Hey, <!channel>! 🎉 📖 We’re excited to share our new ebook “Securing Non-Human Identities in enterprise systems” This ebook breaks down: • NHI taxonomy • 20 NHI and AI agent risk vectors you need to know • 12 security principles and 35 actionable steps for NHI governance • Insights from NHI breaches (Okta, GitHub, and Microsoft) • Expert opinions from CISOs, security architects, and EMs working on IAM programs that include NHI security • A vendor landscape and evaluation checklist to guide your implementation strategy It’s actionable and built from real-world experience, designed to help IAM teams address the blind spots, over-permissioning, and security gaps that often come with AI agents, microservices, and automated workloads. Feel free to read the ebook and let us know what you think!

Happy Friday, community 😊 We wanted to share our case study with BarrierSystems with you! “BarrierSystems integrates Cerbos into smart vehicle access gates, cutting internal costs by 15%” The company used Cerbos to externalize authorization for easier policy management. As a result, they were able to: • Improve user experience, with a 15% decrease in customer issues • Simplify their own policy management workflows to enable consistent and reliable access control for their customers • Decrease associated internal costs by 15% as a result • Ship new features faster

Release - v0.45.0 New release published by github-actions[bot] ## Cerbos 0.45.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.45.0.html ## Changelog ### Bug fixes • 07adb2b fix: Handle multi-role planner precedence correctly (#2592) • adf9207 fix: Honour compile cache duration in rule table (#2602) • 1fd9668 fix: Protect against wildcards in policy names (#2593) ### Chores • 7fa8846 chore(ci): Remove deprecated

buf

actions (#2604) • 201601e chore(deps): Bump brace-expansion from 2.0.1 to 2.0.2 in /npm/test/registry (#2597) • abd1192 chore(deps): Update cerbos-sdk-go to 0.3.4 (#2606) • cbd9efd chore(deps): Update cerbos-sdk-go to v0.3.2 (#2589) • f5d113e chore(docs): Fix mistake related to compile.cacheSize configuration parameter (#2598) • 2a65d5b chore(release): Add 0.45.0 release notes (#2605) • eb97869 chore(release): Prepare release 0.45.0 • 6af3f42 chore(tracing): Fix names of tracing spans in engine (#2603) • ee97a59 chore(version): Bump version to 0.45.0 • 9e24d95 chore: More ASCII character class replacements (#2596) • 70c77ab chore: Replace ASCII character classes in validation regexes (#2595) cerbos/cerbos

Hey <!channel>! We wanted to share our latest blog with you, in which we explore two approaches to implementing 💡 hierarchy-based permissions in Cerbos, inspired by a real-world use case for a data analytics platform. Both methods leverage ABAC, but differ in their implementation strategy: 1️⃣ Policy-defined roles with attribute-based conditions. Defining explicit role policies for each tenant where hierarchical logic is hardcoded inside the policy. 2️⃣ Dynamic, attribute-driven generic policies. Shifting the hierarchical conditions entirely to the principal’s attributes and using a single, generic policy for interpretation. Feel free to check out the details here

Release - v0.45.1 New release published by github-actions[bot] ## Cerbos 0.45.1 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.45.1.html ## Changelog ### Bug fixes • 6808dae fix: Don't set bundleVersion when auto-configuring hub (#2608) ### Documentation • a4f2eea docs: Generate llm.txt and llm-full.txt (#2609) ### Chores • b0cc825 chore(ci): Fix

buf push

step (#2610) • 70766ee chore(deps): Bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 in /tools (#2611) • 549e877 chore(deps): Bump github.com/go-viper/mapstructure/v2 from 2.1.0 to 2.3.0 (#2618) • 7893eaf chore(deps): Update go deps (#2612) • 46458b5 chore(deps): Update go deps (#2619) • 3de8602 chore(deps): Update node.js deps (#2613) • 05e9783 chore(deps): Update node.js deps (#2620) • 6194038 chore(release): Add 0.45.1 release notes (#2621) • 47732be chore(release): Prepare release 0.45.1 • d9f01f8 chore(version): Bump version to 0.46.0 • 98d3145 chore: Pluggable schema resolver (#2614) cerbos/cerbos

hey <!channel>! 🙂 MCP servers are reshaping how AI agents interact with external tools and APIs. They unlock speed and flexibility, but can also punch holes in your security model if every agent can call every tool by default. Which why we are excited to share our guide on implementing dynamic authorization for AI agents and fine-grained permissions in MCP servers (and it doesn’t require a backend rewrite 😊).

