When organizations first embraced role-based access control (RBAC), it felt like a game changer. It made things simple to bundle a set of permissions into a role, assign the role to a user, and tick the compliance boxes. But fast forward to today’s world, full of cloud apps, Application Programming Interfaces (APIs), remote work, and constantly shifting responsibilities, those tidy roles no longer match how work gets done. The number of roles starts to explode, and exceptions become the norm. The quarterly access reviews turn into a frustrating exercise for managers and resource owners.