
Disclaimer: I'm the founder of an authorization company [1] & previously worked at a large, enterprise/SaaS company, so I'm basing my comment on my experiences.

Your considerations and things you need to worry about will vary greatly based on your stage (early-stage startup, late-stage startup, public, etc.), market (fintech, health-tech, etc.) and customers you target (early-stage startups or bigger, Fortune 100 types). As others have stated, it's important to figure out the go-to-market strategy first by talking to potential customers before building anything.

Assuming you've pressure-tested your idea and built an MVP/early product that shows some traction, you'll want to take care of app + data security basics (authn, authz). Guides like the OWASP Top 10 and your future customers will guide you in the right direction here.

On the authz side (since that's my area of focus) - multiple comments have mentioned RBAC (role-based access control), which most enterprise/SaaS companies end up implementing, but it's rarely where authz stops. As products evolve and grow more complex over time, you'll need to implement some form of fine-grained (object/resource-based) authorization (ex. attribute-based, relationship-based access control) as well as auditing capabilities, all of which customers will ask for at some point.

In an ideal world, you'd have all of these capabilities already built but that's rarely the case. In reality, you prioritize and implement these over time based on security needs, risk and customer requirements.

[1] https://warrant.dev/
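Added example illustrating the comment's point that a coarse RBAC check is rarely enough: roles gate what a user may do at all, relationship tuples scope that capability to one object, and every decision lands in an audit trail. This is not the commenter's code nor warrant.dev's; all users, roles, resources and relation tuples are constructed sample data.

```python
"""Coarse role check next to an object-level relationship check, with an audit trail.
All users, roles, resources and relation tuples below are constructed sample data."""
from dataclasses import dataclass

# Tenant-wide roles: what a user may do at all, regardless of which object.
USER_ROLES = {"alice": {"admin"}, "bob": {"member"}, "carol": {"member"}, "dave": {"member"}}
ROLE_PERMISSIONS = {
    "admin": {"report:read", "report:edit", "report:delete"},
    "member": {"report:read", "report:edit"},
}
# Relationship tuples (object, relation, subject), e.g. "bob is owner of report:42".
RELATIONS = {("report:42", "owner", "bob"), ("report:42", "viewer", "carol")}
# Which permissions a relation grants on that one object.
RELATION_PERMISSIONS = {"owner": {"report:read", "report:edit"}, "viewer": {"report:read"}}


@dataclass(frozen=True)
class Decision:
    user: str
    permission: str
    resource: str
    allowed: bool
    reason: str


AUDIT_LOG = []  # append-only trail of Decision records, one per check()


def rbac_allows(user: str, permission: str) -> bool:
    """RBAC only: true if any of the user's roles carries the permission (cannot tell objects apart)."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in USER_ROLES.get(user, set()))


def rebac_allows(user: str, permission: str, resource: str) -> bool:
    """ReBAC: true if the user holds a relation to this object that grants the permission."""
    return any(
        obj == resource and subj == user and permission in RELATION_PERMISSIONS.get(rel, set())
        for obj, rel, subj in RELATIONS
    )


def check(user: str, permission: str, resource: str) -> bool:
    """Role gates the capability; relationship scopes it to the object; admin is tenant-wide."""
    if not rbac_allows(user, permission):
        allowed, reason = False, "role lacks permission"
    elif "admin" in USER_ROLES.get(user, set()):
        allowed, reason = True, "admin role"
    elif rebac_allows(user, permission, resource):
        allowed, reason = True, "relationship grants permission"
    else:
        allowed, reason = False, "no relationship grants permission on this object"
    AUDIT_LOG.append(Decision(user, permission, resource, allowed, reason))
    return allowed
```

Note that `rbac_allows("dave", "report:read")` is true even though dave has no relation to any report: that is the over-grant a role-only model cannot express, and the audit trail is what lets a customer see which rule actually decided each request.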