Hello, <!channel> ! We’re excited to share our latest ebook with you: 📘 The “How to adopt externalized authorization: Planning your path”! Over the years, we’ve worked with hundreds of engineering, IAM, and security teams - helping everyone from early-stage startups to global enterprises navigate the process of adopting externalized authorization. That experience became the foundation for our new ebook. It’s a hands-on, 10-chapter guide that walks through every stage of the journey, from foundational planning to externalized authorization rollout and long-term governance. If you’re interested, feel free to download it here. Let us know what you think once you have a chance to read it! 🙌

Hey, <!channel> 👋 Exciting news - Cerbos documentation is now LLM optimized! Use your favorite AI assistant to help build Cerbos policies and integrations. Check out the details here.

Hey <!channel>! We have a really big update today 😊 We’re very excited to share that we have 🚀🎉 just released the updated Cerbos Hub! Cerbos Hub is now the centralized control plane for every authorization decision across applications, AI agents, services, and workloads. All identities. Any architecture at any scale. All in one place. This update is the result of your feedback. Over the past year, hundreds of engineering and security teams shared their challenges, and this input shaped four powerful new use cases: 1. Fine-grained, tenant specific authorization 2. Dynamic policy management at scale 3. Scalable NHI permission management 4. Secure authorization for MCP servers This latest update brings new features across the entire authorization lifecycle. So now you can: • Create, update, and deploy policies programmatically • Scale your policies by tenant, team, environment, or use case with the new Policy Stores • Push and deploy policy updates from any Git provider, CI tool, or API, with real-time distribution and built-in testing • Get a complete audit trail of every access decision across all identities, tenants, and apps • And much more! If you haven’t tried Cerbos Hub yet, and you’re looking to manage authorization for every identity in your system with full visibility, consistent policy enforcement, and Zero Trust alignment - this is the time to check it out 🙂 We’re happy to walk you through the new features and explore how they can meet your requirements. Our engineer and Head of Product are happy to talk with you!

Happy Friday, community! We’re back with some more fun news! 😊 We are excited to share that Cerbos Hub has been named Best in Microservices Infrastructure at the 2025 API Awards! 🥇 Thank you for your continued support, and for being on this journey with us!

Hello, our awesome community! Do you want to learn best practices for multi-tenant authorization? Join our spotlight webinar on Jul 29 to see how to model and manage per-tenant access policies. Together with our CPO, @Alex Olivier (Cerbos), we’ll cover: • Real-world implementation examples • How to build tenant-specific Policy Stores with isolation and traceability • The architecture needed to scale per-tenant authorization • Supporting enterprise customers with custom roles and dynamic logic • Live demo of policy creation, deployment, and updates via API and Git Register here → https://zoom.us/webinar/register/WN_-U732lkoQLOdaCCyasJ_ag%20#/registration

Hey everyone 👋 We wanted to let you know about our next upcoming webinar, where we will dive into programmatic policy management for complex systems. We’ve heard from a number of you about issues with scaling manual permission updates. As your system grows with more tenants, services, and agents, keeping access control up to date gets messy. If you’d like to learn how to manage permission updates with code, join us on August 6. We’ll go through: • When to use programmatic updates (and when not to) • Static vs. dynamic policy models • Managing policies via CLI, API, and SDKs • Deploying from Git, CI, or external systems • Architectures for scaling real-time policy updates • Live demo: building dynamic policies and integrating with your systems You can register here ➡️ https://zoom.us/webinar/register/5317539696581/WN_SOGae5oqTSaJu28uiogCqA

