
Identity & Policy

Policy Information Point (PIP)

Supplies the PDP with decision context: attributes, posture, risk score, data sensitivity.

Plane: Identity & Policy
Flow steps: 4
Frameworks: NIST 800-53 · 800-207 · NIST AI 600-1

Technology

Why use it

Gather and present to the PDP the signals needed for a context-aware decision, instead of deciding on identity alone.

Why it matters to security

A decision is only as good as the context feeding it; the PIP makes authorization sensitive to risk and to the real sensitivity of the data.

Implementations: CMDB / CDM · Entra risk signals · EDR (posture) · SIEM (Splunk, Sentinel) · Feature store

The PDP decides, but it only knows what the PIP tells it: poor context yields a poor decision.

Recommendations by maturity tier

Foundation

Minimum viable baseline
  • Collect basic identity attributes (role, group).
    NIST 800-53 AC-16
    Without reliable attributes, the PDP can do no better than all-or-nothing.
  • Single, trusted attribute source.
    NIST 800-53 AC-16 · AC-2
    Attributes that diverge across sources lead to inconsistent decisions.
  • Claims available at decision time.
    NIST 800-53 AC-16
    An unavailable attribute forces either a denial or a dangerous permissive default.

Enterprise

Enterprise standard
  • Enriched context signals: posture, geolocation, resource sensitivity.
    NIST 800-53 AC-16 · RA-3
    The same action carries different risk on public data versus a regulated secret.
  • Risk score computed and exposed to the PDP.
    NIST 800-53 RA-3 · SI-4
    An aggregate score enables graduated decisions rather than binary ones.
  • Attribute freshness guaranteed (controlled cache).
    NIST 800-53 SI-4
    A stale attribute (role revoked yesterday, still cached) produces a dangerous decision.

Advanced

High-assurance / regulated
  • Real-time risk feeds from SIEM and abuse detection.
    NIST 800-53 SI-4 · NIST 800-207 §3.3
    Risk context follows the event, not the quarterly review cycle.
  • Agentic context: provenance, tool chain, intent.
    NIST 800-53 AC-16 · OWASP LLM06:2025
    For an agent, 'where did this request come from and via which tools' is as decisive as 'who'.
  • Context re-queried during the session (continuous evaluation).
    NIST 800-207 §3.3
    Risk changes mid-session; context must be refreshed, not frozen at login.

Architecture notes

  • Bring data sensitivity into the context.
    Authorization is not only about the user.
    Classifying and labeling data lets the PDP modulate the decision by what is actually at stake.
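The maturity tiers and the data-sensitivity note above describe what a PIP must guarantee: fresh attributes, an aggregate risk score, resource sensitivity in the context, and no permissive default when a signal is unavailable. The Python sketch below is an added example written for this page, not code from the page or from any product it names; the attribute names, freshness limits, risk weights and the stand-in sources are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
import time

class ContextUnavailable(Exception):
    """A required attribute is missing or stale: the PIP says so and the PDP denies."""

@dataclass
class Attribute:
    value: str
    fetched_at: float  # epoch seconds at which the source produced this value

# Maximum tolerated age per attribute, in seconds (illustrative values, not a standard).
MAX_AGE = {"role": 300, "posture": 60, "risk_signal": 30, "sensitivity": 3600}

# Illustrative weights for the aggregate risk score; a deployment tunes these itself.
RISK_WEIGHTS = {
    "posture": {"compliant": 0, "non_compliant": 40},
    "risk_signal": {"low": 0, "medium": 20, "high": 50},
    "sensitivity": {"public": 0, "internal": 10, "regulated": 30},
}

class PolicyInformationPoint:
    def __init__(self, sources, clock=time.time):
        # sources: attribute name -> callable(subject, resource) -> Attribute or None
        self.sources, self.clock = sources, clock

    def _fresh_value(self, name, subject, resource):
        attr = self.sources[name](subject, resource)
        if attr is None:
            raise ContextUnavailable(f"{name}: no value available for {subject}")
        if self.clock() - attr.fetched_at > MAX_AGE[name]:
            raise ContextUnavailable(f"{name}: stale, older than {MAX_AGE[name]}s")
        return attr.value

    def build_context(self, subject, resource):
        """Context document for the PDP; a failure raises, it never defaults to permissive."""
        ctx = {name: self._fresh_value(name, subject, resource) for name in MAX_AGE}
        ctx["risk_score"] = sum(RISK_WEIGHTS[k][ctx[k]] for k in RISK_WEIGHTS)
        return ctx

def sample_sources(now, role_age=10, signal="low"):
    """Constructed stand-ins for IdP, EDR, SIEM and data catalog (not real connectors)."""
    return {
        "role": lambda s, r: Attribute("finance-analyst", now - role_age),
        "posture": lambda s, r: Attribute("compliant", now - 5),
        "risk_signal": lambda s, r: Attribute(signal, now - 2),
        "sensitivity": lambda s, r: Attribute("regulated" if r.startswith("payroll") else "public", now - 60),
    }
```

With a fixed clock, a request against `payroll/...` while the SIEM reports a high signal yields a risk score of 80, while a role attribute older than its 300 s limit makes `build_context` raise instead of handing the PDP a stale role.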

References

NIST SP 800-207
§3.1 (the PIP feeds the policy engine), §3.3 (continuous diagnostics).
NIST SP 800-53 Rev5
AC-16 (Security & Privacy Attributes), RA-3 (Risk Assessment), SI-4 (System Monitoring).
NIST AI 600-1
MP-5.1 — threat profiling that feeds context signals.

Abbreviations

PDP
Policy Decision Point
PEP
Policy Enforcement Point
PIP
Policy Information Point
PAP
Policy Administration Point
IdP
Identity Provider
TSS
Token Service
NHI
Non-Human Identity
RBAC
Role-Based Access Control
ABAC
Attribute-Based Access Control
MFA
Multi-Factor Authentication
HITL
Human-in-the-loop
JIT
Just-In-Time
CAE
Continuous Access Evaluation
CAEP
Continuous Access Evaluation Profile
DPoP
Demonstrating Proof-of-Possession
mTLS
mutual TLS
PII
Personally Identifiable Information
KMS
Key Management Service
CI/CD
Continuous Integration / Continuous Delivery
SIEM
Security Information and Event Management
SOAR
Security Orchestration, Automation and Response
SCIM
System for Cross-domain Identity Management
XACML
eXtensible Access Control Markup Language
OPA
Open Policy Agent
OWASP
Open Worldwide Application Security Project
NIST
National Institute of Standards and Technology
ATLAS
Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM
Large Language Model
WAF
Web Application Firewall
CDN
Content Delivery Network
DDoS
Distributed Denial of Service
DLP
Data Loss Prevention
JWT
JSON Web Token
API
Application Programming Interface
CRS
Core Rule Set (OWASP)
RAG
Retrieval-Augmented Generation
MCP
Model Context Protocol
PBAC
Permission-Based Access Control
HSM
Hardware Security Module
UEBA
User and Entity Behavior Analytics
SBOM
Software Bill of Materials
SLSA
Supply-chain Levels for Software Artifacts
WORM
Write Once, Read Many
SPIFFE
Secure Production Identity Framework For Everyone