Sitemap
Open in app

Sign in

Medium Logo
Write
Search

Sign in

Entitlements to Capabilities

4 min readOct 3, 2025
Press enter or click to view image in full size
Will Entitlement Centrality Fade?

For two decades, enterprises have built their access management strategies around entitlements catalogs. These catalogs — lists of roles, groups, and permissions tied to individuals — have been the backbone of identity governance and administration (IGA). They reflect the prevailing paradigm of person-centric access control. An entitlement by definition is associated with a human.

But as enterprises face increasing interconnection, the limitations of human-centric entitlements catalogs are becoming painfully clear. To unlock trust between domains, organizations must shift from an Entitlements Catalog to a Capabilities Catalog.

The Limits of Entitlements

Entitlements catalogs were designed for an era when access management was mostly about humans using enterprise systems. They map people to systems: Who is in this group? Who has this role?

While this model works within a single enterprise, it becomes brittle when stretched across organizational boundaries. Entitlements assume that identities are the atomic unit of trust, but in practice:

  • Identities are domain-specific. A “Manager” in Enterprise A means nothing to Enterprise B.
  • Entitlements grow endlessly, leading to catalog sprawl and governance fatigue.
  • Cross-domain trust collapses when one side tries to translate its internal roles into another’s context.

In short, entitlements reflect how people are organized, not what can actually be done.

What are Capabilities?

Instead of describing access in terms of people and their entitlements, capabilities describe actions on resources within a domain.

A capability is a statement of what can be done:

  • “Unlock car”
  • “Transfer $5,000”
  • “Read document X”

Notice what’s missing: the person. Capabilities are domain-centric — they belong to the enterprise, the system, or the resource, not to an individual. Entitlements, rooted in local HR structures and group memberships, cannot travel. Capabilities can.

Why Interdomain Trust Demands Capabilities

The modern enterprise doesn’t operate in isolation. Cloud services, APIs, partners, contractors, and now AI agents must all interact under controlled conditions.

Imagine trying to establish interdomain trust using entitlements:

  • Enterprise A says, “Alice has the entitlement Database Admin.”
  • Enterprise B asks, “What does that mean in my context? Do I trust your definition of Database Admin?”

The translation problem is insurmountable. Entitlements are subjective, person-centric, and context-bound.

With capabilities, the conversation is different:

  • Enterprise A says, “This token carries the capability read-only access to dataset Y.”
  • Enterprise B can evaluate the capability in its own policies, without caring how Alice was entitled in Enterprise A.

This creates a foundation for least privilege, auditable, and portable trust across domains.

Why We Can’t Shoe-Horn Identity Into Every Challenge

One of the core mistakes of modern IAM is trying to force every access problem through the lens of identity-centric control.

Identity matters — but not as the sole axis of decision-making. Many challenges — data sharing, cross-organization collaboration, AI delegation — are not primarily about who you are, but about what is being requested, under what conditions.

Capabilities let us model access in a way that is independent of individual identities. Policies can still require cryptographic proof of origin, binding capabilities to trustworthy issuers. But the focus shifts away from managing endless lists of entitlements and toward evaluating verifiable statements of action and context.

The Shape of a Capabilities Catalog

So, what does a Capabilities Catalog look like in practice?

  • Domain-Centric: Each enterprise defines its own capabilities, scoped to its resources and policies.
  • Composable: Capabilities can be combined to express higher-level permissions (e.g., “Approve purchase order” = “Read PO” + “Sign PO”).
  • Portable: Capabilities can be issued, transferred, and evaluated across domains using cryptographic proofs (e.g., signed tokens, attestations).
  • Analyzable: Unlike sprawling entitlements, capabilities are finite, structured, and easier to audit for risk.

This catalog doesn’t replace identity — it complements it. But it creates a stronger foundation for governance, because it speaks in the language of actions and resources, not roles and people.

The Business Impact

Moving from entitlements to capabilities is not just a technical refactoring; it is a strategic shift. Organizations that make this move can:

  • Reduce complexity: Shrink sprawling entitlement catalogs into manageable sets of capabilities.
  • Enable trust: Create portable, auditable statements that can cross organizational boundaries.
  • Support AI and automation: Empower non-human agents to act safely, with cryptographically bound capabilities.
  • Strengthen governance: Audit what can be done, not just who is in what group.

Conclusion

The entitlements catalog was built for yesterday’s enterprise. In today’s interconnected, multi-domain world, it is an anchor holding us back.

Capabilities offer a new foundation: domain-centric, portable, and auditable. They allow enterprises to reason about access in terms of what can be done rather than who someone is.

If we want to build interdomain trust, scale secure collaboration, and prepare for a future where AI agents act on our behalf, the shift is clear.

It’s time to retire the entitlements catalog and embrace the Capabilities Catalog.

--

--

Mike Schwartz
Mike Schwartz

Written by Mike Schwartz

433 followers
558 following

Founder of Gluu and host the “Identerati Office Hours” Livestream twice a week! Mike resides in Austin TX with family and pigeons.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech