Session Abstract: So we’ve solved strong user authentication for employees and consumers. The next major identity challenge to solve is authorization as we decide whether a user has the proper permissions and authority to perform a specific task or transaction.
Dynamic authorization moves us beyond static rulesets like RBAC to consideration of the whole context of each individual request, incorporating risk signals from inside and outside the organization – considering factors such as device profile, malware, geolocation, and previous transactions.
By combining such signals from multiple sources we can make intelligent authorization decisions and fulfill defined obligations before processing a request (for instance, stepping up authentication). Indeed, dynamic authorization like this is already starting to be mandated by regulations such as the EU's revised Payment Services Directive (PSD2) and is a central tenet of zero trust architecture.
Implementing dynamic authorization for in-house applications development is one thing; doing so for COTS (commercial off-the-shelf) software or SaaS applications is significantly harder.
In this session we’ll learn how to apply transactional, risk-signal-driven dynamic authorization to COTS applications in a policy-based, extensible, and easy-to-manage way. This enables organizations to secure all transactions regardless of application type or current state.
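As an added illustration of the signal-combining decision described above (example code written for this page, not from the session or any product), the following policy decision point scores device, geolocation, and previous-transaction signals and either denies the request or permits it with a step-up obligation the enforcement point must fulfil first. Field names, weights, and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass, field


# Hypothetical risk signals a policy decision point receives for one
# transaction request (constructed for this example; names are assumptions).
@dataclass
class RequestContext:
    user: str
    action: str              # e.g. "payment"
    amount: float
    auth_level: int          # 1 = password only, 2 = MFA already completed
    device_known: bool       # device profile previously seen for this user
    device_malware: bool     # endpoint signal: malware detected on the device
    country: str             # geolocation of this request
    home_country: str
    avg_prior_amount: float  # baseline derived from previous transactions
    failed_logins_1h: int


@dataclass
class Decision:
    effect: str                 # "permit" or "deny"
    score: int
    reasons: list = field(default_factory=list)
    obligations: list = field(default_factory=list)  # fulfil before processing


def score_risk(ctx: RequestContext):
    """Combine independent signals into one additive risk score with reasons."""
    score, reasons = 0, []
    if ctx.device_malware:
        score += 100; reasons.append("malware detected on device")
    if not ctx.device_known:
        score += 30; reasons.append("unrecognised device")
    if ctx.country != ctx.home_country:
        score += 25; reasons.append(f"geolocation {ctx.country} != home {ctx.home_country}")
    if ctx.avg_prior_amount and ctx.amount > 3 * ctx.avg_prior_amount:
        score += 25; reasons.append("amount far above previous transactions")
    if ctx.failed_logins_1h >= 3:
        score += 20; reasons.append("repeated recent failed logins")
    return score, reasons


def decide(ctx: RequestContext, deny_at: int = 80, step_up_at: int = 30) -> Decision:
    """Policy: deny high risk; permit medium risk only with a step-up obligation."""
    score, reasons = score_risk(ctx)
    if score >= deny_at:
        return Decision("deny", score, reasons)
    obligations = []
    if score >= step_up_at and ctx.auth_level < 2:
        obligations.append("step_up_authentication")  # PEP must complete MFA first
    return Decision("permit", score, reasons, obligations)
```

The enforcement point in front of a COTS application would call `decide` per transaction and process the request only once every obligation in the decision has been fulfilled.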