Hi everyone! Or Weis, CEO of Permit.io here.
After a short hiatus, we're back with another post!
Same as before, we’ll be using this Substack to dive into the intricate world of Identity and Access Management (IAM), share tips, insights, resources, and (hopefully) relatable memes 😉
As we wrap up 2024 and step into 2025, I wanted to take a moment to share some reflections on the past year, predictions for the coming year, and a behind-the-scenes look at what’s happening at Permit.io.
2024 in Permission Patterns
From day one, our goal has been not just to deliver the best IAM tech but also to help developers think about the nuances and complexities of access control in their space. We aim to help them manifest these as simple policies that product managers, security teams, compliance officers, and developers can all work with, discuss, and figure out the right balance for their products.
There have been a lot of common permission patterns emerging this year, which we've seen become commonplace amongst our customers. Here are some I believe to be the most prominent ones:
Ownership
From marketplaces to file management systems, banking, and healthcare, the ownership pattern is emerging as a basic requirement expected from even the simplest applications.
I believe the reason lies in the nature of modern software and its sharing requirements. Sharing and collaboration features directly translate into business value and are a fundamental expectation of most modern customers.
Users in modern applications rarely exist in their own separate bubbles, and the moment you start having cross-user interactions, ownership quickly floats to the top as a priority.
Conditions of Time and Space
In the B2B space, we’ve seen developments around conditional access, like time-based, geolocation-based policies and different organizational units.
Here, instead of ownership being assigned to an individual, it’s assigned to departments or groups.
Location and its organizational nuances are super important in the context of compliance - a company managed in Switzerland, for instance, might operate under Switzerland’s unique compliance framework, while users from other regions must adhere to different compliance rules.
Each territory in which companies operate introduces location-based access requirements.
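To make the ownership pattern and the time/location conditions concrete, here is an added example (my illustration, not Permit.io's code or SDK). It combines individual and department-level ownership with a territory restriction and a UTC write window in one deny-by-default check; the `Principal` and `Resource` shapes, the `is_allowed` function and the sample data are all assumptions.

```python
"""Ownership plus time/location conditions (added example, not Permit.io's code).
Principal, Resource, is_allowed and the sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    department: str          # organizational unit (the B2B group-ownership case)
    region: str              # country code of the user's location, e.g. "CH"


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_user: Optional[str] = None           # ownership assigned to an individual
    owner_department: Optional[str] = None     # ownership assigned to a department
    allowed_regions: FrozenSet[str] = frozenset()      # empty = no location restriction
    write_hours_utc: Optional[Tuple[int, int]] = None  # [start, end) UTC hours for writes


WRITE_ACTIONS = {"update", "delete", "share"}


def owns(p: Principal, r: Resource) -> bool:
    """Ownership pattern: the user owns the resource directly or through their department."""
    if r.owner_user == p.user_id:
        return True
    return r.owner_department is not None and r.owner_department == p.department


def in_allowed_region(p: Principal, r: Resource) -> bool:
    """Location condition: a resource scoped to a territory is unavailable elsewhere."""
    return not r.allowed_regions or p.region in r.allowed_regions


def in_write_window(r: Resource, now: datetime) -> bool:
    """Time condition: writes are accepted only inside the configured UTC window."""
    if r.write_hours_utc is None:
        return True
    start, end = r.write_hours_utc
    return start <= now.hour < end


def is_allowed(p: Principal, action: str, r: Resource, now: Optional[datetime] = None) -> bool:
    """Deny by default: ownership and location must hold for every action,
    and write actions additionally need the time window."""
    now = now or datetime.now(timezone.utc)
    if not (owns(p, r) and in_allowed_region(p, r)):
        return False
    if action == "read":
        return True
    if action in WRITE_ACTIONS:
        return in_write_window(r, now)
    return False  # unknown actions are never allowed


# Constructed sample data: a finance document managed from Switzerland.
SWISS_LEDGER = Resource("ledger:2024", owner_department="finance",
                        allowed_regions=frozenset({"CH"}), write_hours_utc=(8, 18))
PERSONAL_NOTE = Resource("note:7", owner_user="dave")   # individually owned, no conditions
ALICE = Principal("alice", "finance", "CH")
BOB = Principal("bob", "finance", "US")               # right department, wrong territory
CAROL = Principal("carol", "engineering", "CH")       # right territory, not an owner
DAVE = Principal("dave", "legal", "CH")
AT_10 = datetime(2024, 12, 30, 10, 0, tzinfo=timezone.utc)
AT_20 = datetime(2024, 12, 30, 20, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(is_allowed(ALICE, "read", SWISS_LEDGER, AT_10))     # True
    print(is_allowed(ALICE, "update", SWISS_LEDGER, AT_20))   # False: outside write window
    print(is_allowed(BOB, "read", SWISS_LEDGER, AT_10))       # False: wrong region
    print(is_allowed(CAROL, "read", SWISS_LEDGER, AT_10))     # False: not an owner
```

The point of evaluating ownership and location before the action is that a user outside the territory learns nothing about the resource at all, not even that it exists; the time window only narrows what an already-authorized owner can do.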
Front-End Integration
Another challenge on the rise is the translation of access control into user experiences. There are two key elements here:
The first is adjusting the front-end experience according to back-end access control.
Access control isn’t just a back-end concern anymore—it’s a key part of user experience. We have many users asking for fine-grained feature flagging that adapts to what each user is authorized to see or do.
For example, it’s no longer just a question of whether a user can use the delete button; it’s about determining the specific cases and objects against which the user is allowed to perform the delete action.
All the granularity we’re seeing in the backend is starting to reflect more and more in the frontend.
Second, there’s a growing emphasis on filtering in the front-end experience. More and more applications want lists—such as lists of users or resources—that are filtered to reflect only what the user is authorized to interact with.
To support this, we’ve been providing various filtering options, including application-level and policy decision point (PDP)-level filtering.
We’ve observed that the most sought-after features are two key functionalities we offer: Get User Permissions and Get Authorized Users.
The first allows you to determine a user's permissions on certain resources, and the second identifies which users are allowed to access those resources.
These functionalities effectively act as reverse indices. Traditionally, within the IAM community, reverse indices like these are primarily used for auditing and compliance purposes. However, it turns out they provide significant value in building secure front-end experiences.
It’s important to mention this isn’t just a security thing - you can easily see how these two features can translate directly into business value.
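The two reverse indices described above, as an added example (not Permit.io's SDK; the function names `get_user_permissions`, `get_authorized_users`, `filter_visible` and `ui_capabilities`, and the role and assignment data, are assumptions). It builds both indices from one set of role assignments and then uses them for the two front-end cases in the text: filtering a list down to what the user may see, and deciding which buttons to render for a specific object.

```python
"""Get User Permissions / Get Authorized Users as reverse indices (added example,
not Permit.io's SDK). Roles, assignments and function names are assumptions."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Role definitions: which actions each role grants on a resource instance.
ROLES: Dict[str, Set[str]] = {
    "viewer": {"read"},
    "editor": {"read", "update"},
    "owner": {"read", "update", "delete", "share"},
}

# Constructed role assignments: (user, role, resource instance).
ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("alice", "owner", "doc:1"),
    ("alice", "viewer", "doc:2"),
    ("bob", "editor", "doc:1"),
    ("carol", "viewer", "doc:3"),
]


def build_indices(assignments):
    """Expand assignments once into a forward index (user -> resource -> actions)
    and a reverse index (resource -> action -> users)."""
    by_user = defaultdict(lambda: defaultdict(set))
    by_resource = defaultdict(lambda: defaultdict(set))
    for user, role, resource in assignments:
        for action in ROLES.get(role, set()):   # unknown roles grant nothing
            by_user[user][resource].add(action)
            by_resource[resource][action].add(user)
    return by_user, by_resource


BY_USER, BY_RESOURCE = build_indices(ASSIGNMENTS)


def get_user_permissions(user: str) -> Dict[str, Set[str]]:
    """Everything one user may do, keyed by resource (the 'Get User Permissions' query)."""
    return {res: set(acts) for res, acts in BY_USER.get(user, {}).items()}


def get_authorized_users(resource: str, action: str) -> Set[str]:
    """Everyone who may perform an action on a resource (the 'Get Authorized Users' query)."""
    return set(BY_RESOURCE.get(resource, {}).get(action, set()))


def filter_visible(user: str, resources: List[str], action: str = "read") -> List[str]:
    """Front-end list filtering: keep only items the user is authorized to see."""
    perms = get_user_permissions(user)
    return [r for r in resources if action in perms.get(r, set())]


def ui_capabilities(user: str, resource: str,
                    buttons=("update", "delete", "share")) -> Dict[str, bool]:
    """Per-object feature flags: which buttons to render for this user on this object."""
    allowed = get_user_permissions(user).get(resource, set())
    return {b: b in allowed for b in buttons}


if __name__ == "__main__":
    print(get_user_permissions("alice"))
    print(get_authorized_users("doc:1", "update"))          # {'alice', 'bob'}
    print(filter_visible("bob", ["doc:1", "doc:2", "doc:3"]))  # ['doc:1']
    print(ui_capabilities("bob", "doc:1"))
```

The same data answers both questions; what differs is which key you index on. Serving the reverse index from the decision point rather than re-deriving it in the client keeps the front-end honest: it can only render what the back end would also allow.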
AI-Native Applications
This year also marked the emergence of AI-native applications. It would be difficult for me to think of even a single customer who isn’t at least experimenting with building machine learning models, AI agents, or similar solutions. And with that comes new challenges in access control.
We've identified the four most critical parameters to secure AI apps.
RAG (Retrieval-Augmented Generation), AI’s own memory, and what it is allowed to share from that memory.
The resources and external services that the AI can utilize. This involves defining access control for what the AI can utilize within the context of the other users it’s acting on behalf of.
The AI agent’s input: what types of prompts it is allowed to accept.
The AI agent's output: what types of responses it is allowed to return. This becomes especially important with structured responses (e.g., via https://ai.pydantic.dev/).
As these elements become more integrated and structured into software, there is a continuously growing need for granularity in their control.
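As an added example (not Permit.io's code), here is one small guard that enforces each of the four parameters above: memory chunks carry a read ACL so retrieval never returns what the acting user may not see, tool calls are bounded by the on-behalf-of user's grants, prompts proceed only for accepted intents (the intent label is assumed to come from an upstream classifier), and structured responses are checked against a field schema with citations to unreadable chunks dropped. All names and sample data are assumptions.

```python
"""Guarding the four parameters of an AI-native app (added example, not Permit.io's code):
memory/RAG retrieval, tool use on behalf of a user, accepted prompt intents and
structured output. Every name and all sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class MemoryChunk:
    chunk_id: str
    text: str
    readers: FrozenSet[str]   # users allowed to see this chunk


# Constructed agent memory / knowledge base with per-chunk read ACLs.
MEMORY: List[MemoryChunk] = [
    MemoryChunk("m1", "Q3 revenue forecast", frozenset({"alice"})),
    MemoryChunk("m2", "Office holiday schedule", frozenset({"alice", "bob"})),
    MemoryChunk("m3", "Pending acquisition notes", frozenset({"ceo"})),
]

# Tools the agent may call when acting on behalf of each user.
TOOL_GRANTS: Dict[str, Set[str]] = {
    "alice": {"calendar.read", "calendar.write", "email.send"},
    "bob": {"calendar.read"},
}

ACCEPTED_INTENTS = {"schedule_meeting", "summarize_docs"}   # input parameter
OUTPUT_FIELDS = {"answer", "citations"}                     # output parameter (schema)


class PolicyViolation(Exception):
    pass


def retrieve(user: str, query: str) -> List[MemoryChunk]:
    """RAG/memory parameter: only chunks the acting user may read reach the prompt.
    An empty query returns everything readable (used for the output check)."""
    q = query.lower()
    return [c for c in MEMORY if user in c.readers and (not q or q in c.text.lower())]


def tool_allowed(user: str, tool: str) -> bool:
    """Resource parameter: tool use is bounded by the on-behalf-of user's grants."""
    return tool in TOOL_GRANTS.get(user, set())


def call_tool(user: str, tool: str) -> str:
    if not tool_allowed(user, tool):
        raise PolicyViolation(f"{user} may not use {tool}")
    return f"{tool} invoked for {user}"


def accept_input(intent: str) -> bool:
    """Input parameter: only prompts classified into an accepted intent proceed."""
    return intent in ACCEPTED_INTENTS


def output_schema_ok(response: Dict) -> bool:
    """Output parameter, part 1: the structured response carries only known fields."""
    return set(response) <= OUTPUT_FIELDS


def check_output(user: str, response: Dict) -> Dict:
    """Output parameter, part 2: citations may only point at chunks the user could
    have read, so the answer cannot leak memory through its references."""
    if not output_schema_ok(response):
        raise PolicyViolation(f"unexpected fields: {sorted(set(response) - OUTPUT_FIELDS)}")
    readable = {c.chunk_id for c in retrieve(user, "")}
    return {"answer": response.get("answer", ""),
            "citations": [c for c in response.get("citations", []) if c in readable]}


if __name__ == "__main__":
    print([c.chunk_id for c in retrieve("bob", "")])                      # ['m2']
    print(tool_allowed("bob", "email.send"))                              # False
    print(check_output("bob", {"answer": "ok", "citations": ["m2", "m3"]}))
```

The retrieval and output checks share one definition of "readable", which is what keeps the output guard consistent with the memory guard as the ACLs change.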
The Future of Access Control - a Glimpse Into IAM in 2025
The Challenge of Cascading Permissions
One of the most critical aspects we’re observing, which I predict will become one of the central pillars of access control, is the cascade of access on behalf.
At this point in time, most identities interacting with our applications are either human identities acting on their own behalf or services catering to specific users. However, we’re increasingly seeing more agents and services acting on behalf of other agents and services, creating a chain of delegation that ultimately (hopefully) originates from a human who triggered the initial request.
Now, consider the complexity of this scenario: It's common to have multiple different applications that are not part of the same company or suite—they’re entirely separate products. Each of these products has its own agents, and these agents interact with other agents.
Cascading permissions in access control introduce significant complexity as services and AI agents increasingly act on behalf of other agents, creating intricate chains of delegation. For instance, an AI scheduling app might access calendars, send notifications via multiple channels, and interact with external services to make reservations, while downstream agents, such as one at a restaurant, might trigger further actions like preparing for additional guests. In enterprise settings, tasks like scheduling meetings, reserving rooms, or granting access to resources involve multiple interconnected agents, each with specific permissions.
When a security incident arises, it becomes critical yet challenging to trace the chain of actions and triggers, because traditional audit logs carry only limited context. Without a comprehensive view of these interactions, organizations face increased risk of misconfigurations, unintended access propagation, and security vulnerabilities, exacerbating the complexity of managing modern access control systems.
The Solution? A Cascade of Audit Logs
The only way to get a proper picture of what is happening in this scenario is through a cascade of audit logs—essentially tracking who did what on behalf of whom. It’s no longer sufficient to simply record the identity performing the action. We also need to record the context of the identity on whose behalf the action is taking place.
Was it an AI agent? If it was a human, in what context were they operating? Were they acting on behalf of someone else?
These logs must be built to allow us to trace back to the original trigger point.
Only then would we be able to see the full picture—from the point where the user interacted with a system to the result of this interaction. This is already starting to happen, and within the next year or so, I think it will become one of the most troublesome aspects of auditing.
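The cascade of on-behalf-of context and audit records described in this section, as an added example (not Permit.io's code). Every action is recorded with the full delegation chain (actor, then each identity it acts on behalf of, down to the original human trigger), a shared trace id and a parent record, so any record can be traced back to the trigger point. The authorization model is an assumption chosen to show the "unintended access propagation" risk: the immediate actor must hold the permission, and every hop in the chain must be a registered delegation, so an agent merely claiming to act on someone's behalf is denied and the denial is logged with its claimed chain. All identities, grants and resources are constructed.

```python
"""Cascade of on-behalf-of context and audit logs (added example, not Permit.io's code).
The delegation model and every identifier below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str   # "human", "agent" or "service"


@dataclass(frozen=True)
class Context:
    """Who is acting, and on whose behalf (recursively)."""
    actor: Identity
    on_behalf_of: Optional["Context"] = None

    def chain(self) -> List[Identity]:
        """Immediate actor first, original trigger last."""
        ctx, out = self, []
        while ctx is not None:
            out.append(ctx.actor)
            ctx = ctx.on_behalf_of
        return out


@dataclass(frozen=True)
class AuditRecord:
    record_id: int
    trace_id: str              # shared by every action stemming from one trigger
    parent_id: Optional[int]   # the record whose action caused this one
    chain: Tuple[str, ...]     # actor ... root, exactly as presented at decision time
    action: str
    resource: str
    allowed: bool


# Constructed authorization data: "action:resource" grants per identity ...
GRANTS: Dict[str, Set[str]] = {
    "or": {"schedule:calendar/or"},
    "scheduler-agent": {"schedule:calendar/or", "book:restaurant/bistro"},
    "restaurant-agent": {"book:restaurant/bistro", "prepare:kitchen/bistro"},
    "kitchen-svc": {"prepare:kitchen/bistro"},
    "marketing-agent": {"schedule:calendar/or"},   # has the grant but no delegation
}
# ... and the (delegator, delegate) pairs that are registered.
DELEGATIONS: Set[Tuple[str, str]] = {
    ("or", "scheduler-agent"),
    ("scheduler-agent", "restaurant-agent"),
    ("restaurant-agent", "kitchen-svc"),
}


def is_allowed(ctx: Context, action: str, resource: str) -> bool:
    chain = ctx.chain()
    if f"{action}:{resource}" not in GRANTS.get(chain[0].name, set()):
        return False
    # Every hop must be a registered delegation; otherwise access would propagate silently.
    return all((up.name, down.name) in DELEGATIONS for down, up in zip(chain, chain[1:]))


class AuditLog:
    def __init__(self):
        self.records: Dict[int, AuditRecord] = {}

    def record(self, ctx, action, resource, allowed, trace_id, parent_id=None) -> int:
        rid = len(self.records) + 1
        self.records[rid] = AuditRecord(rid, trace_id, parent_id,
                                        tuple(i.name for i in ctx.chain()),
                                        action, resource, allowed)
        return rid

    def trace_back(self, record_id: int) -> List[AuditRecord]:
        """Follow parent links from any record back to the original trigger."""
        out, rid = [], record_id
        while rid is not None:
            out.append(self.records[rid])
            rid = out[-1].parent_id
        return out

    def root_identity(self, record_id: int) -> str:
        return self.trace_back(record_id)[-1].chain[-1]


def act(log: AuditLog, ctx: Context, action: str, resource: str,
        trace_id: str, parent_id: Optional[int] = None) -> Tuple[bool, int]:
    """Decide, then record the decision with its full on-behalf-of context."""
    allowed = is_allowed(ctx, action, resource)
    return allowed, log.record(ctx, action, resource, allowed, trace_id, parent_id)


def run_scenario() -> Tuple[AuditLog, int, int]:
    """Human -> scheduling agent -> restaurant agent -> kitchen service, plus one rogue claim."""
    log = AuditLog()
    human = Context(Identity("or", "human"))
    scheduler = Context(Identity("scheduler-agent", "agent"), human)
    restaurant = Context(Identity("restaurant-agent", "agent"), scheduler)
    kitchen = Context(Identity("kitchen-svc", "service"), restaurant)
    rogue = Context(Identity("marketing-agent", "agent"), human)  # unregistered delegation
    _, r1 = act(log, human, "schedule", "calendar/or", "t-1")
    _, r2 = act(log, scheduler, "book", "restaurant/bistro", "t-1", r1)
    _, r3 = act(log, kitchen, "prepare", "kitchen/bistro", "t-1", r2)
    _, r4 = act(log, rogue, "schedule", "calendar/or", "t-2")
    return log, r3, r4
```

Run `run_scenario()` and call `trace_back` on the kitchen record: it walks back through the booking to the human's original scheduling request, which is the picture the text says plain per-identity logs cannot give. The rogue record shows the other half of the value: a denied action is logged with the chain it claimed, so an investigation can see who tried to inherit whose access.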
Who Handles Security and Compliance?
Another existing trajectory I believe will gain momentum is a growing number of non-technical people getting involved in access control and compliance. This will increasingly become a critical part of the business value and business requirements companies face.
We’ll see individuals from sales, professional services, and support demanding more ability to influence access control as part of their work.
For example, if I want my AI agent to set up everything needed for a meeting in my enterprise, I’ll need to enable it. If I can’t do that quickly and easily, I won’t be able to move as fast as my counterparts in another company.
This shift is about enabling business and staying competitive. Access control can’t just be about meeting compliance requirements or managing permissions for their own sake. It’s about leveraging technology, which is becoming pervasive, and staying on top rather than being sidelined—or worse, left behind entirely.
Permit.io in 2024
Permit.io has reached several amazing milestones this year that I think are worth highlighting:
First is the maturity of our product. We’ve really brought it up to a standard that caters to our thousands of customers and large enterprises.
The second is landing some incredible enterprise customers. While we can’t mention all of them, we’ve partnered with organizations across healthcare, fintech, and household name companies.
Third, we’ve enabled Permit to be accessible for everyone, scaling to support businesses of all sizes. We’ve made this possible by evolving our business model and pricing.
This includes launching a new startup tier that makes Permit affordable, accessible, and approachable to everyone from the smallest startup to the biggest corporations.
Another key achievement in 2024 has been fine-tuning our interfaces for managing access control. Unlike some of our competitors, we don’t just offer a policy engine and some APIs, telling developers to build the rest themselves. Instead, we provide an end-to-end solution out of the box.
We’ve put significant effort into improving and expanding these offerings. This includes adding:
The Permit CLI
Enhanced project and environment management, enabling CI/CD for policy
Permit for Permit: New “Policy Guard” Feature
Most recently, we’ve introduced policy guards, another innovative, recursive feature. Policy guards essentially represent policies for your policies, allowing you to define rules for policies created by others.
Our customers highly requested this feature, and we were thrilled to see their excitement. This just goes to show that it’s not just about building policies—it’s about managing them over the long term.
I believe this is a truly unique differentiator for Permit, and we’ll likely see a lot more demand for this kind of capability as we move forward.
Policy guards complement our other capabilities, such as Permit Elements and our recently launched approval flows and access requests.
We’re elevating the authorization experience both within and around the product, ensuring it meets developers' needs and helping organizations manage access control with the sophistication and usability they require.
A cool sub-point about policy guards is that they mark the first time we’ve done true dogfooding for Permit. To build policy guards, we used Permit to build Permit.
Previously, we couldn’t fully use our own product for our own access control. Much of our access control was built directly on top of OPA, using Rego. And like many others, we don’t particularly enjoy writing Rego.
Policy-as-code is a fantastic concept, but Rego is a cumbersome language that restricts its use to a very small subset of organizations.
By using Permit for Permit, we’ve unlocked new capabilities for building our own features and managing them with the granularity we need. Ironically, this granularity is especially critical as we continue to grow and innovate.
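To show what "policies for your policies" means in practice, here is an added example that is my illustration, not Permit.io's Policy Guard implementation. A proposed policy rule, together with who is proposing it and in which environment, is run through a list of guard functions; each guard encodes one rule about what policies may look like (no wildcard actions, sensitive resource types only editable by a security admin, the viewer role stays read-only, production delete grants need a security admin). The `PolicyRule` and `ProposedChange` shapes, the guard rules and the sample data are assumptions.

```python
"""Policy guards, i.e. policies about policies (added example, not Permit.io's feature code).
The guard rules, the data shapes and the sample data are assumptions."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    role: str
    resource_type: str
    actions: FrozenSet[str]


@dataclass(frozen=True)
class ProposedChange:
    author: str
    author_role: str      # role of the person authoring the policy, e.g. "developer"
    environment: str      # e.g. "dev" or "production"
    rule: PolicyRule


# A guard inspects a proposed change and returns a violation message, or None if it passes.
Guard = Callable[[ProposedChange], Optional[str]]

SENSITIVE_TYPES = {"billing", "audit_log"}
WRITE_ACTIONS = {"create", "update", "delete", "share"}


def no_wildcard_actions(c: ProposedChange) -> Optional[str]:
    return "wildcard actions are not allowed" if "*" in c.rule.actions else None


def sensitive_types_need_security_admin(c: ProposedChange) -> Optional[str]:
    if c.rule.resource_type in SENSITIVE_TYPES and c.author_role != "security-admin":
        return f"only security-admin may change policy for {c.rule.resource_type}"
    return None


def viewer_stays_read_only(c: ProposedChange) -> Optional[str]:
    if c.rule.role == "viewer" and c.rule.actions & WRITE_ACTIONS:
        return "viewer role may only receive read actions"
    return None


def production_delete_needs_security_admin(c: ProposedChange) -> Optional[str]:
    if (c.environment == "production" and "delete" in c.rule.actions
            and c.author_role != "security-admin"):
        return "granting delete in production requires security-admin"
    return None


GUARDS: List[Guard] = [
    no_wildcard_actions,
    sensitive_types_need_security_admin,
    viewer_stays_read_only,
    production_delete_needs_security_admin,
]


def evaluate(change: ProposedChange) -> List[str]:
    """Run every guard; an empty list means the change may be applied."""
    return [v for v in (g(change) for g in GUARDS) if v]


def apply_change(policy: List[PolicyRule], change: ProposedChange) -> Tuple[bool, List[str]]:
    """Append the rule only when no guard objects; return the decision and the reasons."""
    violations = evaluate(change)
    if not violations:
        policy.append(change.rule)
    return not violations, violations


# Constructed sample changes.
OK_CHANGE = ProposedChange("dev1", "developer", "dev",
                           PolicyRule("viewer", "document", frozenset({"read"})))
VIEWER_WRITE = ProposedChange("dev1", "developer", "dev",
                              PolicyRule("viewer", "document", frozenset({"update"})))
BAD_CHANGE = ProposedChange("dev1", "developer", "production",
                            PolicyRule("editor", "billing", frozenset({"*", "delete"})))

if __name__ == "__main__":
    policy: List[PolicyRule] = []
    print(apply_change(policy, OK_CHANGE))    # (True, [])
    print(apply_change(policy, BAD_CHANGE))   # (False, [three violations])
```

Guards run at policy-authoring time, before a rule ever reaches the decision point, which is what lets non-security roles author policy safely: the guardrails are themselves policy and can be reviewed and changed like any other rule.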
Potential Partnerships
Another exciting area we’ve started to explore is partnerships. We’re currently in conversations with several other players in the space and beyond who are interested in offering access control and access control authoring capabilities to their own customers.
We’d love to see more features or capabilities in other products powered by Permit, effectively making it a standard for building access control within products and ecosystems.
Wishing You a Happy 2025 ❤️
2024 was a difficult year. A lot of global turmoil and economic friction made this year not as sweet as we would have liked, but I think there are good signs that the winds are changing in 2025, and we might go on a path different from the one we set out on in 2020. Hopefully, this will bring growth and prosperity for everyone.
Wishing you a happy new year,
Or.