“Set It and Forget It” Access Control is No Longer Enough
Published 08/20/2025
We’ve all felt it—RBAC isn’t holding the line like it used to.
I had an interesting conversation with a CISO last week that crystallized something I’ve been thinking about for a while.
We were discussing their access governance challenges when she said:
“We have developers jumping between six different projects, each with different data sensitivity levels. Our marketing team is suddenly neck-deep in customer analytics tools. And don’t even get me started on all the service accounts and APIs spinning up daily. Role-based access control? What are roles anymore?”
That kind of frustration isn’t unique—it’s something I hear from security leaders all the time.
The way we work has fundamentally changed, but many organizations are still trying to secure modern enterprises with access control models designed for a different era.
Don’t get me wrong – RBAC isn’t bad.
It’s just not enough anymore.
Roles remain valuable as foundational controls in specific scenarios. When a new employee joins an organization, role-based templates provide an efficient way to establish their birthright access – the basic permissions they need to function in their position. Similarly, when someone changes jobs internally, role-based profiles can help quickly adjust their baseline access to match their new responsibilities.
Think of roles as a starting point, not an end state. They provide the initial scaffolding for access, but in today’s dynamic environment, that’s just the beginning. An employee who starts in marketing might quickly become involved in a customer data analytics project, requiring additional access that doesn’t fit neatly into their “marketing role.” A developer might rotate through different teams, each with varying levels of data sensitivity and infrastructure access needs.
The World Has Changed
Think about how most organizations operate today compared to even five years ago. Agile teams form and dissolve around projects. Employees wear multiple hats and switch contexts daily. Shadow IT has given way to sanctioned self-service provisioning. Non-human identities – from service accounts to AI agents – are proliferating. And everything is connected through increasingly complex permission chains spanning cloud, SaaS, and on-prem resources.
Now try mapping all that to a static set of roles. It doesn’t hold.
The reality is that traditional role-based access control was built for a world of clearly defined organizational hierarchies where roles were stable and responsibilities mapped cleanly to job titles. That world doesn’t exist anymore.
What happens when we try to force-fit RBAC to our new reality? Role explosion. Access drift. Security teams are drowning in access requests while simultaneously losing visibility into who actually has access to what. And the most dangerous part? A false sense of security because “we have the roles defined.”
A Better Way Forward
To be clear, we don’t need to throw out RBAC entirely. We need to evolve beyond it. Modern identity security requires understanding the full picture of effective permissions – not just assigned roles.
Think of it like this: RBAC tells you what access someone should have based on their role. But in today’s environment, you need to know:
- What access do they actually have (including inherited and nested permissions)?
- Are they actually using that access?
- Does that access make sense given their current project/team/responsibilities?
- How does their access compare to peers in similar positions?
- What risks does their cumulative access create?
Answering those questions takes a fundamentally different approach – one that:
- Maps complete authorization chains from identities through to resources
- Provides real-time visibility into actual access patterns
- Leverages analytics to identify risk and right-size access
- Enables dynamic access adjustments based on context
- Continuously monitors for permission drift and anomalies
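Here is what the first three bullets above look like in practice. This is an added example, not code from the original post or any product it describes: it resolves an identity’s effective permissions through nested groups and inherited roles, subtracts what the identity has actually exercised, and compares the remainder against peers. All identities, groups, roles, permission names and the usage log are constructed sample data; the flagging rule (a permission fewer than half of one’s peers hold) is an assumption chosen for illustration.

```python
"""Effective-permission review over nested groups and inherited roles.

Added example, not part of the original post. Every identity, group, role,
permission string and usage record below is constructed sample data.
"""
from collections import deque

# Direct group memberships (identity -> groups) and group nesting (group -> parents).
MEMBER_OF = {
    "alice": {"marketing"},
    "bob": {"marketing"},
    "carol": {"marketing", "analytics-project"},   # marketer pulled onto an analytics project
    "svc-etl": {"analytics-project"},              # non-human identity
}
GROUP_PARENTS = {
    "analytics-project": {"data-readers"},         # nested: project members inherit data-readers
    "marketing": set(),
    "data-readers": set(),
}
# Roles granted by each group, and role inheritance (role -> roles it implies).
GROUP_ROLES = {
    "marketing": {"campaign-editor"},
    "analytics-project": {"notebook-user"},
    "data-readers": {"customer-data-reader"},
}
ROLE_INHERITS = {
    "campaign-editor": {"campaign-viewer"},
    "campaign-viewer": set(),
    "notebook-user": set(),
    "customer-data-reader": set(),
}
ROLE_PERMISSIONS = {
    "campaign-viewer": {"campaigns:read"},
    "campaign-editor": {"campaigns:write"},
    "notebook-user": {"notebooks:run"},
    "customer-data-reader": {"customer-pii:read"},
}
# Constructed usage log: permissions each identity actually exercised in the review window.
USAGE = {
    "alice": {"campaigns:read", "campaigns:write"},
    "bob": {"campaigns:read"},
    "carol": {"campaigns:read", "notebooks:run"},
    "svc-etl": {"customer-pii:read"},
}


def _closure(start, edges):
    """Transitive closure over a directed graph; the seen-set also guards against cycles."""
    seen, queue = set(), deque(start)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(edges.get(node, ()))
    return seen


def effective_permissions(identity):
    """Follow identity -> groups (nested) -> roles (inherited) -> permissions."""
    groups = _closure(MEMBER_OF.get(identity, ()), GROUP_PARENTS)
    direct_roles = set().union(*(GROUP_ROLES.get(g, set()) for g in groups))
    roles = _closure(direct_roles, ROLE_INHERITS)
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def unused_permissions(identity):
    """Effective permissions never exercised: candidates for right-sizing."""
    return effective_permissions(identity) - USAGE.get(identity, set())


def peers_of(identity):
    """Identities sharing at least one direct group with this one."""
    mine = MEMBER_OF.get(identity, set())
    return [other for other, groups in MEMBER_OF.items()
            if other != identity and groups & mine]


def peer_outliers(identity, peers):
    """Permissions this identity holds that fewer than half of its peers hold (assumed rule)."""
    mine = effective_permissions(identity)
    peer_perms = [effective_permissions(p) for p in peers]
    threshold = len(peers) / 2
    return {perm for perm in mine if sum(perm in pp for pp in peer_perms) < threshold}


def review(identity):
    """One-identity access review: what they have, what they never use, where they stand out."""
    return {
        "effective": effective_permissions(identity),
        "unused": unused_permissions(identity),
        "outliers": peer_outliers(identity, peers_of(identity)),
    }


if __name__ == "__main__":
    for who in MEMBER_OF:
        print(who, review(who))
```

Running the review on `carol` shows why the assigned role alone is misleading: her marketing role never mentions customer data, yet the nested `analytics-project` to `data-readers` chain gives her `customer-pii:read`, she has never used it, and none of her marketing peers hold it. That single combination (inherited, unused, atypical) is the kind of finding the questions above are meant to surface, and the same three checks apply unchanged to the service account.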
The Technology Has Caught Up
The good news is that technology has evolved to make this possible. Modern identity security platforms can provide the comprehensive visibility and analytics-driven insights needed to secure access in dynamic environments. We can now see effective permissions across hybrid environments, spot unusual patterns, and make data-informed decisions about what access should stay and what shouldn’t.
The Challenge for Security Leaders
The technology exists, but driving this evolution requires security leaders to challenge status quo thinking about access control. It means acknowledging that while RBAC served us well, it alone cannot secure modern enterprises. It means embracing a more fluid, analytics-driven approach to identity security.
And we need to make that shift, because the stakes are too high not to. Every major breach nowadays involves identity compromise. The explosion of non-human identities and cloud services has created attack surfaces we couldn’t have imagined a decade ago. We can’t secure these modern environments with access models designed for a static world.
It’s time to evolve beyond “set it and forget it” access control. Our organizations already have. Our security needs to catch up.