Authentication is mature: we know who you are. We all rely on standard frameworks for authentication, using SAML, OAuth, and OpenID Connect for single sign-on, federation, and overall user management. The harder question is what you are allowed to do. In other words, what about authorization, or access control? How do we make sure only the right individuals (or agents or processes) get access to the right resources, under the right circumstances, in a transparent, auditable, and accountable way? This is what fine-grained authorization aims to deliver.
Fortunately, the past decade has seen a new model emerge, grounded in NIST SP 800-162 (Attribute-Based Access Control) and NIST SP 800-207 (Zero Trust Architecture). A loosely coupled authorization architecture makes it possible to define authorization outside of apps and APIs in a consistent fashion, following a standard architecture that separates the Policy Enforcement Point (PEP), the Policy Decision Point (PDP), and the Policy Administration Point (PAP).
In addition, the OpenID community has developed a new authorization standard, AuthZEN, that enables externalized authorization. Authorization requirements are expressed as policies or graphs that an AuthZEN-compliant PDP evaluates to produce fine-grained, context-aware runtime decisions. Those decisions are then enforced consistently by the PEP.
As a result, it becomes possible to achieve consistent authorization across apps, APIs, and MCP servers.
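To make the PEP/PDP split concrete, here is an added example (not code from the talk or from any AuthZEN implementation) of a PEP building an AuthZEN evaluation request and a minimal PDP answering it. The request and response shapes follow the AuthZEN Authorization API evaluation endpoint; the attribute store, the ABAC policy, and the function names are assumptions, and the PDP is called in-process rather than over HTTP so the example runs offline.

```python
"""Minimal AuthZEN-style PEP/PDP exchange (added example, not from the talk).

Request/response bodies follow the AuthZEN evaluation endpoint
(POST /access/v1/evaluation). The policy, the attribute store and all
function names below are assumptions made for illustration.
"""
from typing import Optional

# Constructed attribute store the PDP consults (stands in for a PIP).
RECORDS = {"rec-1": {"owner": "alice", "classification": "internal"},
           "rec-2": {"owner": "bob", "classification": "restricted"}}
USERS = {"alice": {"clearance": "internal"}, "bob": {"clearance": "restricted"}}
LEVELS = ["public", "internal", "restricted"]  # ordered low to high


def pdp_evaluate(req: dict) -> dict:
    """PDP: evaluate one AuthZEN evaluation request against an ABAC policy.

    Assumed policy: 'read' is allowed if the subject owns the record or the
    subject's clearance covers the record's classification; any other action
    requires ownership. Anything unknown or malformed is denied (default deny).
    """
    subj, res, act = req.get("subject", {}), req.get("resource", {}), req.get("action", {})
    if subj.get("type") != "user" or res.get("type") != "record":
        return {"decision": False, "context": {"reason": "unsupported types"}}
    user, rec = USERS.get(subj.get("id")), RECORDS.get(res.get("id"))
    if user is None or rec is None:
        return {"decision": False, "context": {"reason": "unknown subject or resource"}}
    is_owner = rec["owner"] == subj["id"]
    if act.get("name") == "read":
        cleared = LEVELS.index(user["clearance"]) >= LEVELS.index(rec["classification"])
        return {"decision": is_owner or cleared}
    return {"decision": is_owner}


def pep_build_request(user_id: str, record_id: str, action: str,
                      context: Optional[dict] = None) -> dict:
    """PEP: build the AuthZEN evaluation request body (subject/resource/action/context)."""
    return {"subject": {"type": "user", "id": user_id},
            "resource": {"type": "record", "id": record_id},
            "action": {"name": action},
            "context": context or {}}


def pep_authorize(user_id: str, record_id: str, action: str, evaluate=pdp_evaluate) -> bool:
    """PEP: ask the PDP and enforce; only an explicit true decision is a permit."""
    response = evaluate(pep_build_request(user_id, record_id, action))
    return response.get("decision") is True
```

In a real deployment `evaluate` would POST the same body to the PDP over HTTPS, and the app code would contain only the `pep_authorize` call, which is the point of externalizing the decision.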
Externalizing authorization using standards allows teams to achieve the following key benefits:
More efficient, streamlined IAM: say goodbye to role explosion, opaque permissions, and the need for entitlement provisioning.
Consistent and secure access across all apps, APIs, and AI processes: eliminate authorization silos that arise from different configurations on different apps. Apply the same authorization checks across an entire IT landscape from home-grown apps to APIs and MCP.
More efficient developers: you wouldn't dream of reimplementing user authentication or cryptographic algorithms, would you? Delegate authorization checks to an externalized authorization service, eliminate the spaghetti code that hard-codes entitlement checks, and focus on the business features you care about.
This session will provide an overview of today's authorization landscape, highlighting existing frameworks, patterns, and standards. We will focus on OpenID AuthZEN, its drivers and features. We will finish with a call to arms: require that your SaaS and COTS providers adopt AuthZEN to eliminate authorization silos.