Hacker News

> a backend API call to access something, it checks if the caller's token has the right permission.

Fine, but then that backend handler has permission itself to do whatever it is, regardless of whether or not the token does, since as you said, it COULD need it to service that request?

> I don’t want IAM to work that way. I don’t want to use IAM for this? It’s the wrong tool.

Yes... I... agree. I'm confused now why we're even talking about IAM; it's solving a slightly similar problem at a different level and isn't particularly useful here.



Token checking can happen literally at the DB layer, or storage layer if you have such a system (like Google or AWS or whatever).

And I don't know why, but you're the only one who responded to my reply to 'What specifically do you have issues with when it comes to IAM?'

Haha


Well the use case wasn't clear to me 'up there', I thought you were arguing against IAM in general, or for cases where others do use it.

Essentially I suppose I disagree that it's only good for human users with long-lived roles, but I'm not saying it's the right tool for per-request granular authn, and I'd be surprised to learn that anyone is saying that or (trying to be) using it like that. IAM's not even for end human users (as in, of your application), never mind breaking further down into different types of request from them or on their behalf.


I wasn’t referring to end users? I was referring to admins, employees of the company, etc, which is what IAM is a good fit for.

Using that as the sole way to scope process/machine access, though, IS a weird fit in an automated environment, for the reasons I laid out. You either come up with a broad scope that covers everything the job/process/machine could ever need to do or access (and then hope there is no exploit or bug that results in it accessing more), or build something like a token system that lets you get/scope access or permission in the context of the work it is doing on behalf of someone else. Which requires investment, but fits what should really be happening better. That is more of the 'zero trust' model, but certainly not all of it.
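The two designs contrasted in the comment above, as an added example that is not code from the thread or from any project: a storage layer that reads anything for a handler with a broad static role, beside one that verifies a short-lived, per-request scoped token itself (the "token checking at the DB layer" point made earlier in the thread). The HMAC signing key, the `read:<key>` scope names, the subjects and the document rows are all invented for illustration; a real deployment would use a proper token format and key distribution, not a hard-coded key.

```python
"""Added example (not from the thread): per-request scoped tokens enforced by the
storage layer, beside the broad-static-role alternative. All names and data are
constructed for illustration."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Assumed: one key shared by the token minter and the storage layer (hypothetical).
SIGNING_KEY = b"example-signing-key-do-not-reuse"


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def mint_token(subject: str, scopes: list[str], ttl: int = 60, now: int | None = None) -> bytes:
    """Mint a short-lived token carrying only the permissions one unit of work needs.

    It records who the work is done for (subject) and exactly what it may touch
    (scopes such as 'read:doc:1'), not everything the service could ever do.
    """
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scopes": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    return body + b"." + sig


def verify_token(token: bytes, now: int | None = None) -> dict:
    """Check structure, signature and expiry; raise PermissionError on any failure."""
    try:
        body, sig = token.split(b".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    payload = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if now >= payload["exp"]:
        raise PermissionError("token expired")
    return payload


class BroadRoleStorage:
    """The 'broad scope' design: the handler's ambient identity can read every row,
    so a bug in the handler reads every row too."""

    def __init__(self, rows: dict[str, str]):
        self.rows = rows

    def read(self, key: str) -> str:
        return self.rows[key]  # no per-request check at all


class TokenCheckedStorage:
    """The 'token system' design: the storage layer verifies the caller's token
    itself, so the handler holds no standing permission of its own."""

    def __init__(self, rows: dict[str, str]):
        self.rows = rows

    def read(self, token: bytes, key: str, now: int | None = None) -> str:
        payload = verify_token(token, now)
        if f"read:{key}" not in payload["scopes"]:
            raise PermissionError(f"{payload['sub']} may not read {key}")
        return self.rows[key]


def handle_get_doc(storage: TokenCheckedStorage, token: bytes, key: str,
                   now: int | None = None) -> tuple[bool, str]:
    """Request handler: it forwards the caller's token instead of using its own identity.
    Returns (ok, value_or_reason) so the outcome is easy to check."""
    try:
        return True, storage.read(token, key, now)
    except PermissionError as exc:
        return False, str(exc)


# Constructed sample rows for a stand-alone run.
ROWS = {"doc:1": "alice's notes", "doc:2": "bob's notes"}

if __name__ == "__main__":
    store = TokenCheckedStorage(ROWS)
    tok = mint_token("alice", ["read:doc:1"], ttl=60, now=1_000)
    print(handle_get_doc(store, tok, "doc:1", now=1_001))   # -> (True, "alice's notes")
    print(handle_get_doc(store, tok, "doc:2", now=1_001))   # -> (False, "alice may not read doc:2")
    tampered = tok[:-1] + (b"A" if tok[-1:] != b"A" else b"B")
    print(handle_get_doc(store, tampered, "doc:1", now=1_001))  # -> (False, "bad signature")
    print(handle_get_doc(store, tok, "doc:1", now=2_000))   # -> (False, "token expired")
    print(BroadRoleStorage(ROWS).read("doc:2"))             # any handler bug reads anything
```

The point the contrast makes: with `TokenCheckedStorage`, a compromised or buggy handler can only reach what the token it was handed names, and only until that token expires; with `BroadRoleStorage`, the handler's own standing permission is the blast radius.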



