Skip to main content

The AI Security Fabric & the Authorization Gap

Overview

The foundational Associate course. It explains the problem EnforceAuth exists to solve, the Authorization Gap, and the vocabulary you need for everything that follows: the four domains, authentication versus authorization at runtime, the PEP/PDP/PIP request flow, the Define, Enforce, Audit operating model, and where the four products (Zift, Writ, Herald, Verdict) fit at a high level. A runnable OPA lab grounds it in a real authorization decision.

Who this is for

Anyone starting the Associate track, both EnforceAuth customers and open-source OPA users. The lab has you author a small Rego policy, so first work through the Rego material in OPA & Enterprise OPA Fundamentals (default deny, allow rules, the in operator, and writing tests). A "Rego in a nutshell" callout in Lesson 2 recaps just enough to attempt the lab.

Outcomes

By the end of this course you will be able to:

  • Explain the difference between authentication and authorization at runtime, and name the four domains the AI Security Fabric covers.
  • Trace a request through the PEP, PDP, and PIP, and map it to Define, Enforce, Audit.
  • Say what Zift, Writ, Herald, and Verdict each do without confusing their roles, and which component is actually the PDP.
  • Read a default-deny OPA policy and predict its allow and deny decisions.

Lessons

  1. The Authorization Gap and the four domains
  2. PEP, PDP, PIP and the Define, Enforce, Audit loop
  3. Where Zift, Writ, Herald, and Verdict fit

Hands-on lab

This course includes a hands-on lab in lab/ that models the decision a PDP returns for one request. It ships RED: policy.rego is a default-deny starter with a # TODO(learner) where the decision rules belong. You implement the three allow rules (in Lesson 2) until the suite is green:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/foundations-authorization-gap -v

You start at PASS: 3/6 and finish at PASS: 6/6. Keep iterating until opa test is green; the tests are the source of truth.

Certification

Counts toward the Associate track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.