Release - v0.46.0 New release published by github-actions[bot] ## Cerbos 0.46.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.46.0.html ## Changelog ### Features • 6cff78d feat: Include policy source in audit logs (#2624) ### Enhancements • e73ec4c enhancement: Add embedded PDP metadata to audit logs (#2625) • 8b4cbe3 enhancement: Stickier PDP IDs (#2641) ### Bug fixes • 8184fdf fix: Handle const false DENY nodes in role-level query planning (#2644) • 3b2f73c fix: Handle rule-less policies for multi-tenant fallthrough (#2649) ### Documentation • ede245a docs: Fix css for logo on hover (#2628) ### Chores • 3531121 chore(ci): Set MySQL tag (#2647) • 084ad71 chore(ci): Temporarily disable MySQL E2E tests (#2650) • 445ca4e chore(ci): Use official MySQL image in E2E tests (#2646) • 616d48d chore(deps): Bump form-data from 4.0.2 to 4.0.4 in /npm/test/registry (#2654) • e12847a chore(deps): Bump github.com/docker/docker from 28.2.2+incompatible to 28.3.3+incompatible in /tools (#2655) • 15b5edf chore(deps): Bump helm.sh/helm/v3 from 3.17.3 to 3.18.4 in /tools (#2632) • 664315c chore(deps): Update github actions deps (#2642) • 149a57d chore(deps): Update go deps (#2626) • 4abe304 chore(deps): Update go deps (#2635) • 4803489 chore(deps): Update go deps (#2643) • ded17ae chore(deps): Update go deps (#2651) • 8629867 chore(deps): Update node.js deps (#2652) • 3b6b8d3 chore(deps): Update pnpm to v10.13.1 (#2636) • 1b3690b chore(deps): Update sigstore/cosign-installer action to v3.9.1 (#2627) • 1a130aa chore(deps): update module helm.sh/helm/v3 to v3.18.4 [security] (#2633) • 031a3c5 chore(release): Add 0.46.0 release notes (#2657) • 2e55b6b chore(release): Prepare release 0.46.0 • 17d8000 chore(version): Bump version to 0.46.0 • 17e74dc chore: Enable gzip and increase response size limit for cerbosctl (#2631) • 4b09afc chore: Rename cerbosctl hub

like

filter to

contains

(#2623) • e8e7a86 chore: Use new Bitnami repository (#2640) cerbos/cerbos

hey <!channel>! 👋 We have launched the new Usage Dashboard in Cerbos Hub! 🙌 This new feature provides a comprehensive, real-time view of your authorization service, allowing you to monitor key metrics, analyze trends, and gain valuable insights into your policies and their consumers. The new usage insights, available on both the workspace homepage and its own dedicated “Usage” section, surface these key metrics into a quick reference dashboard. It provides a detailed breakdown of your Monthly Active Principals (MAPs), decisions, query plans, and more, allowing you to see exactly how your authorization policies are being used. Details can be found here.

Hey community! 🔥 During these hot summer days, we’re diving into an even hotter topic: securing MCP servers. If your AI agents are getting smarter and gaining access to tools, APIs, and sensitive systems via the Model Context Protocol, you already know the risks aren’t just theoretical. Join our free MCP security webinar on August 14: https://zoom.us/webinar/register/3017545640027/WN_lefbNhY7RmimAflP7xbTzg Can’t make it live? No worries - we’ll share the recording afterward. Check out the preview video below where Alex Olivier (our CPO & Co-Founder) gives you a taste of what we’ll cover! 👇

🎉 We just passed 4,000 stars on GitHub. A huge thank you to our amazing community for the support! Who wants to give us star number 4001? 😉

Hey <!channel>! 👋 Our next webinar is diving deep into non-human identity authorization on August 26th. Most teams have Zero Trust figured out for humans. But their service accounts, API keys, workload identities and agents? Still getting broad permissions. The reality is that Zero Trust architecture is only as strong as how teams handle these machine identities. We’ll start the webinar with the fundamentals (NHI types, common risks) then get into the architecture patterns you need for proper Zero Trust, and fine-grained, method-level authorization What we’re covering: • NHI fundamentals and risks • 5 common authentication methods for NHIs • Zero Trust principles applied to NHIs • Fine-grained, method-level authorization for workloads and agents • Delegated authorization and on-behalf-of identity handling • How to unify policies and audits across the stack • We’ll also touch briefly on broader NHI security strategies beyond authorization. *Register:* https://zoom.us/webinar/register/4117556840966/WN_OHDM3rveSZ-pBD5ApU6gsw Can’t make it live? No worries - register anyway and you’ll get the recording. Looking forward to seeing some familiar faces there! 🚀

Happy Friday, community 😊 Excited to share that we have just shipped some new features! Both came directly from customer feedback about debugging and monitoring: 1️⃣ Understanding why specific authorization decisions were made 2️⃣ Getting visibility into usage patterns across multiple teams. Details can be found here If you’re already using Cerbos Hub, head to the playground to try execution traces or check your dashboard for the new organization view. If you’re not using Cerbos Hub yet, you can sign up for free and see both features in action with your own policies.

