
The day “access” stopped meaning “login” and started meaning “authorization”

Blog post from P0 Security

Post Details
Author: Shashwat Sehgal
Word Count: 756
Language: English

Summary

In the context of modern security practices, the term "access" has evolved from simply meaning "login" to encompassing "authorization," which involves addressing who can do what once they have accessed a system. Shashwat Sehgal illustrates this shift by recounting a scenario where a company faced difficulties during an incident review not because of a lack of identity providers or multi-factor authentication, but due to inadequate clarity over what actions users could perform after logging in. While connectivity and authentication are well-managed with mature tools and practices, authorization remains complex as it requires balancing security, engineering, operations, and context-specific urgency. The core challenge lies in granting access with precise scope, enforcing boundaries while active, and reliably revoking it when no longer needed, as most systems were historically built under assumptions that no longer hold true in high-stakes production environments. Addressing this requires focusing on controlling actions and proving them later, rather than relying solely on improved login features.