Access controls should map to how your organization works — not the other way around. Organizations generally grant access based on department, based on reporting chain, and based on projects. Use what works for your org. oblique.security/blog/org-str...

Our engineering team is cooking 🍳 and sharing great tidbits recently that you might have missed 🧵

In other parts of security, we’ve learned that fixing classes of problems is the only way we can address them for good — but we haven’t had that mindset shift yet in access management. We need better controls, so that we can get to fewer tickets, not faster tickets. oblique.security/blog/access-...

It’s 2025 and many teams still can’t reliably enforce strong authentication across their app stack. That’s the real SSO tax: not paying to have SSO, but paying to enforce it. Read more about how we’re approaching practical enforcement at Oblique: oblique.security/blog/real-ss...

What you really want to control access to is data, not systems — so why are we stuck thinking in systems? Our cofounder @mayakaczorowski.com shares what she learned researching tiered controls for our latest report on Modern Access Controls.

Authentication failures from the last five years at Okta, Snowflake, and Twitter show very similar attacks, from credential theft, to MFA bypass, to session hijacking. Dive deeper into these incidents and avoid repeating the same mistakes: oblique.security/blog/authn-f...

Don't rely on managers for access approvals — they don't work, for either security or speed. Instead, get approvals from app owners who actually understand the systems and risks, and automate approvals that are always granted.

We see it all the time: internal security tools “work” but hurt to use—so people route around them. We break down why teams underinvest in UX and how to build tools users actually adopt. Treat security like a product. https://oblique.security/blog/security-ux/

We interviewed IT and security teams on what actually works in access control: shared ownership, data-first controls, enforce at change time, route approvals to app owners or automate, pre-approved groups for JIT access. https://oblique.security/blog/policies-report/

What *really* works in access control? We asked modern IT and security teams how they define and improve their policies — in reality, not in theory. Read the report: oblique.security/blog/policie...

The biggest scaling challenge for IT and security teams isn't technical — it's organizational. When you're managing access for thousands of employees and hundreds of applications, you need to know: who owns what? Read more in our latest post: oblique.security/blog/delegat...

You shouldn't build your internal tools in git unless you hate your users. Stop making me learn git. Stop trying to make git happen 💁‍♀️ oblique.security/blog/git-int...

If you're interested in learning more about what's happening in the IAM market — and who's competing with Okta and why — then you should read our cofounder @mayakaczorowski.com's latest post.

Your job title makes a bad RBAC role: what access does a Chief Happiness Officer need, anyways? A role in RBAC should represent what someone actually does in your environment. Your job title is your position, not your job function. Read more in our latest blog post: oblique.security/blog/rbac-ro...

Comms groups map to how people actually work, and often, access groups don't (but they should). But comms groups always become access groups. It's not a matter of if, but when. Read more in our latest post: oblique.security/blog/comms-a...

Check out our cofounder @mayakaczorowski.com's post on @frankw.bsky.social's Frankly Speaking on how modern security teams are scaling. Read the post for the new commandments of security teams: franklyspeaking.substack.com/p/the-new-co...

Check out the latest from our cofounder @ericchiang.bsky.social to learn about a neat Go type trick to avoid query injection in SQL builders.

Over the past 60 years, we've gone from reusing the same password everywhere to advanced biometric authentication like FaceID. Dive into the history of authentication in just 2 minutes!

Authentication has evolved from simple passwords to federated systems with passwordless logins, with a constant push and pull to balance security and usability. Deep dive into the evolution of authentication in our latest blog post! oblique.security/blog/history...

Instead of minting long-lived API keys, you can use GitHub Actions' OpenID Connect support for workload identity. Here's how we authenticate config-as-code workflows in Oblique without secret management headaches. Better security + Better developer experience 💟 oblique.security/blog/github-...

Check out this interview with our co-founder @mayakaczorowski.com on finding and solving problems that have real security impact - like why access management is a perennial issue for organizations. thesecuritywing.com/making-iam-l...

Most access request justifications are useless. "Please give me access" doesn't give you any context, it's just someone trying to get back to work. oblique.security/blog/justifi...

IT teams are afraid of removing access — what if something breaks? Even if you don't know why someone has access, you should be able to figure out if they're using it. Removing unused access isn't risky — never removing access is. Read more in our latest blog post: oblique.security/blog/chester...

Identity management has quietly become the primary security perimeter. But it's a mess — identity requires constant manual work that security teams burn out from. At Oblique, we're helping organizations make their access controls actually maintainable. Full post: oblique.security/blog/identit...