
Access control breaks down at scale — here's why
A system with 15 roles became unmanageable as access decisions grew context-dependent, exposing limits in role-based models. Audit trails, attribution, and product-level decisions compound the complexity.
Access control models often start simple — a few roles, clear boundaries — but break down as systems grow. One system with just 15 roles became unmanageable when context-aware decisions were needed, exposing the limits of role-based access control (RBAC) [devto].
The problem isn’t just scale — it’s attribution. Every access decision must record who requested it, what they were allowed to do, and what was decided. At high volume, this creates heavy write load on audit systems [devto]. Binary permissions (allow/deny) work early on, but real-world needs demand nuance: time-based access, data sensitivity, or user behavior patterns.
Evaluating access is harder than granting it. Pushing authorization closer to data helps, but isn’t enough. The author argues that access decisions are not just technical — they’re product decisions. Teams must document them proactively so security owners know the rules before incidents happen.
RBAC fails when roles multiply to cover edge cases, creating sprawl. The shift isn’t about replacing roles with attributes — it’s about designing systems where decisions are explicit, auditable, and tied to business logic. One misaligned permission can cascade; the cost isn’t just technical debt, but risk.
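An added example, not taken from the original article: a default-deny evaluator in which each rule carries an id and a business rationale, the context (time of day, data sensitivity) is part of the decision, and every call writes one audit record of who asked, what they held, and what was decided. The role names, rule ids and sensitivity labels are constructed for illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Constructed labels, ordered from least to most sensitive.
SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}

@dataclass(frozen=True)
class Rule:
    rule_id: str            # stable id that audits and product docs can cite
    role: str
    action: str
    max_sensitivity: str    # highest data label this rule covers
    hours: tuple = (time(0, 0), time(23, 59, 59))   # allowed UTC window
    rationale: str = ""     # the business reason, kept beside the rule

RULES = [  # constructed sample policy
    Rule("R1", "support", "read", "internal", rationale="ticket handling"),
    Rule("R2", "support", "read", "restricted", (time(9), time(17)),
         "escalations during staffed hours"),
    Rule("R3", "billing", "export", "restricted", rationale="monthly invoicing"),
]

def decide(user, roles, action, sensitivity, now, audit_log):
    """Evaluate one request and append exactly one audit record for it."""
    level = SENSITIVITY.get(sensitivity)   # unknown label -> no rule can match
    matched = None
    for rule in RULES:
        if (level is not None and rule.role in roles and rule.action == action
                and level <= SENSITIVITY[rule.max_sensitivity]
                and rule.hours[0] <= now.time() <= rule.hours[1]):
            matched = rule
            break
    audit_log.append(json.dumps({
        "ts": now.isoformat(),
        "who": user,
        "roles": sorted(roles),            # what the caller was entitled to
        "request": {"action": action, "sensitivity": sensitivity},
        "decision": "allow" if matched else "deny",   # default deny
        "rule": matched.rule_id if matched else None,
        "rationale": matched.rationale if matched else "no matching rule",
    }, sort_keys=True))
    return matched is not None

if __name__ == "__main__":
    log = []
    noon = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    decide("alice", {"support"}, "read", "restricted", noon, log)
    print(log[0])
```

The audit write happens on every path, including denials, which is where the write load the article mentions comes from.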


