Gartner carries a big megaphone in the identity & access management world, and the Gartner IAM Summit is the signature event where organizations come to learn about the latest trends in IAM.
That’s why it’s good to see Authorization becoming a focus area at the conference. Here are some of our top takeaways from the event, organized into four categories: Standards, Externalized Authorization Architectures, API Access Control, and Authorization for GenAI / RAG.
Identity Standards
Gartner clearly recognizes OpenID AuthZEN as the next step in authorization standards. In the opening keynote, Felix Gaehtgens described the most important future identity standards.
Mehmet Yaliman expanded on the role of these emerging standards in his talk on Demystifying Identity Protocols.
Mehmet also described how AuthZEN (and OPA) fit within an identity architecture to perform API authorization.
Finally, Gartner invited me to give a talk about AuthZEN, wearing my co-chair hat. I was joined by David Brossard from Axiomatics and Gartner’s own VP Analyst, Homan Farahmand, to describe the goals, progress, current state, and futures of AuthZEN.
We also demonstrated the interop scenario (check out a recorded video!), and explained the various enforcement points / use cases for AuthZEN.
Externalized Authorization Architectures
Espen Bago’s Policy-Based Authorization talk described the various techniques of externalized authorization, and contrasted ABAC and ReBAC as the most popular ones.
He also did a good job listing the modern / cloud-native authorization vendors, and we loved seeing Aserto listed first 🙂
Mehmet’s talk on Authorization Architecture and Modernization was a nice complement, and did a good job differentiating admin-time and runtime authorization.
He also defined authorization granularity, and what’s driving the move to fine-grained authorization.
API Access Control
Mehmet’s talk also touched on some of the use cases for externalized authorization, including access control for APIs.
Erik Wahlstrom’s talk on API Access Control expanded on externalizing authorization, and also made the point that the developer experience for API authorization has to improve.
Access Control for Retrieval-Augmented Generation
Finally, we loved seeing Homan Farahmand describe how Generative AI and IAM intersect. He described the pattern of applying access control to the RAG scenario.
And we loved seeing him credit Aserto as being one of the few vendors that delivers a solution in this space 🙂
Conclusion
The Gartner IAM Summit was a big step forward in demystifying modern authorization for large organizations. We’re already looking forward to building on this momentum at Gartner IAM Summit 2025 in London, where we expect to expand on AuthZEN and hope to even hold some interoperability demos!
If you’d like to learn more about modern authorization, we can help! Contact us here.