Episode 181 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Catalyzing Authz-Aware Developers

Channels

Description

In this episode of Identerati Office Hours, we explore how modern development teams are evolving scalable authorization (authz) as software architectures shift toward microservices, APIs, and increasingly agentic systems. Joining us is a Gartner analyst focused on developer productivity, who helps organizations build faster, happier engineering teams while reducing the cost of quality and accelerating time-to-market. Together we examine why authorization is becoming a developer productivity problem as much as a security one, and how new approaches—policy-as-code, decentralized enforcement, and better governance models like GovOps—can help teams ship secure systems without slowing innovation.

Homework

Takeaways

  • ⚡ Centralized policy management is recognized as a best practice, but it's inconsistently implemented across organizations. Even experienced software teams vary widely in how they handle authorization and in how they consider its connection to enterprise-wide risk management and governance.

  • ⚡ In the past, enterprises have assumed predictable software behavior (enumerable actions/resources). Modern agents on a "mission" pursue goals, making static policy models insufficient.

  • ⚡ You cannot prevent all undesirable agent behavior. Effective governance instead requires "Risk Management" (prioritizing based on risk/reward of capability), "Transparency" (observability of actions), and "Accountability" (linking actions to responsible entities). Governance needs to become more geared toward operational response than strict control.

  • ⚡ Developers lack a clear model for building “governable” software. There is no standardized guidance for how developers should design systems that are governable at the enterprise level. As a result, governance failures are often structural—not just operational—because security and authorization are not “designed in” from the start.

Livestream Audio Archive

here