Hey everyone, hope your week is off to a good start! We just published a technical guide on making application authorization context-aware with Cerbos outputs 📃 If you’ve ever had users confused by cryptic “access denied” messages, or struggled with audit trails that only tell you what happened but not why - this guide could be relevant for you. Cerbos outputs solve the above by providing contextual metadata that transforms binary allow/deny decisions into intelligent, actionable authorization responses.

Happy Monday, community 😊 We just published a guide on how to write schemas. Why care about schemas? Well, when you write Cerbos policies, you’re essentially making assumptions about the shape of data your application will send. Without schemas, those assumptions are just that: assumptions. Your policies become a house of cards waiting for the wrong payload to knock everything down. With schemas in place: • You can catch integration errors during testing, not in production; • Get documentation that can’t lie; • And prevent attribute injection attacks. Feel free to check the blog out, if it’s relevant for you. Have a great week!

👋 Some of you have asked how to filter database results. So we put together a detailed guide answering that question, the focus of which is the PlanResources API. You can check it out here.

Hey, <!channel>! After seeing so many of you registered for our MCP webinar (seriously, the response was amazing!), we knew there was a real appetite for diving deeper into MCP security. So, our co-founder Emre wrote a comprehensive ebook “*Zero Trust for AI: Securing MCP Servers*” covering what we couldn’t fit into the webinar: • Why MCP servers are becoming high-privilege security risks • How traditional RBAC fails in AI environments • The PEP/PDP architecture for Zero Trust AI systems • Ready-to-implement authorization policies and deployment patterns The guide draws from our work with customers implementing AI systems and covers real incidents like the recent Supabase and Asana vulnerabilities. Thanks for all the great questions during the webinar - they influenced what went into this guide. Hope you find it helpful for your MCP implementations! :books:Get access to the ebook here

Hey everyone! Some more news on the topic of MCP to start off the week 😊 We are excited to share that 🤖 we have introduced cerbos-fastmcp middleware. FastMCP is a popular Python framework for building production-ready Model Context Protocol servers. However, a default FastMCP implementation exposes all tools to all users, creating a significant security risk. The introduced middleware brings policy-based, fine-grained access control to FastMCP deployments. This allows teams to define authorization rules in human-readable YAML policies, completely decoupled from application code. Check out this blog for the details and a demo: https://www.cerbos.dev/blog/how-to-secure-your-fast-mcp-server-with-permission-management

Hey everyone 😊 We have a new guide out “Zero-Trust for microservices, a practical blueprint”! If you are moving from monoliths to distributed systems, you’ve likely hit the authorization wall. In the guide, we tackle the critical question modern architectures struggle with: “Is Service A allowed to access Resource X on behalf of User Y?” What we cover: → Why perimeter-based security fails in microservices, and creates lateral movement risks → Implementing workload identity for services, bots, and AI agents → The “on-behalf-of” authorization model for context-aware decisions → Real policy examples for service-to-service authorization and AI agent constraints → Observability through OpenTelemetry integration and centralized audit logs

Hey community 👋 Earlier this year, Cerbos co-founder and CPO Alex Olivier took the stage at DevDays Europe alongside experts Kenneth Rohde Christiansen, Paul Dragoonis, Romano Roth, and Victor Lyuboslavsky to speak on the topic of “*Building the Future: Trends in Modern Application Architecture*”. They tackled everything from AI’s impact on cloud infrastructure to the perennial microservices vs. monolith debate. If you’re curious, you can check out the recording and summary write-up here 👈 😊

Hello, everyone ☺️ We just published a new guide “Mapping business requirements to authorization policy for insurance” In it, we explore how authorization helps fight insurance fraud (which costs the industry $306B annually), and break down PBAC examples across auto, life, and property insurance. Complete with Cerbos policies you can use 💻

