Identity & Policy

Policy Administration Point (PAP)

Where authorization policies are authored, versioned, reviewed and governed.

Plane: Identity & Policy
Flow steps: 4
Frameworks: NIST 800-53 · XACML 3.0 · NIST AI 600-1

Technology

Why use it

Centralize policy authoring and governance, separated from enforcement (PEP) and evaluation (PDP).

Why it matters to security

Separates powers (author / decide / enforce) and makes policy testable, reviewed and auditable before it reaches production.

Implementations: Open Policy Agent + Styra · AWS Cedar · XACML 3.0 editors · Git + CI

An untested policy is not a policy: it is an intention.

Recommendations by maturity tier


Foundation

Minimum viable baseline
  • Policies authored and stored centrally.
    NIST 800-53 AC-1
    Rules scattered through application code are invisible and uncontrollable.
  • Policy versioning.
    NIST 800-53 CM-3
    Knowing who changed what and when is the minimum to investigate drift.
  • Separation of author / approver roles.
    NIST 800-53 AC-5 · CM-5
    No one should be able to write and approve an access rule alone.

Enterprise

Enterprise standard
  • Policy-as-code (XACML 3.0 / Rego / Cedar).
    XACML 3.0 · NIST 800-53 CM-3
    Policy-as-code makes rules diffable, testable and reviewed like software.
  • Mandatory review and approval before publishing.
    NIST 800-53 CM-3 · AC-5
    Four-eyes control stops an over-broad rule from reaching production.
  • Policies aligned to GAI risk tiers.
    NIST AI 600-1 GV-1.3-001
    Document the risk threshold that triggers an obligation (e.g. HITL) per use case.

Advanced

High-assurance / regulated
  • Policy-as-code pipeline: automated tests + CI/CD.
    NIST 800-53 SA-11 · CM-3
    Every policy is validated against expected cases before deployment.
  • Drift detection between declared and enforced policy.
    NIST 800-53 CM-6 · SI-4
    What is published is not always what each PEP actually enforces.
  • Continuous governance with exportable audit evidence.
    NIST 800-53 AU-6 · NIST AI 600-1 GV-4.1-003
    Compliance requires proving, not just asserting, that policy is governed.

Architecture notes

  • Tie every policy to a threat taxonomy.
    A rule with no threat addressed is noise.
    Referencing OWASP LLM or MITRE ATLAS on each policy justifies its existence and eases review.

References

XACML 3.0
Standard language and architecture for expressing authorization policies.
NIST SP 800-53 Rev5
AC-1 (Policy & Procedures), AC-5 (Separation of Duties), CM-3/CM-5/CM-6 (change & config), SA-11 (testing).
NIST AI 600-1
GV-1.3 (risk tiers), GV-4.1 (continuous governance improvement).

Abbreviations

PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone