The Authorization Gap
Authentication answers who is signing in. Authorization answers what they are allowed to do once inside — at runtime, in context, for humans, services, and AI agents.
Most enterprises still stitch together:
- IAM roles in cloud consoles
- Per-app RBAC tables
- Embedded
ifchecks in services - A separate OPA bundle here and there
That fragmentation is the Authorization Gap. It widens audit cost, slows Policy-as-Code adoption, and leaves AI workloads without a single enforcement story.
What EnforceAuth adds
EnforceAuth is the authorization control plane above your policy engines (OPA today; Cedar and Zanzibar on the roadmap). You:
- Define policy once — Rego in Git, reviewed like application code
- Enforce everywhere — bundles to every PEP/PDP you operate
- Audit continuously — immutable decision logs prove who accessed what, when, and why
This is continuous authorization: decisions at the point of access, not stale role caches.
Who this documentation is for
| Role | Start with |
|---|---|
| Business / security architect | OPA vs EOPA → Policy as Code journey |
| Platform engineer | OPA vs EOPA → Quickstart |
| Compliance officer | Continuous compliance → Audit evidence |
Embedded authorization in code? Run Zift to inventory what to extract before you deploy.