Skip to main content

The Authorization Gap

Authentication answers who is signing in. Authorization answers what they are allowed to do once inside — at runtime, in context, for humans, services, and AI agents.

Most enterprises still stitch together:

  • IAM roles in cloud consoles
  • Per-app RBAC tables
  • Embedded if checks in services
  • A separate OPA bundle here and there

That fragmentation is the Authorization Gap. It widens audit cost, slows Policy-as-Code adoption, and leaves AI workloads without a single enforcement story.

What EnforceAuth adds

EnforceAuth is the authorization control plane above your policy engines (OPA today; Cedar and Zanzibar on the roadmap). You:

  1. Define policy once — Rego in Git, reviewed like application code
  2. Enforce everywhere — bundles to every PEP/PDP you operate
  3. Audit continuously — immutable decision logs prove who accessed what, when, and why

This is continuous authorization: decisions at the point of access, not stale role caches.

Who this documentation is for

RoleStart with
Business / security architectOPA vs EOPAPolicy as Code journey
Platform engineerOPA vs EOPAQuickstart
Compliance officerContinuous complianceAudit evidence

Embedded authorization in code? Run Zift to inventory what to extract before you deploy.

Next steps