Enterprise authorization is fragmented. Your PDP handles app access. Your IGA handles governance. Your IdP handles tokens. Your search tool has hardcoded visibility rules. Your AI agents get a duct-tape safety layer on top. Each system owns a piece of the identity puzzle—but nobody owns the whole picture.
The Fragmentation Problem
This architecture worked when applications were the only tenants. But AI agents changed the game. Agents don't follow the same auth patterns. They ask authorization questions across the entire identity fabric—not just app access, but membership rules, SoD constraints, temporal guardrails, and delegation policies—all in real time, often without a human in the loop.
Fragmentation becomes a security problem when your agent has to stitch together answers from five different systems, each with different semantics, audit trails, and decision logic.
How the Industry Typically Works
Most vendors sell you a PDP as an application authorization engine. Everything else gets delegated:
Governance rules (SoD, birthright, access reviews) live in your IGA tool. Authorization rules live in your PDP. They don't talk.
What users can see in search results is baked into the search tool. No connection to your authorization policies.
Deciding what claims go into tokens happens in custom code. Authorization policies don't influence token composition.
Agents get a safety layer bolted on top. Not integrated into the fabric, just patched into the edges.
Our Architecture: One PDP, Entire Identity Fabric
We built our PDP as the authoritative decision point for the entire identity fabric. Five critical surfaces all call the same PDP:
Frontend API gateway checks every request against the PDP before it reaches downstream services.
AI agent tool calls go through the gateway. PDP evaluates whether the agent can invoke each capability.
IGA policy checks (SoD, birthright, temporal guardrails) are authorization policies evaluated by the PDP.
Token issuance and delegation decisions consult the PDP for what claims belong in the token.
Baseline membership policies for multi-tenant platforms are enforced through PDP policies.
All of them speak one language:
AuthZEN evaluate or AuthZEN search against one JSON policy language, one fact model, one audit format.
How It Works Technically
Policy Information Points (PIPs) supply live context. They feed facts into the policy decision engine—never decisions, always facts. The PDP evaluates those facts against your policies. AuthZEN's standard fields handle constraints and obligations in the response context.
Example: An agent asks "Can I execute this workflow?" PIPs supply: user role, user department, user tenure, workflow constraints, SoD matrix state. PDP evaluates policy. Response: "Yes, with obligation: log_sensitive_access, obligation: notify_manager."
IGA Rules Are Authorization Policies
Your IGA governance rules aren't separate from authorization. They are authorization policies under an identity-governance PDP application. SoD, birthright, and temporal guardrails become first-class policies:
IGA.CheckSoD — Can this user hold both roles simultaneously?
IGA.CheckBirthright — Does this user automatically get this access based on their job?
IGA.CheckGuardrail — Are temporal or tenure constraints violated?
What This Means for Your Organization
One PDP as the identity fabric brain gives you:
No translation layer. Authorization, governance, and delegation all use the same semantics.
Every decision is logged in one place. Compliance auditors see the complete decision path.
Your security team manages one PDP, not five systems arguing about who owns what.
AI agents, apps, and services all get consistent answers. No divergence in decision logic.
Prove compliance by showing the exact policy that made the decision, who wrote it, when it changed.
The Graph-Anchored Advantage
Our fact model is graph-anchored. The identity graph (patent U.S. 63/798,201) sits at the center. PIPs fetch facts directly from the graph. This means:
Relationships are facts, not interpretations. User-to-role, role-to-permission, role-to-constraint are all graph edges. The PDP evaluates the actual topology, not a flattened view. Temporal constraints, delegation chains, and derived relationships all flow from the graph.
Why This Matters Now
AI agents are first-class platform tenants now, not an afterthought. They ask authorization questions at runtime, across the entire identity fabric, with decisions that affect the business in seconds. Fragmentation is no longer a tech debt issue. It's a security issue. One PDP as the fabric brain gives you the consistency, auditability, and runtime control your organization needs.
EmpowerNow's PDP is built on OpenID AuthZEN 1.0. Explore the architecture →