
We’ve all felt it—RBAC isn’t holding the line like it used to.
I had an interesting conversation with a CISO last week that crystallized something I’ve been thinking about for a while.
We were discussing their access governance challenges when she said:
“We have developers jumping between six different projects, each with different data sensitivity levels. Our marketing team is suddenly neck-deep in customer analytics tools. And don’t even get me started on all the service accounts and APIs spinning up daily. Role-based access control? What are roles anymore?”
That kind of frustration isn’t unique—it’s something I hear from security leaders all the time.
The way we work has fundamentally changed, but many organizations are still trying to secure modern enterprises with access control models designed for a different era.
Don’t get me wrong – RBAC isn’t bad.
It’s just not enough anymore.
Roles remain valuable as foundational controls in specific scenarios. When a new employee joins an organization, role-based templates provide an efficient way to establish their birthright access – the basic permissions they need to function in their position. Similarly, when someone changes jobs internally, role-based profiles can help quickly adjust their baseline access to match their new responsibilities.
Think of roles as a starting point, not an end state. They provide the initial scaffolding for access, but in today’s dynamic environment, that’s just the beginning. An employee who starts in marketing might quickly become involved in a customer data analytics project, requiring additional access that doesn’t fit neatly into their “marketing role.” A developer might rotate through different teams, each with varying levels of data sensitivity and infrastructure access needs.
The World Has Changed
Think about how most organizations operate today compared to even five years ago. Agile teams form and dissolve around projects. Employees wear multiple hats and switch contexts daily. Shadow IT has given way to sanctioned self-service provisioning. Non-human identities – from service accounts to AI agents – are proliferating. And everything is connected through increasingly complex permission chains spanning cloud, SaaS, and on-prem resources.
Now try mapping all that to a static set of roles. It doesn’t hold.
The reality is that traditional role-based access control was built for a world of clearly defined organizational hierarchies where roles were stable and responsibilities mapped cleanly to job titles. That world doesn’t exist anymore.
What happens when we try to force-fit RBAC to our new reality? Role explosion. Access drift. Security teams are drowning in access requests while simultaneously losing visibility into who actually has access to what. And the most dangerous part? A false sense of security because “we have the roles defined.”
A Better Way Forward
To be clear, we don’t need to throw out RBAC entirely. We need to evolve beyond it. Modern identity security requires understanding the full picture of effective permissions – not just assigned roles.
Think of it like this: RBAC tells you what access someone should have based on their role. But in today’s environment, you need to know:
- What access do they actually have (including inherited and nested permissions)?
- Are they actually using that access?
- Does that access make sense given their current project/team/responsibilities?
- How does their access compare to peers in similar positions?
- What risks does their cumulative access create?
Answering those questions takes a fundamentally different approach – one that:
- Maps complete authorization chains from identities through to resources
- Provides real-time visibility into actual access patterns
- Leverages analytics to identify risk and right-size access
- Enables dynamic access adjustments based on context
- Continuously monitors for permission drift and anomalies
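As an added illustration (not code from this post or from any vendor platform), the Python below does the first three things in that list on constructed sample data: it walks the authorization chain from a user through nested roles and direct grants to compute effective permissions, then flags what was never used in the review window and what no teammate holds. All roles, users and log events are invented for the example.

```python
from collections import deque

# Constructed sample data (not from the post). Roles nest: a role also carries
# the grants of every role it includes, so effective access is the closure.
ROLE_INCLUDES = {"marketing": [], "analytics_project": ["marketing"], "dev": [],
                 "dev_payments": ["dev"], "admin": ["dev_payments", "analytics_project"]}
ROLE_GRANTS = {  # role -> {(resource, action)}
    "marketing": {("crm", "read")},
    "analytics_project": {("customer_dw", "read"), ("customer_dw", "export")},
    "dev": {("ci", "read"), ("ci", "write")},
    "dev_payments": {("payments_db", "read"), ("payments_db", "write")},
    "admin": {("iam", "admin")},
}
ASSIGNMENTS = {  # user -> roles, direct (out-of-role) grants, team for peer comparison
    "alice": {"roles": {"marketing"}, "direct": {("customer_dw", "read")}, "team": "marketing"},
    "bob": {"roles": {"analytics_project"}, "direct": set(), "team": "marketing"},
    "carol": {"roles": {"dev_payments"}, "direct": set(), "team": "platform"},
    "dave": {"roles": {"admin"}, "direct": set(), "team": "platform"},
}
USAGE_LOG = [  # constructed (user, resource, action) events from the review window
    ("alice", "crm", "read"), ("alice", "customer_dw", "read"),
    ("bob", "customer_dw", "read"),
    ("carol", "ci", "read"), ("carol", "ci", "write"), ("carol", "payments_db", "read"),
    ("dave", "iam", "admin"), ("dave", "ci", "read"),
]

def effective_permissions(user):
    """Follow the authorization chain: direct grants plus every nested role (cycle-safe)."""
    perms = set(ASSIGNMENTS[user]["direct"])
    seen, queue = set(), deque(ASSIGNMENTS[user]["roles"])
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        perms |= ROLE_GRANTS.get(role, set())
        queue.extend(ROLE_INCLUDES.get(role, []))
    return perms

def used_permissions(user):
    return {(res, act) for who, res, act in USAGE_LOG if who == user}

def review(user):
    """Right-sizing view: what they hold, what they never used, what no teammate holds."""
    eff = effective_permissions(user)
    team = ASSIGNMENTS[user]["team"]
    peers = [u for u in ASSIGNMENTS if u != user and ASSIGNMENTS[u]["team"] == team]
    peer_eff = set().union(*(effective_permissions(p) for p in peers)) if peers else set()
    return {"effective": eff, "unused": eff - used_permissions(user),
            "outliers": eff - peer_eff if peers else set()}  # no peers: nothing to compare
```

Running `review("dave")` shows the nesting problem the post describes: the "admin" role silently carries marketing and customer-analytics access three levels down, most of which is never used.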
The Technology Has Caught Up
The good news is that technology has evolved to make this possible. Modern identity security platforms can provide the comprehensive visibility and analytics-driven insights needed to secure access in dynamic environments. We can now see effective permissions across hybrid environments, spot unusual patterns, and make data-informed decisions about what access should stay and what shouldn’t.
The Challenge for Security Leaders
The technology exists, but driving this evolution requires security leaders to challenge status quo thinking about access control. It means acknowledging that while RBAC served us well, it alone cannot secure modern enterprises. It means embracing a more fluid, analytics-driven approach to identity security.
And we need to make that shift, because the stakes are too high not to. Every major breach nowadays involves identity compromise. The explosion of non-human identities and cloud services has created attack surfaces we couldn’t have imagined a decade ago. We can’t secure these modern environments with access models designed for a static world.
It’s time to evolve beyond “set it and forget it” access control. Our organizations already have. Our security needs to catch up.
What’s Next
If you’re still relying on static roles to manage access, you’re not alone—but it’s time to rethink that approach. If you’re ready to dig deeper, here are a couple of pieces where I’ve expanded on this topic:
- Securing Snowflake: A CISO’s Guide to Effective Access Control
I break down how we approached access governance for one of the most common data platforms in use today—and why the same old controls don’t cut it.
- Identity Governance in the Cloud Era (Identity Radicals Podcast)
In this podcast, I talk through what’s broken in identity governance today, and how leaders can get ahead of it instead of playing catch-up.
Want to see how the tech actually works?
- Check out the Platform Overview
It’ll give you a clearer picture of how we’re tackling this—real visibility into permissions, real-time context, and actionable insights.
Or if you’re done reading and ready to move:
- Schedule a Demo
Let’s cut through the noise and show you how to move past RBAC, once and for all.