Release - v0.47.0 New release published by github-actions[bot] ## Cerbos 0.47.0 View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.47.0.html ## Changelog ### Features • 1b8e12d feat(helm): allow specififying service.trafficDistribution (#2693) • 3ea4971 feat: Add AWS Lambda support (#2661) • ac53850 feat: Decouple rule table (#2653) ### Enhancements • d1e01d8 enhancement: Add upload-git cmd and change details from git to replace-files cmd (#2695) • e82e409 enhancement: More detailed schema errors (#2663) • 46bf586 enhancement: Use default config if one not provided for Lambda (#2728) ### Bug fixes • d0edd70 fix: Batch dependents and deflake CI suites (#2677) • e89c9cc fix: Fix e2e blob test by guaranteeing policy existence (#2672) • 0e863bb fix: Fix e2e overlay test (#2671) • ce2c68d fix: Increase blob e2e sleep period (#2684) • 054159c fix: Use CollectT in EventuallyWithT (#2685) ### Documentation • a9f9af4 docs(lambda): Add AWS Lambda docs (#2740) • 2d8e7f6 docs: Add AI policy to contribution guidelines (#2710) • 353d188 docs: Fix broken link in README.md (#2658) • 7cfd150 docs: Fix broken links to Hub documentation (#2741) ### Chores • 2f6df1c chore(ci): Clean up .goreleaser.yml (#2670) • fdc383f chore(ci): Clean up deployment to AWS SAR (#2723) • 9f5baba chore(ci): Clear disk space quicker (#2692) • 26f5ead chore(ci): Increase E2E blob store update interval (#2720) • a72d22c chore(ci): Move all Minio images to bitnamilegacy (#2722) • f8559c9 chore(ci): Publish AWS Lambda extension to SAR (#2719) • 08ed41a chore(ci): Publish lambda handler to AWS SAR (#2707) • ada628e chore(ci): Rename lambda release directories for consistency (#2725) • 7cb7f74 chore(ci): Set minimum age for Renovate dependencies (#2708) • 1dca73d chore(ci): Test publishing to SAR (#2713) • 6ca5696 chore(ci): Use faster disk space reclaim action (#2694) • 124d4f8 chore(ci): Use legacy Bitnami registry (#2721) • f6bf465 chore(deps): Bump github.com/docker/docker from 27.2.0+incompatible to 28.0.0+incompatible (#2666) • e621d1f chore(deps): Bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 (#2673) • 8705370 chore(deps): Bump github.com/quic-go/quic-go from 0.54.0 to 0.54.1 in /tools (#2731) • 7848eb4 chore(deps): Bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 in /tools (#2678) • 0c1cc42 chore(deps): Update Buf dependencies (#2737) • 0bc938c chore(deps): Update GitHub Actions deps to v5 (major) (#2712) • 86df549 chore(deps): Update Go deps (#2711) • 27c8dbd chore(deps): Update Go deps (#2717) • 8133849 chore(deps): Update Go deps (#2727) • 617c1be chore(deps): Update Go deps (#2732) • b3dfff0 chore(deps): Update Go deps (#2739) • 4094281 chore(deps): Update Go deps (#2744) • aa5c201 chore(deps): Update No… cerbos/cerbos

Hey community 👋 We just published a technical guide on how to leverage JWT claims in Cerbos. Feel free to check it out if it’s relevant for you. Main takeaways: • Cerbos verifies JWTs using your JWKS and exposes claims directly to policy conditions. • You can configure multiple keysets, cache verified tokens, and handle rotation without restarts. • Claims like iss, aud, and sub can be enforced centrally in CEL expressions. • Gateways can pass tokens through; one policy set covers edge and service. • Stolen credentials remain a top initial action in breaches at 24 percent in 2024. Strong token verification helps reduce risk. • Disable verification only for controlled testing, not for production.

Hey everyone 🙂 Coming to you with some great news. You can now run Cerbos natively inside AWS Lambda. [Guide for reference] Depending on your preference, you can deploy Cerbos directly in AWS Lambda-either as a standalone function or as a lightweight extension layer-while using Cerbos Hub for centralized policy management and audit-logging.

Hey everyone, we got some requests asking for a possibility to automate Cerbos policy uploads. There is now a solution 🙌 The cerbos-store-action GitHub Action can be used for this purpose. Check out our guide for details. Have a great week!👋