Access Gradient

From MAC to PBAC: Tracking the Assurance Gradient in Authorization


Darran Rolls, Identity Innovation Labs

A recent IDPro article raised an important distinction: Policy-Based Access Control (PBAC) isn’t technically an authorization model like RBAC or ABAC — it’s an architecture for managing policy logic. That’s true in theory, but in practice, from a governance, controls, and audit perspective, they’re all doing the same thing: delivering entitlement to access data and business processes.

Whether those entitlements arise from roles, attributes, relationships, or externalized policies, the result is the same — a subject gains permission to act on a resource. The governance question isn’t what you call the model; it’s whether each access entitlement can be traced and explained, and whether it carries assurance and provenance.

In other words: models differ, but accountability does not.

As authorization models evolve, we should be very clear about what’s at stake. The further we abstract away from something that can be unwound to a set of business-relevant decisions, the harder it becomes to assure that the right entities have the right access to the right data. PBAC delivers agility — but assurance decays with abstraction unless we invest in stronger tooling, metadata, and observability around policy decisions.

PBAC may change the how, but governance must still prove the who, what, and why.
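To make the "who, what, and why" concrete, here is an added example (not code from the article or from Identity Innovation Labs) of the kind of observability the argument calls for: a toy policy decision point whose every decision records which policy version and rule produced it and which attribute values it consulted, so an externalized policy can be unwound into an auditable entitlement. The policy name, rule ids, and subject and resource attributes are all constructed for the illustration.

```python
"""Added example, not from the article: a toy PBAC decision point that
records provenance (policy, version, rule, attribute evidence) for every
decision. All policy and attribute names below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass
class Rule:
    rule_id: str
    effect: str                             # "permit" or "deny"
    condition: Callable[[Attrs, Attrs, Attrs], bool]
    attributes_used: Tuple[str, ...]        # declared inputs, e.g. "subject.department"


@dataclass
class Policy:
    policy_id: str
    version: str
    rules: List[Rule]


@dataclass
class Decision:
    decision: str
    policy_id: str
    policy_version: str
    matched_rule: str
    evidence: Dict[str, object] = field(default_factory=dict)


def evaluate(policy: Policy, subject: Attrs, resource: Attrs, action: Attrs) -> Decision:
    """First matching rule wins; anything unmatched is a default deny.
    The returned Decision always carries enough provenance to explain itself."""
    scopes = {"subject": subject, "resource": resource, "action": action}
    for rule in policy.rules:
        if rule.condition(subject, resource, action):
            # Snapshot the attribute values the rule declared it depends on,
            # so the log says *why* this rule fired, not just *that* it fired.
            evidence = {}
            for key in rule.attributes_used:
                scope, name = key.split(".", 1)
                evidence[key] = scopes[scope].get(name)
            return Decision(rule.effect, policy.policy_id, policy.version, rule.rule_id, evidence)
    return Decision("deny", policy.policy_id, policy.version, "default-deny", {})


# Constructed sample policy: terminated users are always denied; a department
# may read its own records; auditors may read any record.
FINANCE_POLICY = Policy(
    policy_id="fin-records-access",
    version="3",
    rules=[
        Rule("r1-terminated", "deny",
             lambda s, r, a: s.get("status") == "terminated",
             ("subject.status",)),
        Rule("r2-owner-dept-read", "permit",
             lambda s, r, a: a.get("name") == "read"
             and s.get("department") == r.get("owner_department"),
             ("subject.department", "resource.owner_department", "action.name")),
        Rule("r3-auditor-read", "permit",
             lambda s, r, a: a.get("name") == "read" and "auditor" in s.get("roles", ()),
             ("subject.roles", "action.name")),
    ],
)

# In-memory decision log; a real deployment would ship this to an audit store.
DECISION_LOG: List[Dict[str, object]] = []


def authorize(subject: Attrs, resource: Attrs, action: Attrs) -> Decision:
    """Evaluate and append an audit record for the decision."""
    d = evaluate(FINANCE_POLICY, subject, resource, action)
    DECISION_LOG.append({
        "subject": subject.get("id"), "resource": resource.get("id"),
        "action": action.get("name"), "decision": d.decision,
        "policy": f"{d.policy_id}@v{d.policy_version}",
        "rule": d.matched_rule, "evidence": d.evidence,
    })
    return d


def audit_trail(subject_id: str) -> List[Dict[str, object]]:
    """Everything a reviewer needs to reconstruct one subject's access history."""
    return [e for e in DECISION_LOG if e["subject"] == subject_id]


def explain(entry: Dict[str, object]) -> str:
    """Render one log entry as a who/what/why sentence for an access review."""
    return (f"{entry['subject']} -> {entry['decision']} {entry['action']} on {entry['resource']}; "
            f"policy {entry['policy']}, rule {entry['rule']}, evidence {entry['evidence']}")


if __name__ == "__main__":
    alice = {"id": "alice", "department": "finance", "status": "active", "roles": ("analyst",)}
    ledger = {"id": "ledger-2024", "owner_department": "finance"}
    authorize(alice, ledger, {"name": "read"})
    for entry in audit_trail("alice"):
        print(explain(entry))
```

The point of the declared `attributes_used` list is that the decision record names the inputs that mattered, which is what lets an access review unwind a policy-derived grant back to business facts (department, employment status, role) the same way a role assignment can be unwound in RBAC.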


Key Takeaway

From a governance lens, they all deliver the same thing — entitlement to access. The real challenge: proving assurance as abstraction increases.
PBAC changes the how, not the who or why.

