Role-based access control made sense when humans were the only ones asking for data. But agents don’t work that way, and trying to define every possible permutation of access across an entire organization, for every agent, for every question, isn’t just difficult. It’s not feasible.
In this video, Immuta Co-Founder and CTO Steve Touw makes the case for a different model entirely – one built on attribute-based and purpose-based access control, where policies are defined dynamically based on who the user is, what the data is, and what they’re actually trying to do.
The shift goes deeper than tooling. Steve argues that agents fundamentally flip the security model: instead of managing everything a human can or can’t access, the question becomes what questions can be asked of what data, and by whom. That reframe takes the burden off endless recertification reviews and replaces standing access with real-time, governed access at the moment it’s needed.
If your access model was designed for humans on human timelines, this one’s worth three minutes of your time.