Authorization in 2024: Year in Review

Dec 31st, 2024

Omri Gazitt

Authorization

As we close the books on 2024, let’s take a moment to reflect on all the progress we’ve made in modern authorization. If you’re in the trenches of access control, security, or identity management, you’ve probably seen the new energy around this space, from existing players and startups alike.

This year, we’ve seen more recognition that authorization needs to be “done right” than the previous three years combined! At trade shows like IIW, Identiverse, EIC, Authenticate, KubeCon, and Gartner IAM, we’ve seen a significant uptick in attention around authorization.

Here’s our take on the highlights of 2024.

Fine-grained authorization is becoming a must-have

First and foremost, fine-grained authorization is no longer a nice-to-have—it’s a requirement for every application. The days of relying solely on broad, role-based access control (RBAC) are behind us. Modern applications demand more nuanced and context-aware permissions, enabling precise control over who can access what, and under which conditions. This shift isn’t just about better security; it’s about delivering tailored user experiences without compromising on safety. Companies across industries are recognizing this and investing heavily in fine-grained authorization frameworks to keep up with user and business needs.

OPA and Zanzibar are the leading contenders

When it comes to implementation, OPA (Open Policy Agent) and Zanzibar have emerged as the leading contenders, each offering distinct architectural approaches. OPA shines with its policy-as-code framework, giving teams a powerful and flexible way to define and enforce rules programmatically. Zanzibar-based systems, on the other hand, bring a centralized and highly scalable solution for managing relationships and permissions. Both have their strengths and trade-offs, and the choice between them often depends on the specific requirements of the application. It’s been fascinating to see these two approaches gain traction and push the boundaries of what’s possible in authorization.
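To make the two architectures concrete, here is an added example (not code from the post, from OPA, or from any Zanzibar implementation) that puts a policy-as-code rule next to a relationship-based check. The policy function stands in for what you would express in Rego; the tuple store and relation rewrites mimic the Zanzibar model, including group membership and inheritance from a parent folder. All names, tuples and the schema are constructed for illustration.

```python
"""Policy-as-code versus relationship-based authorization, side by side.

Added example; every user, document, tuple and rule below is constructed.
"""

# --- Style 1: policy-as-code (conditions over subject/resource attributes)
# The rule lives in code next to the attributes it inspects, the way a
# Rego policy would in OPA.

def policy_allow(subject: dict, action: str, resource: dict) -> bool:
    """Hypothetical rule: owners may do anything; members of the resource's
    department may read it unless it is classified 'secret'."""
    if resource["owner"] == subject["id"]:
        return True
    if action == "read":
        return (subject["dept"] == resource["dept"]
                and resource["classification"] != "secret")
    return False


# --- Style 2: relationship-based (Zanzibar-style tuples)
# Tuples are (object, relation, subject). A subject may itself be a userset
# written "object#relation"; that is how group membership and folder
# inheritance compose without listing every user on every object.

TUPLES = {
    ("doc:plan", "parent", "folder:eng"),
    ("folder:eng", "viewer", "group:eng#member"),
    ("group:eng", "member", "user:bob"),
    ("doc:plan", "editor", "user:alice"),
}

# Relation rewrites (the schema). "self" means: look at tuples on this
# object with the given relation; any other key names a tuple-to-userset
# walk: follow that relation to another object, then check the target
# relation there. So a doc viewer is a direct viewer, OR an editor, OR a
# viewer of the parent folder.
REWRITES = {
    ("doc", "viewer"): [("self", "viewer"), ("self", "editor"), ("parent", "viewer")],
    ("doc", "editor"): [("self", "editor")],
    ("folder", "viewer"): [("self", "viewer")],
    ("group", "member"): [("self", "member")],
}


def check(obj: str, relation: str, user: str, _seen=None) -> bool:
    """Zanzibar-style Check: can `user` reach (obj, relation) through the
    tuple graph? The visited set makes cyclic graphs terminate."""
    seen = _seen if _seen is not None else set()
    if (obj, relation) in seen:
        return False
    seen.add((obj, relation))
    obj_type = obj.split(":")[0]
    for via, rel in REWRITES.get((obj_type, relation), [("self", relation)]):
        if via == "self":
            for o, r, s in TUPLES:
                if o != obj or r != rel:
                    continue
                if s == user:
                    return True
                if "#" in s:  # userset subject: recurse, e.g. group:eng#member
                    s_obj, s_rel = s.split("#", 1)
                    if check(s_obj, s_rel, user, seen):
                        return True
        else:  # tuple-to-userset: follow `via`, then evaluate `rel` there
            for o, r, s in TUPLES:
                if o == obj and r == via and check(s, rel, user, seen):
                    return True
    return False


if __name__ == "__main__":
    eng_member = {"id": "u1", "dept": "eng"}
    public_doc = {"owner": "u2", "dept": "eng", "classification": "public"}
    print(policy_allow(eng_member, "read", public_doc))          # True
    print(check("doc:plan", "viewer", "user:bob"))               # True, via folder and group
    print(check("doc:plan", "editor", "user:bob"))               # False
```

The contrast is the point: the policy version answers "does this subject's attributes satisfy this condition?", so it needs the attributes at decision time, while the relationship version answers "is there a path from this user to this object?", so it needs the tuple graph to be kept current as objects and memberships change.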

Topaz successfully combines OPA and Zanzibar

Speaking of combining strengths, Topaz has continued to shine in 2024 as the go-to solution for blending the best of OPA and Zanzibar. By integrating OPA’s policy engine with Zanzibar’s relationship-based access model, Topaz offers a unique way to tackle complex authorization challenges. This hybrid approach is helping teams get the scalability and flexibility they need without sacrificing simplicity.

The open-source community around Topaz has been thriving, with adoption and contributions from leading companies such as Roblox, RightData, UK MOD, Cosmonic, Flight Centre, and many others. It’s exciting to see companies capitalizing on Topaz to create practical solutions for real-world problems.

AuthZEN achieves implementer’s draft status

Another major milestone this year was the OpenID AuthZEN Working Group achieving Implementer’s Draft status. AuthZEN aims to do for authorization what OpenID Connect did for authentication: provide a standardized framework that simplifies and unifies how systems manage access. The release of this draft is a big step toward widespread adoption, promising a future where developers can rely on a universal standard to handle authorization across diverse platforms.

It's been gratifying for Aserto to be right in the middle of this effort. This achievement is a testament to the hard work and collaboration of the group, and it’s poised to have a lasting impact on the industry.

We predict that OpenID AuthZEN will reach Final Specification status in 2025, and will have native implementations in the majority of modern authorization systems.

API Authorization is an important enforcement point

Speaking of OpenID AuthZEN, one of the most important integration points for authorization is at the API gateway. Many brown-field applications could benefit from finer-grained authorization, but the cost of re-platforming them is often prohibitive, so many organizations are adding an extra layer of defense at the API gateway instead.

A good early demonstration of this is the work we did with Zuplo on enforcing API access via the Aserto / Zuplo integration. We predict that OpenID AuthZEN will find its way into many API gateways in 2025.
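The two preceding sections, the standardized AuthZEN evaluation call and enforcement at the API gateway, fit together in one small added example (not code from the post, from Aserto, Zuplo, or the AuthZEN working group). The request and response shape (subject, resource, action and context in; a boolean decision out) follows the AuthZEN evaluation API as I understand the Implementer's Draft; treat the exact field names as an assumption and confirm them against the current specification text. The gateway side shows the part that matters most for defense in depth: translating an HTTP request into an evaluation request, and failing closed whenever the route is unknown, the decision service errors, or the answer is anything but an explicit `true`. Routes, users and grants are constructed.

```python
"""An AuthZEN-shaped decision service and a gateway enforcement point.

Added example; the permission table and route table are constructed, and
the JSON field names are my reading of the AuthZEN draft, not a copy of it.
"""
import json
from typing import Optional

# Constructed grants the decision point consults: (subject id, action, resource type)
GRANTS = {
    ("alice", "can_read", "account"),
    ("alice", "can_write", "account"),
    ("bob", "can_read", "account"),
}


def evaluate(request_body: str) -> str:
    """Decision point: parse a JSON evaluation request, return a JSON decision.
    Malformed input yields an explicit deny, never an exception the caller
    might mistake for 'no objection'."""
    try:
        req = json.loads(request_body)
        subject = req["subject"]["id"]
        resource_type = req["resource"]["type"]
        action = req["action"]["name"]
    except (ValueError, KeyError, TypeError):
        return json.dumps({"decision": False})
    allowed = (subject, action, resource_type) in GRANTS
    return json.dumps({"decision": allowed})


# Constructed route table for the gateway: (method, path prefix) -> (action, resource type)
ROUTES = {
    ("GET", "/accounts/"): ("can_read", "account"),
    ("PUT", "/accounts/"): ("can_write", "account"),
}


def to_evaluation_request(method: str, path: str, user: str) -> Optional[str]:
    """Enforcement point: map an HTTP request onto an evaluation request.
    Routes with no mapping return None so that the caller denies them."""
    for (m, prefix), (action, rtype) in ROUTES.items():
        if method == m and path.startswith(prefix):
            resource_id = path[len(prefix):].split("/")[0] or None
            req = {
                "subject": {"type": "user", "id": user},
                "resource": {"type": rtype, "id": resource_id},
                "action": {"name": action},
                "context": {"method": method, "path": path},
            }
            return json.dumps(req)
    return None


def gateway_allows(method: str, path: str, user: str) -> bool:
    """Fail closed: a missing route mapping, an unparseable response, or a
    decision that is not literally true all result in a deny."""
    body = to_evaluation_request(method, path, user)
    if body is None:
        return False
    try:
        decision = json.loads(evaluate(body)).get("decision")
    except ValueError:
        return False
    return decision is True


if __name__ == "__main__":
    print(gateway_allows("GET", "/accounts/123", "alice"))    # True
    print(gateway_allows("PUT", "/accounts/123", "bob"))      # False
    print(gateway_allows("DELETE", "/accounts/123", "alice")) # False: no route mapping
```

In a real deployment `evaluate` is an HTTP call to the decision service rather than a local function, which is exactly why the fail-closed handling around it matters: a timeout or a 500 from the policy service must not degrade into an allow.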

Access control for RAG is becoming a hot use-case

Lastly, with chatbots becoming the new UI paradigm, a new use case for authorization has emerged: access control for retrieval-augmented generation (RAG) systems. As AI continues to integrate into everyday applications, ensuring secure and context-appropriate access to underlying data sources has become a critical challenge.

RAG systems, which combine AI models with external knowledge bases, require fine-grained control to ensure that sensitive or proprietary information is only accessed by authorized entities. This intersection of AI and authorization is opening up new frontiers, and 2024 has seen a surge in tools and frameworks designed to address these unique needs. We're proud of the work that we did with Pinecone earlier this year to explore the art of the possible, and of building a more complete solution around this in Q4.

In 2025, we believe that this may become as important a use-case as fine-grained authorization for multi-tenant SaaS has been in 2024.
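The retrieval step is where the access-control decision for RAG has to land: every chunk has to be checked against the calling user before it reaches the prompt. Here is an added example (not code from the post, from Aserto, or from Pinecone) of that filter. It also shows a failure mode that is easy to miss: if you take the top-k results first and filter afterwards, a user who is not allowed to see some of them receives fewer than k results, so the retriever over-fetches, filters, and only then truncates. The corpus, similarity ranking and ACL are constructed; in practice `can_read` would call your authorization service, for example the kind of check described earlier in this post.

```python
"""Authorization filtering for a RAG retrieval step.

Added example; corpus, ranking and ACL are constructed stand-ins.
"""
from typing import Callable, List

# Constructed corpus: chunk id -> (source document, text)
CHUNKS = {
    "c1": ("doc:public-faq", "Office hours are 9 to 5."),
    "c2": ("doc:hr-salaries", "Salary bands for 2024 ..."),
    "c3": ("doc:eng-runbook", "Rotate the signing key quarterly."),
    "c4": ("doc:public-faq", "Support email is help@example.test."),
    "c5": ("doc:hr-salaries", "Executive compensation ..."),
}

# Constructed similarity ranking per query, best match first (a vector
# index would produce this)
RANKING = {
    "how do I contact support": ["c4", "c2", "c1", "c5", "c3"],
}

# Constructed ACL: source document -> users allowed to read it
ACL = {
    "doc:public-faq": {"alice", "bob"},
    "doc:hr-salaries": {"alice"},
    "doc:eng-runbook": {"bob"},
}


def can_read(user: str, doc: str) -> bool:
    """Stand-in for a call to the authorization service."""
    return user in ACL.get(doc, set())


def naive_retrieve(query: str, k: int, user: str,
                   authz: Callable[[str, str], bool] = can_read) -> List[str]:
    """The tempting but wrong order: truncate to k, then filter. Safe, but
    users who cannot see some top hits get short-changed."""
    top_k = RANKING.get(query, [])[:k]
    return [c for c in top_k if authz(user, CHUNKS[c][0])]


def retrieve(query: str, k: int, user: str,
             authz: Callable[[str, str], bool] = can_read,
             overfetch: int = 3) -> List[str]:
    """Over-fetch k*overfetch candidates, drop everything the user may not
    read, then truncate to k. Nothing unauthorized survives this function."""
    candidates = RANKING.get(query, [])[: k * overfetch]
    permitted = [c for c in candidates if authz(user, CHUNKS[c][0])]
    return permitted[:k]


def build_context(query: str, k: int, user: str) -> List[str]:
    """The text that would be placed into the prompt for this user."""
    return [CHUNKS[c][1] for c in retrieve(query, k, user)]


if __name__ == "__main__":
    q = "how do I contact support"
    print(naive_retrieve(q, 2, "bob"))   # ['c4']: c2 was filtered, nothing replaced it
    print(retrieve(q, 2, "bob"))         # ['c4', 'c1']: still two usable chunks
    print(retrieve(q, 2, "mallory"))     # []: unknown user sees nothing
```

The `overfetch` factor is a tuning knob: too small and restricted users still see short result sets, too large and every query pays for authorization checks on chunks that are then discarded. For large corpora the alternative is to push the permission filter into the vector query itself (metadata pre-filtering), which is what the Pinecone work mentioned above explores.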

Summary

So, as we close the book on 2024, here’s to the progress we’ve made and the challenges we’ve overcome. Authorization is a deceptively hard problem, and we’ve seen significantly more awareness in 2024 around solutions that help engineering teams deal with the inherent complexities.

Externalized authorization, which was rare to find before 2020, is quickly becoming the default architecture for new projects. As an industry, we’re past the tipping point of delivering externalized authorization that’s not only more secure, but also more manageable and as highly performant as home-grown solutions. Here’s to an even brighter 2025!

Omri Gazitt

CEO, Aserto