
EnforceAuth releases open-source Zift to map authorization logic in code

May 5, 2026
By AI, Created 10:34 AM UTC, May 20, 2026, /AGP/ – EnforceAuth released Zift, an open-source scanner that finds authorization decisions embedded in application code and emits Open Policy Agent-ready policy stubs. The launch targets enterprise security teams facing faster AI-driven systems, tighter compliance demands, and hard-to-audit authorization logic spread across modern codebases.

Why it matters:
- Zift aims to expose the authorization logic that often stays buried inside application code instead of a centralized policy engine.
- The tool is intended to help enterprises measure how much of their access control is already externalized and how much still depends on scattered code paths.
- EnforceAuth argues that the shift to agentic AI systems and machine-speed actions makes static authorization checks harder to defend.
- The release also speaks to compliance pressure from SOX, PCI-DSS, GDPR, HIPAA, the EU AI Act, and SEC cybersecurity disclosure rules, which increasingly demand evidence for authorization decisions.

What happened:
- EnforceAuth announced the open-source release of Zift on May 5, 2026.
- Zift scans multi-language codebases, discovers authorization decisions, and emits Rego policy stubs for Open Policy Agent.
- The repository is live at the Zift repository.
- Zift is licensed under Apache 2.0 with no feature gating, no telemetry by default, and no contractual obligation.

The details:
- Zift is designed around what EnforceAuth calls the Authorization Gap: the space between externalized authentication and the authorization that remains embedded in application code.
- The scanner looks for role-based checks, attribute predicates, framework middleware, business-rule guards, ownership filters in ORM queries, feature gates, and custom per-application policy languages.
- In an internal benchmark scan of a small financial application, Zift found that 20% of enforcement points already consulted a policy engine.
- The other 80% of authorization decisions were embedded in source code across files, frameworks, and local conventions.
- EnforceAuth chose that codebase because it expected a high externalization rate.
- Zift installs in two commands and can produce a baseline externalization percentage in one scan.
- The repository includes the full scanner, standard parsers, the core rule corpus, the Rego emission engine, and an optional deep-mode integration for local large language models.
- Cedar policy emission is on the published roadmap.
- Installation commands include brew install enforceauth/tap/zift and cargo binstall zift.
- The first scan command is zift scan ./your-codebase.
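To make the Authorization Gap concrete, here is a toy discovery scan written for this article (it is not Zift's code and does not use its rule corpus or output format): it runs a few hypothetical pattern rules over a constructed sample codebase, separates enforcement points that consult a policy engine from checks embedded in code, reports the externalization percentage, and emits a default-deny Rego stub for each embedded check.

```python
import re
from collections import namedtuple

# Constructed sample "codebase" (path -> source snippet); not a real project.
SAMPLE_FILES = {
    "orders/views.py": 'if user.role != "admin":\n    raise PermissionDenied\n',
    "orders/queries.py": 'return Order.objects.filter(owner_id=user.id)\n',
    "billing/views.py": 'if not opa.query("data.billing.allow", ctx):\n    deny()\n',
    "reports/api.py": 'if "analyst" not in user.roles:\n    raise PermissionDenied\n',
}

# Hypothetical rule corpus: (kind, pattern). "externalized" marks a check that
# consults a policy engine; every other kind is a decision embedded in code.
RULES = [
    ("externalized", re.compile(r'opa\.query\("([\w.]+)"')),
    ("role", re.compile(r'user\.role\s*!=\s*"(\w+)"')),
    ("roles", re.compile(r'"(\w+)"\s+not\s+in\s+user\.roles')),
    ("ownership", re.compile(r'\.filter\((\w+)=user\.id\)')),
]

# Rego rule body emitted for each embedded kind; {v} is the captured value.
REGO_BODY = {
    "role": 'input.user.role == "{v}"',
    "roles": '"{v}" in input.user.roles',
    "ownership": "input.resource.{v} == input.user.id",
}

Finding = namedtuple("Finding", "path line kind value")

def scan(files):
    """Return one Finding per source line that matches a rule."""
    found = []
    for path, src in files.items():
        for lineno, text in enumerate(src.splitlines(), 1):
            for kind, rx in RULES:
                m = rx.search(text)
                if m:
                    found.append(Finding(path, lineno, kind, m.group(1)))
    return found

def externalization_pct(findings):
    """Percentage of enforcement points that already consult a policy engine."""
    if not findings:
        return 0.0
    ext = sum(f.kind == "externalized" for f in findings)
    return round(100.0 * ext / len(findings), 1)

def emit_rego(f):
    """Default-deny Rego stub for one embedded check; the path becomes the package."""
    pkg = f.path.rsplit(".", 1)[0].replace("/", ".")
    body = REGO_BODY[f.kind].format(v=f.value)
    return (f"package {pkg}\n\nimport rego.v1\n\ndefault allow := false\n\n"
            f"allow if {{\n    {body}\n}}\n")
```

On the sample, one of four enforcement points is externalized (25%); the remaining three are the kind of scattered checks a scanner would flag and stub out for review.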

Between the lines:
- Zift is also a distribution play for EnforceAuth: free discovery tooling on one side, commercial runtime products on the other.
- Rogge said the company could have kept the scanner proprietary, but chose Apache 2.0 because the discovery step should not sit behind procurement.
- EnforceAuth says the non-human-to-human identity ratio in modern enterprises is about 82 to 1, which it views as evidence that machine principals need more dynamic policy controls.
- The company is trying to turn authorization externalization into a measurable metric instead of a qualitative audit exercise.
- EnforceAuth plans to publish the scanning methodology with the v0.1 release and invites anonymized scan results from the security community.

What’s next:
- EnforceAuth plans to add Cedar policy emission.
- The company wants outside contributors to submit anonymized scan results so the industry can compare real externalization distributions.
- The published methodology is meant to make the externalization percentage a repeatable benchmark for security teams.

Disclaimer: This article was produced by AGP Wire with the assistance of artificial intelligence based on original source content and has been refined to improve clarity, structure, and readability. This content is provided on an “as is” basis. While care has been taken in its preparation, it may contain inaccuracies or omissions, and readers should consult the original source and independently verify key information where appropriate. This content is for informational purposes only and does not constitute legal, financial, investment, or other professional advice.
