security leaders, and identity teams

Built on hundreds of CISO conversations, public analyst work, and industry conferences

4-stage maturity model graded across 9 major regulatory frameworks

56 pages, a self-assessment scorecard, and a 30/60/90 day plan

What's inside the ebook

  • The 4 stages of authorization maturity

    A model you can place your program against. Each stage covers how authorization actually runs in production, who owns it, what audit evidence looks like, and the kinds of incidents typical at that stage.

  • The regulatory exposure at every stage

    When the regulator asks where your program sits, your audit committee expects an answer. Every stage gets a Critical/High/Medium/Low rating against 9 major regulators, each backed by enforcement actions, audit findings, and regulation text.

  • A 30, 60, and 90 day plan to move up

    When the board asks what you'll deliver this quarter, the typical plan oversells. This one lays out the first 30, 60, and 90 days, what Stage 4 looks like, and what 90 days cannot get you to.

Close the gap, chapter by chapter

The authorization blind spot

Authorization is the layer between authentication and audit, and the part of the program where what is documented and what runs in production have drifted apart. We map the four shifts that put it there, from credential-driven breaches to AI agents acting on behalf of humans, and explain why this gap is the one regulators are now walking through.

Topics covered: Credential abuse, non-human identities, AI agents in production, NIS2 personal liability, SEC cyber rules, EU AI Act compliance, exposure velocity.

The four stages of authorization maturity

The model the rest of the guide is built on. Ad-hoc, Documented, Centralized, and Governed. Each stage describes how authorization actually behaves in production, who owns it, where audit evidence comes from, and the kinds of incidents typical at that stage. Built on leading, public analyst work.

Topics covered: Ad-hoc, Documented, Centralized, Governed, ownership models, audit evidence, typical incidents, board conversations by stage.

Self-assessment, where are you today?

Fifteen questions across five sections to place your program against the four-stage model. Calibrated to surface the gap between documented controls and what actually runs in production, which is the part regulators have moved toward. Score yourself, then check your score against the typical pattern across regulated industries.

Topics covered: Coverage and ownership, policy and evidence, runtime behavior, non-human identities, response and governance.

Risks and regulatory exposure at each stage

When the regulator asks where your program sits, your audit committee expects an answer. Every stage gets a Critical/High/Medium/Low rating against nine major regulators, each backed by enforcement actions, audit findings, and the regulation text. The same regulators your audit committee already tracks.

Topics covered: Stage-by-stage exposure, enforcement actions, NIS2, DORA, SEC cyber rules, EU AI Act, HIPAA, PCI DSS 4.0, SOC 2, ISO 27001, GDPR.

Moving up the model

What each transition demands beyond technology. Where programs stall at Stage 1-to-2, why most Stage 2-to-3 attempts fail on the operating model rather than the tool, and what changes for board reporting at Stage 3-to-4.

Topics covered: Stage transitions, visibility work, ownership models, operating models, board conversations, evidence as by-product.

What good looks like

Six outcomes a CISO can report on at Stage 4, from exposure duration and time-to-revoke to delegation reconstruction time. Each one is a number you can put in front of your board, anchored in Kara Sprague's Exposure Velocity Model. Targets included as starting points, not industry standards.

Topics covered: Exposure duration, time-to-revoke, policy coverage, decision log completeness, post-event analysis cadence, delegation reconstruction time.

Authorization for AI agents

Three layers of agent governance need to come together for Stage 4 to hold. Deterministic governance of what the agent can touch. Behavioral analysis of what it usually does. An audit chain that lets you reconstruct who delegated, to which agent, under which policy, with what context. The standard regulators are converging on.

Topics covered: Per-hop authorization, OAuth 2.0 token exchange, justifiable action, agent audit-readiness, delegation chain reconstruction, vendor evaluation questions.

A 30, 60, and 90 day plan

The first 30 days set up the scaffolding. Days 31 to 60 stand up the central decision point and migrate the first set of policies out of application code. Days 61 to 90 prove the approach and commit to the longer program. Honest about what 90 days can and cannot get you to.

Topics covered: Visibility actions, executive briefing, agent inventory, architectural decision, pilot deployment, board posture slide.

About the author

Alex Olivier is Chief Product Officer at Cerbos and co-chair of the OpenID AuthZEN working group. He leads the Cerbos product, helps shape the AuthZEN standard, and works with CISOs and security architects in regulated industries on real authorization programs.

Authorize every identity. Govern every action.

Enforce fine-grained, contextual, and continuous authorization across applications, gateways, workloads, and AI agents.

Discover other ebooks on IAM, security and software architecture

How to adopt externalized authorization

A guide to multitenant authorization

Zero Trust for AI: Securing MCP Servers