An Interview With Or Weis
Hiya,
This is another in my series of interviews about the future of CIAM from experts in the space.
Or Weis is the CEO and co-founder of Permit.io and is the co-maintainer and author of the open source project OPAL.ac. He is a serial entrepreneur who is passionate about developer tools, previously founding the production debugging solution Rookout. Or is a software engineer by training, and an avid science-fiction reader and author.
I’m excited to hear Or’s views on CIAM, identity, authorization and more.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Or: Customer identity and access management (CIAM) is all about balancing security and user experience—something every business has to get right. If security is too strict, users get frustrated. If it’s too loose, you’re exposed to risks. CIAM helps businesses find that sweet spot.
One of the biggest headaches CIAM solves is making access secure at scale. When companies grow, they’re faced with more users, more systems, and more complexity. That’s where Permit.io steps in. We focus on the "permissions" part of CIAM, connecting seamlessly to authentication systems (via JWTs) and identity providers (using SCIM or JWTs). This lets businesses handle permissions without adding unnecessary complexity.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc.)?
Or: CIAM also boosts operational efficiency. Without it, companies often waste time and resources building custom access control systems from scratch—systems that are notoriously hard to get right. Permit.io removes that hassle. We help developers easily add fine-grained, dynamic permissions into their apps, so they can stop worrying about access control and get back to building great products.
Another challenge we often see is how CIAM fits into the software development lifecycle (SDLC). Managing permissions across environments and ensuring smooth integration into CI/CD pipelines can be tricky. We help here by providing authorization for authorization, GitOps workflows, and environment management tools and APIs. These features make it easier to build and maintain CI/CD pipelines, ensuring secure and consistent permission management throughout the SDLC.
But we don’t stop at the basics. For example, our Terraform provider and no-code policy editor let non-technical team members create policies as code. And with Permit Elements, our ready-to-use UI components for permissions, developers save time while delivering polished user experiences.
Many of our customers work in industries like healthcare, fintech, and cybersecurity—places where CIAM isn’t just a nice-to-have; it’s a legal and operational must-have. These businesses rely on us not just for the tech but also for our expertise. A key example of this is policy modeling: when it comes to complex scenarios, many customers struggle even with just thinking about their problem space and boiling it down to concepts like ReBAC, RBAC, ABAC, PBAC, and more. We love to educate people.
CIAM isn’t just a technical solution; it’s a tool for growth. We’re helping businesses solve today’s problems while setting them up for secure, efficient scaling in the future. That’s what we’re here to do—make permissions simple, scalable, and effective.
Dan: What excites you about the future of CIAM? Any predictions?
Or: What excites me most about the future of CIAM is how it's evolving to meet new and fascinating challenges. One of the most pivotal moments we’re heading toward is the point where machine identities outnumber human ones. Think about it: as more organizations embrace automation, AI, and microservices, the "users" of applications won’t just be people—they’ll increasingly be bots, services, and other machine identities. Managing these effectively is going to redefine what CIAM looks like.
This shift is going to force organizations to adopt fine-grained permissions in a way many haven’t fully grasped yet. Even if a company isn’t directly using AI, they’re likely engaging with vendors, partners, or systems that are. LLMs and AI agents introduce a whole new level of complexity, not just in terms of what they can access, but in tracking and understanding the chain of actions they initiate. It’s not just "Who is allowed to do this?" anymore—it’s also "Who or what is doing this on behalf of someone else, and under what conditions?"
To address these challenges, we’ll need to start treating machine identities with the same rigor we use for human ones. Policies and permissions will have to seamlessly cover both, while also accounting for agency and derived access relationships. For example, if an AI bot or a service is making a decision or taking an action on behalf of a user, the system must be able to audit and enforce policies around those relationships. This ability to reason about agency and delegation is going to become the bread and butter of every modern application.
At Permit.io, we’re already seeing these trends unfold, and it’s thrilling to be at the forefront. The tools and frameworks we’re building today are designed to make this complexity manageable. The future of CIAM isn’t just about scaling for more users or more data—it’s about adapting to fundamentally new types of "users" and interactions. That’s the challenge, and the opportunity, that has me excited the most these days.
Thanks again to Or for sharing his perspective, and thanks to you for reading!
Dan