After two years of development, the AuthZEN Working Group reached a significant milestone at this month's Gartner Identity & Access Management Summit in Grapevine, Texas, with enterprise practitioners signalling clear readiness for implementation.

The main AuthZEN session drew nearly 100 attendees whose questions revealed an important shift in market maturity. Rather than asking whether standards based authorization works, practitioners wanted to understand implementation specifics for their own environments - a clear indication that AuthZEN has moved from concept to viable technology.

From specification to implementation

The core presentation brought together OpenID Foundation AuthZEN Working Group Chairs Omri Gazitt (Aserto Co-founder and CEO), David Brossard (Axiomatics CTO), and Alex Olivier (Cerbos Co-founder and CPO), along with Gartner VP analyst Homan Farahmand. Each addressed a specific dimension: the milestone context, business case, technical architecture, and interoperability capabilities.

Omri noted: “AuthZEN focuses on standardizing the way we ask the most important questions in authorization: can this user perform this action on this resource? For the first time, we have a specification that can easily be implemented by all authorization systems,  regardless of their architecture or philosophy. RBAC, ABAC, and ReBAC systems can answer the same authorization queries in the same way, enabling true software interoperability.”

Questions from major e-commerce and insurance organizations focused on practical deployment. This included integration with transactional tokens and emerging standards, token enrichment approaches, and compatibility with existing identity providers. The specificity of these questions indicated serious technical evaluation rather than general inquiry.

Alex said : "The timing of this interop was spot on. With the specification approaching 1.0, discussions in the room shifted away from theory toward how enterprises, large and small, are actually designing and rolling out standards based fine-grained authorization in production."

Vendor participation demonstrates maturity

Five hands-on interoperability sessions showed working implementations across multiple vendors, demonstrating that the specification delivers practical interoperability between different systems. The demonstrations focused on a fundamental capability - when a user authenticates, the identity system can check current authorization policies to determine appropriate access, enabling organizations to build dynamic access controls on their existing identity infrastructure.

Eight implementers participated in the demonstrations, with identity providers including EmpowerID, Gluu, Curity, and Thales, and policy decision platforms including Axiomatics, EmpowerID, Cerbos, SGNL, WSO2, and Topaz. A further nine policy decision points and nine identity providers participated in the broader interoperability program.

Integration with broader security architecture

During the conference, Shared Signals Framework  Working Group Co-Chair Atul Tulshibagwale joined Gartner analyst Erik Wahlström to describe how various standards including Shared Signals, CAEP, AuthZEN, and Transaction Tokens enable modern security architectures.

“Identity standards are the only way disparate cloud services, bespoke apps, varied devices, and AI agents can work together to secure global enterprises”, said Atul Tulshibagwale, CTO of SGNL and Corporate Board Member of the OpenID Foundation.

The session addressed a practical question for enterprise security teams: how do these specifications work together? Rather than implementing isolated solutions, organizations are building comprehensive security frameworks where multiple standards must interoperate effectively. Strong attendance and positive feedback indicated clear interest in understanding these integration patterns.

Market readiness indicators

The number of attendees asking how to join the AuthZEN Working Group provided another positive signal. Many expressed interest in contributing to future development work, suggesting growing enterprise commitment beyond passive observation.

With the AuthZEN 1.0 specification voting concluding in early January, the two year development process has established working foundations - a complete specification, successful interoperability testing across multiple implementers, and demonstrated enterprise interest.

As one attendee observed, the industry is developing "awareness and understanding of where AuthZEN fits overall, and interest from the community about how these new specifications - Shared Signals, AuthZEN, transactional tokens - can contribute to better security architectures."

The response at the Gartner Summit suggests organizations are prepared to begin evaluation and implementation planning as the specification reaches completion.

Gartner's formal recommendations from the summit validate what the AuthZEN demonstrations showed in practice. In their 2025 Executive Summary of the Identity & Access Management Summit, Gartner stated that customers should:

“...adopt standards like AuthZEN to reduce vendor lock-in and enhance interoperability”. 

David added: “Standards have been the driving force behind our customers’ decision to adopt externalized authorization. We have seen a strong evolution since the early days of XACML 20 years ago to today with modern standards such as AuthZEN and ALFA. It is helping customers stay secure more efficiently.”

Roadmap

The AuthZEN Working Group has identified key areas for 2026 which include:

• integration with additional standards such as the Shared Signals Framework 
• integration with vertical-specific standards such as HL7 and Open Banking
• specific profiles to address integration with API gateways, identity providers and MCP-based AI architectures. 

With regards to AI, David notes: “The design proposals put forward by the Model Context Protocol working group are very much in line with NIST Zero Trust and ABAC architectures which AuthZEN enables. As a result, it is straightforward to apply AuthZEN APIs to secure MCP-based AI flows.”

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the FAPI standard for interoperable, high security, OAuth2 has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

To learn more about conformance testing and self-certification, please visit the OpenID Foundation’s FAQ section.