From Google to Airbnb: Abhishek Parmar on Solving the Authorization Problem

Today, we hosted a live AMA with Abhishek Parmar, creator of Google Zanzibar and now VP and Technical Fellow at Airbnb. The session, moderated by Jacob Prall, brought together engineering leaders for a deep dive into how large-scale authorization systems are built and what lessons teams can take away when designing their own.

Here are some of the key takeaways:

How Zanzibar Started

Zanzibar was originally built to support Google+, where fine-grained privacy and access control were core to the product. The team needed to ensure users could share with specific groups without risking accidental exposure. That, combined with a growing need to centralize access control across Google’s ecosystem, led to the development of Zanzibar.

Before Zanzibar, authorization was handled independently by product teams, often inconsistently. Zanzibar introduced a centralized, scalable service that powered access control for products like Google Docs and Google Cloud.

Hard Problems and Lessons Learned

Abhishek shared some of the most difficult challenges the team faced and what they’d do differently in hindsight:

  • Sequencing across systems. Managing consistency between data and access control metadata was non-trivial. Zanzibar introduced a mechanism called “zookies” to address this.
  • Low-level configuration. The system was too flexible. As policies grew more complex, they became harder to manage and reason about.
  • Missing higher-level abstractions. The system worked like an engine—powerful, but not ergonomic for most developers. Abhishek noted they would have benefited from layering on simpler, more verticalized tooling.
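To make the sequencing point concrete, here is an added example (not code from the AMA, Zanzibar or Airbnb) of the consistency problem a zookie guards against: a toy versioned relation store hands back a revision token on every write, and a check that carries that token refuses to be served from a replica whose snapshot is older than the token. The tuple names, the replica model and the `new_enemy_demo` scenario are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RelTuple:
    obj: str        # e.g. "doc:design"
    relation: str   # e.g. "viewer"
    user: str       # e.g. "user:bob"

class RelationStore:
    """Primary store: every write bumps the revision and hands it back as the
    zookie, so callers can record how fresh an ACL must be for later checks."""
    def __init__(self):
        self.revision = 0
        self.log = []                      # (revision, "add"|"remove", tuple)

    def write(self, op, t):
        self.revision += 1
        self.log.append((self.revision, op, t))
        return self.revision               # the zookie

    def snapshot(self, rev):
        """Relation set as it stood at revision `rev`."""
        present = set()
        for r, op, t in self.log:
            if r > rev:
                break
            (present.add if op == "add" else present.discard)(t)
        return present

class StaleSnapshot(Exception):
    """Replica's snapshot is older than the zookie the caller requires."""

class CheckReplica:
    """Read replica that may lag behind the primary by some revisions."""
    def __init__(self, store, applied_rev):
        self.store, self.applied_rev = store, applied_rev

    def check(self, t, zookie=None):
        if zookie is not None and zookie > self.applied_rev:
            raise StaleSnapshot(f"need rev {zookie}, replica at {self.applied_rev}")
        return t in self.store.snapshot(self.applied_rev)

def new_enemy_demo():
    store = RelationStore()
    bob = RelTuple("doc:design", "viewer", "user:bob")
    store.write("add", bob)                       # rev 1: bob may view the doc
    zookie = store.write("remove", bob)            # rev 2: bob removed; the doc
    # service stores this zookie next to the content it saves afterwards
    lagging = CheckReplica(store, applied_rev=1)  # replica has not seen rev 2
    unguarded = lagging.check(bob)                # no zookie: stale "allow"
    try:
        lagging.check(bob, zookie)
        guarded = "allow"
    except StaleSnapshot:
        guarded = "stale"                         # retry on a fresher replica
    fresh = CheckReplica(store, applied_rev=store.revision).check(bob, zookie)
    return {"unguarded": unguarded, "guarded": guarded, "fresh": fresh}
```

The unguarded check is the "new enemy" case: the removed user is still allowed because the replica answers from an old snapshot, while the zookie-carrying check is either rejected as stale or, on a caught-up replica, correctly denied.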

Centralizing Authorization: What to Get Right

For teams thinking about centralizing authorization, Abhishek emphasized the importance of:

  • Designing a shared group structure up front
  • Planning how metadata will be synced to the authorization system
  • Thinking about governance features like reverse indexing and auditability early

Build vs. Buy

Abhishek was clear on this point: unless you are operating at the scale of a Google or an Airbnb, building your own authorization system is rarely worth it.

“You’re not in the business of building authorization, so why spend your energy doing it?”

He highlighted the hidden costs of in-house solutions, especially around maintenance and long-term policy complexity.

AI, Agents, and the Future of Authorization

As more companies bring AI into production, Abhishek pointed out that authorization still matters, but authentication may become the harder problem. Ensuring agents act with the right credentials and avoid cross-tenant confusion will be key.

Final Advice

Abhishek left us with one core principle for any authorization system:

“Keep it simple. Keep it understandable. There is really easy access to a slippery slope (with a sufficiently sophisticated authz engine), i.e. the tendency to design overly complicated access control policies. Stay away from that.”

If you're designing or rethinking your authorization system, check out our Authorization Model Reviews for a free deep dive into your architecture and challenges.

To go deeper on everything we discussed today—including Zanzibar, policy design, and securing AI applications—explore our Authorization Academy, a series of technical guides for building application authorization.

About the author

Stephie Glaser

Growth at Oso