
Glossary

Authorization has a vocabulary problem. Let's fix that.

A

ABAC

Attribute-Based Access Control. Access decisions based on attributes of the user, the resource, and the environment (department, data classification, time of request, and so on) rather than on roles alone. More flexible than RBAC, but more complex to manage without the right tooling.

Related: RBAC, PBAC, Authorization

Access Control

The process of determining and enforcing what actions users can perform on resources. Encompasses both authentication (who are you) and authorization (what can you do).

Related: Authorization, Authentication

Access Review

A periodic audit process where managers or resource owners verify that users still need the access they have. Often required for compliance but frequently becomes a checkbox exercise without proper authorization infrastructure.

Related: Least Privilege, Compliance

Agentic AI

AI systems designed to operate autonomously: planning, deciding, and acting across multiple steps rather than responding to a single prompt. Agentic systems raise authorization questions traditional access control was not built for: speed, volume, delegation chains, and real-time revocation.

Related: AI Agent, NHI, OBO, Continuous Authorization

AI Agent

An AI system that takes actions on behalf of a user or on its own initiative. Unlike a chatbot that only responds, an agent can call tools, retrieve data, and chain multiple actions together to accomplish a goal. Each action is an access decision.

Related: Agentic AI, NHI, OBO, Tool Use, MCP

Authentication

The process of verifying identity, proving you are who you claim to be. Typically handled by identity providers through SSO, MFA, passwords, or other credentials. Distinct from authorization.

Related: Authorization, SSO, IdP

Authorization

Deciding what a user can do: what resources they can access, what actions they can take, and under what conditions. The gap in most organizations' security architecture.

Related: Authentication, Access Control, PBAC

Authorization Debt

The accumulated cost of ad-hoc authorization decisions: hardcoded permissions, role sprawl, inconsistent policies across apps. Like technical debt, it compounds over time and becomes increasingly expensive to address.

Related: Role Explosion, Policy Sprawl

C

Coarse-Grained Authorization

Access control at a high level, typically whether a user can access an application or feature at all. Contrast with fine-grained authorization, which controls access to specific resources or data.

Related: Fine-Grained Authorization, RBAC

Compliance

Adherence to regulatory requirements (HIPAA, SOX, GDPR, etc.) that often mandate specific access control capabilities like least privilege, audit trails, and access reviews.

Related: Audit Trail, Least Privilege, Access Review

Context-Aware Authorization

Access decisions that factor in real-time context: device type, location, time of day, risk score. A key capability for zero-trust architectures.

Related: Zero Trust, ABAC, Real-Time Authorization

Continuous Authorization

Authorization as an ongoing process, not a one-time check at login. Policies are re-evaluated as context changes (risk signals, behavior, time, location) and access can be revoked mid-session. The destination most organizations are still moving toward, and critical for governing AI agents.

Related: Real-Time Authorization, Context-Aware Authorization, Zero Trust, AI Agent

D

Decision Log

A record of authorization decisions: who requested access, to what, when, and why the decision was granted or denied. Essential for compliance and incident investigation.

Related: Audit Trail, Compliance, PDP

E

Entitlement

A permission or access right granted to a user. Managing entitlements at scale is one of the core challenges of enterprise authorization.

Related: Permission, Role, Access Control

Ephemeral Credentials

Short-lived credentials issued just-in-time for a specific action, which expire on their own shortly afterwards (or are revoked as soon as the action completes). The antidote to standing access, and especially important for agents, where a compromised long-lived credential could be used at machine speed.

Related: Just-In-Time Access, Zero Standing Privileges, AI Agent, NHI

Externalized Authorization

Moving access control logic out of application code and into a dedicated policy layer. The application asks "can this user do this?" and gets an answer, rather than calculating it internally.

Related: PDP, PEP, Policy-Based Access Control

F

Fine-Grained Authorization

Access control at a granular level: specific records, fields, or operations. "Can this user see this specific customer's data?" rather than "can this user access the CRM?".

Related: Coarse-Grained Authorization, Row-Level Security, ABAC

G

Guardrails

Policy constraints applied to AI inputs and outputs: blocking sensitive prompts, filtering responses, preventing disallowed actions. A necessary complement to authorization: authorization decides what the agent can do; guardrails shape how it does it.

Related: AI Agent, Agentic AI, Policy

I

IdP

Identity Provider. A service that manages user identities and handles authentication. Examples include Okta, Microsoft Entra ID (formerly Azure AD), and Auth0. IdPs handle who you are; authorization handles what you can do.

Related: Authentication, SSO, SAML

J

Just-In-Time Access

Granting access only when needed and automatically revoking it after a set period. Reduces standing privileges and supports least privilege principles.

Related: Least Privilege, Zero Standing Privileges, Ephemeral Credentials

L

Least Privilege

The principle that users should have only the access they need, nothing more. Easy to say, hard to prove without fine-grained authorization and proper audit capabilities.

Related: Compliance, Zero Trust, Access Review

M

MCP

Model Context Protocol. An open protocol for connecting AI models to external tools, data sources, and services. MCP standardizes how agents discover and invoke capabilities, and creates a natural enforcement point for authorization between the agent and the tools it calls. The protocol itself does not make the access decision; a policy still has to be evaluated and enforced at that point.

Related: AI Agent, Tool Use, Agentic AI

N

NHI

Non-Human Identity. A distinct identity assigned to a service, workload, or AI agent, not a human user. NHIs let you govern what an automated actor can do the same way you govern users: with owned credentials, defined permissions, and audit trails.

Related: AI Agent, OBO, Ephemeral Credentials

O

OBO

On-Behalf-Of. An authorization pattern where an agent or service acts in the context of a specific user, carrying that user's identity and, at most, that user's permissions; the delegated scope should be no wider than the task requires. The user is accountable for what the agent does while in OBO mode. Complements NHI rather than replacing it.

Related: NHI, AI Agent, Authorization
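How NHI, ephemeral credentials, just-in-time issuance and on-behalf-of delegation fit together, as an added Python example that is not PlainID's code and not an OAuth library. The agent registry, user permissions, token format and signing key are all constructed; the "sub"/"act" claim pair follows the shape of OAuth 2.0 token exchange (RFC 8693), where the act claim identifies the party acting on the subject's behalf.

```python
# Added example (not PlainID's code and not an OAuth library): an on-behalf-of
# (OBO) token service for an AI agent that has its own non-human identity
# (NHI). The registry, user permissions, token format and key are constructed;
# the "sub" / "act" claim pair follows OAuth 2.0 token exchange (RFC 8693).
import base64
import hashlib
import hmac
import json
import secrets

# NHI registry: which agents exist, who owns them, and the most they may ever do.
AGENT_REGISTRY = {
    "agent:support-bot": {
        "owner": "team-support",
        "scopes": {"tickets:read", "tickets:reply", "customers:read"},
    },
}

# What each human user holds (in a real deployment this comes from the PDP).
USER_PERMISSIONS = {
    "alice": {"tickets:read", "tickets:reply", "customers:read", "refunds:approve"},
    "bob": {"tickets:read"},
}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OboTokenService:
    def __init__(self, key, ttl_seconds=300):
        self.key = key
        self.ttl = ttl_seconds
        self.revoked = set()  # jti values pulled before their expiry

    def _sign(self, body):
        return _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def issue(self, agent_id, user_id, requested_scopes, now):
        """Mint a short-lived token for agent_id acting as user_id. Effective scope
        is the intersection of requested, agent-permitted and user-held scopes."""
        agent = AGENT_REGISTRY[agent_id]
        effective = set(requested_scopes) & agent["scopes"] & USER_PERMISSIONS[user_id]
        if not effective:
            raise PermissionError("no scope is permitted to both agent and user")
        claims = {
            "sub": user_id,            # the accountable human
            "act": agent_id,           # the NHI doing the work on their behalf
            "scope": sorted(effective),
            "iat": now,
            "exp": now + self.ttl,     # dies on its own even if revocation is missed
            "jti": secrets.token_hex(8),
        }
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{body}.{self._sign(body)}"

    def verify(self, token, required_scope, now):
        """Return the claims if the token is authentic, unexpired, unrevoked and
        carries required_scope; raise PermissionError otherwise."""
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(body)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        if claims["jti"] in self.revoked:
            raise PermissionError("token revoked")
        if required_scope not in claims["scope"]:
            raise PermissionError(f"scope {required_scope} not granted")
        return claims

    def revoke(self, token):
        """Mid-session revocation: the enforcement point's next verify() fails."""
        self.revoked.add(json.loads(_unb64(token.partition(".")[0]))["jti"])


def outcome(fn, *args):
    """(ok, value-or-reason) so callers can inspect failures without exceptions."""
    try:
        return True, fn(*args)
    except PermissionError as e:
        return False, str(e)
```

The effective scope is the intersection of three sets: what was requested, what the agent's NHI is ever allowed to do, and what the user actually holds. A stolen token therefore never carries more than the weaker of agent and user, and it expires on its own after `ttl_seconds` even if nobody revokes it; revocation is there for the case where waiting is not acceptable.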

OPA

Open Policy Agent. An open-source, general-purpose policy engine that uses Rego as its policy language. Powerful but requires significant investment to build a complete authorization platform around it.

Related: Rego, Policy Engine, Externalized Authorization

P

PBAC

Policy-Based Access Control. Access decisions driven by policies that can incorporate roles, attributes, context, and business rules. More expressive than RBAC or ABAC alone.

Related: RBAC, ABAC, Policy

PDP

Policy Decision Point. The component that evaluates policies and returns access decisions. The brain of an authorization system. Can be centralized or distributed.

Related: PEP, Policy Engine, Externalized Authorization

PEP

Policy Enforcement Point. The component that enforces access decisions, typically in the application, API gateway, or data layer. The gatekeeper that acts on PDP decisions.

Related: PDP, Externalized Authorization
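The PDP/PEP split, externalized authorization, policy-based decisions and the decision log, as an added Python example that is not PlainID's code and not any product's API. Subjects, resources, rule names, the business-hours window and all sample data are constructed; alongside role- and attribute-based rules the policy includes one separation-of-duties rule (the creator of a transaction may not approve it) to show a business rule in the same engine.

```python
# Added example (not PlainID's code): an in-process Policy Decision Point (PDP),
# a Policy Enforcement Point (PEP) wrapper, and a decision log. Subjects,
# resources, rule names, the business-hours window and all sample data are
# constructed for illustration.
from collections import namedtuple
from datetime import datetime

Subject = namedtuple("Subject", "user_id roles region")
Resource = namedtuple("Resource", "kind resource_id region created_by")
Context = namedtuple("Context", "now device_managed")
Decision = namedtuple("Decision", "allow reason")


def at_hour(hour, device_managed=True):
    """Constructed request context: a fixed day at the given hour."""
    return Context(datetime(2025, 3, 4, hour, 0), device_managed)


# Rules return a Decision or None (abstain). Deny overrides allow, and a
# request that no rule matches is denied, so adding a rule can only widen
# access deliberately.
def sod_rule(s, action, r, ctx):
    # Separation of duties: whoever created a transaction may not approve it.
    if action == "approve" and r.created_by == s.user_id:
        return Decision(False, "separation of duties: creator cannot approve")

def admin_rule(s, action, r, ctx):
    if "admin" in s.roles:
        return Decision(True, "admin role")

def approver_rule(s, action, r, ctx):
    if action == "approve" and r.kind == "transaction" and "approver" in s.roles:
        return Decision(True, "approver role")

def analyst_rule(s, action, r, ctx):
    # Attribute- and context-aware: analysts read customer records in their
    # own region, during business hours, from a managed device.
    if action != "read" or r.kind != "customer_record" or "analyst" not in s.roles:
        return None
    if s.region != r.region:
        return Decision(False, "region mismatch")
    if not 9 <= ctx.now.hour < 18:
        return Decision(False, "outside business hours")
    if not ctx.device_managed:
        return Decision(False, "unmanaged device")
    return Decision(True, "analyst in region, business hours, managed device")


class PolicyDecisionPoint:
    def __init__(self, rules):
        self.rules = rules
        self.decision_log = []  # who asked for what, when, and why it was decided

    def decide(self, s, action, r, ctx):
        results = [d for d in (rule(s, action, r, ctx) for rule in self.rules) if d]
        denies = [d for d in results if not d.allow]
        allows = [d for d in results if d.allow]
        final = (denies or allows or [Decision(False, "no matching rule (default deny)")])[0]
        self.decision_log.append({"user": s.user_id, "action": action,
                                  "resource": f"{r.kind}/{r.resource_id}",
                                  "at": ctx.now.isoformat(), "allow": final.allow,
                                  "reason": final.reason})
        return final


class PolicyEnforcementPoint:
    """Wraps application functions; the application never computes the answer."""

    def __init__(self, pdp):
        self.pdp = pdp

    def protect(self, action):
        def decorator(fn):
            def wrapper(subject, resource, ctx):
                decision = self.pdp.decide(subject, action, resource, ctx)
                if not decision.allow:
                    raise PermissionError(decision.reason)
                return fn(subject, resource, ctx)
            return wrapper
        return decorator


pdp = PolicyDecisionPoint([sod_rule, admin_rule, approver_rule, analyst_rule])
pep = PolicyEnforcementPoint(pdp)

@pep.protect("read")
def read_customer(subject, resource, ctx):
    return f"customer {resource.resource_id} read by {subject.user_id}"

@pep.protect("approve")
def approve_transaction(subject, resource, ctx):
    return f"transaction {resource.resource_id} approved by {subject.user_id}"


def try_call(fn, *args):
    """(allowed, message): lets a caller see the outcome without exceptions."""
    try:
        return True, fn(*args)
    except PermissionError as e:
        return False, str(e)
```

Two design choices carry most of the weight: deny overrides allow, and a request no rule matches is denied, so the policy fails closed. The PEP holds no policy of its own and only knows the action name; replacing the in-process PDP with a remote one changes `decide` and nothing in the application functions.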

Permission

A specific action that can be performed on a resource. "Read customer record" or "approve transaction" are permissions. Permissions are typically grouped into roles or policies.

Related: Entitlement, Role, Policy

Policy

A rule or set of rules that determines access. Can be simple ("admins can access everything") or complex ("users can access customer records in their region during business hours").

Related: PBAC, PDP, Externalized Authorization

Policy Engine

Software that evaluates policies against requests and returns decisions. The core of any authorization platform. Examples include OPA, Cedar, and various commercial engines.

Related: PDP, OPA, Policy

Policy Sprawl

The proliferation of inconsistent access policies across different applications and systems. A symptom of decentralized authorization that makes governance and compliance difficult.

Related: Authorization Debt, Externalized Authorization

R

RAG

Retrieval-Augmented Generation. An architecture where an AI model retrieves relevant information from external sources (databases, vector stores, documents) before generating a response. RAG pipelines are a critical authorization surface: what the agent retrieves should respect what the requesting user is allowed to see.

Related: AI Agent, Row-Level Security, Fine-Grained Authorization

RBAC

Role-Based Access Control. Access decisions based on roles assigned to users. Simple and widely used, but limited when you need finer-grained or context-aware decisions.

Related: ABAC, PBAC, Role

Real-Time Authorization

Making access decisions at the moment of access, with current context, rather than relying on pre-computed permissions. Essential for dynamic, context-aware security.

Related: Context-Aware Authorization, PDP, Zero Trust, Continuous Authorization

Rego

The policy language used by OPA (Open Policy Agent). A declarative language for expressing policies. Powerful and flexible, but requires developer expertise to author and maintain.

Related: OPA, Policy, Policy Engine

Role

A named collection of permissions assigned to users. Admin, Editor, Viewer are common roles. Role explosion occurs when organizations create too many roles to manage.

Related: RBAC, Permission, Role Explosion

Role Explosion

The uncontrolled growth of roles in an RBAC system, often to the point where roles become meaningless or unmanageable. A common symptom of trying to use roles for fine-grained access control.

Related: RBAC, Role, Authorization Debt

Row-Level Security

Restricting access to specific rows in a database based on user context. "Users can only see customers in their region" is a row-level security policy.

Related: Fine-Grained Authorization, Data Access Control

S

SAML

Security Assertion Markup Language. An XML-based standard for exchanging authentication and authorization data between identity providers and service providers. Common in enterprise SSO.

Related: SSO, IdP, Authentication

Separation of Duties

A control principle requiring multiple people to complete sensitive tasks. Authorization systems must enforce SoD policies, for example preventing the same person from creating and approving a transaction.

Related: Compliance, Policy, Access Control

SSO

Single Sign-On. Authentication mechanism allowing users to log in once and access multiple applications. SSO solves identity, not authorization: knowing who someone is does not tell you what they can do.

Related: Authentication, IdP, SAML

T

Tool Use

The pattern where AI agents invoke external functions, APIs, or services to accomplish tasks. Each tool invocation is an access decision, one that most environments do not authorize at a fine-grained level today. Also called tool calling or function calling.

Related: AI Agent, MCP, Agentic AI
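Treating each tool invocation as an access decision, authorized at the argument level before dispatch, as an added Python example that is not PlainID's code and not an MCP SDK. The tool names, policy values and simulated handlers are constructed; the gateway sits where an MCP client or server (see the MCP entry above) would make the same check.

```python
# Added example (not PlainID's code and not an MCP SDK): authorizing an agent's
# tool calls at the argument level before they are dispatched. Tool names,
# policy values and the simulated tool handlers are constructed.
import posixpath
from urllib.parse import urlparse

# Per-tool argument constraints. A tool with no entry is denied outright.
TOOL_POLICY = {
    "read_file": {"allowed_roots": ["/srv/kb"]},
    "http_get": {"allowed_hosts": {"api.internal.example"}, "schemes": {"https"}},
    "send_email": {"allowed_domains": {"example.com"}},
}


def _path_allowed(path, roots):
    # Normalise first so "/srv/kb/../../etc/passwd" is judged as "/etc/passwd".
    norm = posixpath.normpath(path)
    return norm.startswith("/") and any(
        norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)


def _url_allowed(url, policy):
    u = urlparse(url)
    # hostname, not netloc: "https://good@evil.example/" has hostname evil.example
    return u.scheme in policy["schemes"] and u.hostname in policy["allowed_hosts"]


def _recipients_allowed(recipients, domains):
    # Exact domain match, so "ceo@example.com.attacker.net" does not pass.
    return all("@" in r and r.rsplit("@", 1)[1].lower() in domains for r in recipients)


def authorize_tool_call(granted_scopes, tool, args):
    """Return (allow, reason). Coarse check: does the grant cover the tool at all?
    Fine check: do these particular arguments satisfy the tool's constraints?"""
    if f"tool:{tool}" not in granted_scopes:
        return False, f"{tool}: not in granted scopes"
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        return False, f"{tool}: no policy (default deny)"
    if tool == "read_file" and not _path_allowed(args["path"], policy["allowed_roots"]):
        return False, "read_file: path outside allowed roots"
    if tool == "http_get" and not _url_allowed(args["url"], policy):
        return False, "http_get: host or scheme not allowed"
    if tool == "send_email" and not _recipients_allowed(args["to"], policy["allowed_domains"]):
        return False, "send_email: recipient domain not allowed"
    return True, "ok"


# Simulated tools: they touch no filesystem, network or mail system.
HANDLERS = {
    "read_file": lambda path: f"<contents of {path}>",
    "http_get": lambda url: f"<response from {url}>",
    "send_email": lambda to, body: f"<sent to {', '.join(to)}>",
}


class ToolGateway:
    """The enforcement point between the agent and its tools."""

    def __init__(self, granted_scopes):
        self.granted_scopes = set(granted_scopes)
        self.log = []  # every proposed call, allowed or not

    def call(self, tool, **args):
        allow, reason = authorize_tool_call(self.granted_scopes, tool, args)
        self.log.append({"tool": tool, "args": args, "allow": allow, "reason": reason})
        if not allow:
            raise PermissionError(reason)
        return HANDLERS[tool](**args)


def attempt(gateway, tool, **args):
    """(allowed, result-or-reason) for inspecting an outcome without exceptions."""
    try:
        return True, gateway.call(tool, **args)
    except PermissionError as e:
        return False, str(e)
```

Note the two layers: scope membership answers whether the agent may use the tool at all (coarse-grained), the argument constraints answer whether this particular call is allowed (fine-grained). Path normalisation and using `hostname` rather than `netloc` are what defeat the `..` traversal and `user@host` tricks an injected prompt might steer the agent into; denied calls are logged exactly like allowed ones, which is what an incident investigation needs.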

Z

Zero Standing Privileges

An approach where users have no persistent access rights. All access is granted just-in-time based on need and automatically expires. The logical end-state of least privilege.

Related: Just-In-Time Access, Least Privilege, Zero Trust, Ephemeral Credentials

Zero Trust

A security model that requires verification for every access request, regardless of location or network. Never trust, always verify. Authorization is a critical component: you cannot verify without knowing what is allowed.

Related: Context-Aware Authorization, Least Privilege, Real-Time Authorization

Missing a term?

Authorization is a deep topic. If there's a term you'd like us to add, let us know.

Contact PlainID →