diff --git a/app/controlplane/pkg/authz/authz.go b/app/controlplane/pkg/authz/authz.go
index d4299f258..88590e209 100644
--- a/app/controlplane/pkg/authz/authz.go
+++ b/app/controlplane/pkg/authz/authz.go
@@ -375,7 +375,7 @@ var ServerOperationsMap = map[string]*OperationPolicy{
 // CAS Backend listing
 "/controlplane.v1.CASBackendService/List": {Policies: []*Policy{PolicyCASBackendList}},
 "/controlplane.v1.CASBackendService/Revalidate": {Policies: []*Policy{PolicyCASBackendUpdate}},
-"/controlplane.v1.CASBackendService/Create": {Policies: []*Policy{PolicyCASBackendCreate}},
+"/controlplane.v1.CASBackendService/Create": {Policies: []*Policy{PolicyCASBackendCreate}, ExternalAuthz: true},
 // Available integrations
 "/controlplane.v1.IntegrationsService/ListAvailable": {Policies: []*Policy{PolicyAvailableIntegrationList, PolicyAvailableIntegrationRead}},
 // Registered integrations
diff --git a/app/controlplane/pkg/authz/authz_test.go b/app/controlplane/pkg/authz/authz_test.go
index d9a2104bb..b06e6bae9 100644
--- a/app/controlplane/pkg/authz/authz_test.go
+++ b/app/controlplane/pkg/authz/authz_test.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024-2025 The Chainloop Authors.
+// Copyright 2024-2026 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
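Review bot: The new `ExternalAuthz: true` on the CASBackendService/Create entry carries no explanation of why this one operation is delegated, and whether the external decision supplements or replaces the local `PolicyCASBackendCreate` check cannot be seen from this hunk. A short comment on the entry would help, e.g. `// Create is additionally gated by the external authorizer; the local policy check still applies` (adjust once the evaluation order is confirmed). If the external authorizer can be unreachable, the fail-closed behaviour for flagged entries is worth documenting where the ExternalAuthz field is defined, which lies outside this diff.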
@@ -129,6 +129,36 @@ func TestDoSync(t *testing.T) {
 assert.Equal(t, "delete", got[0][2])
 }
 
+func TestRequiresExternalAuthz(t *testing.T) {
+testCases := []struct {
+name string
+operation string
+want bool
+}{
+{
+name: "CAS backend creation is forwarded to the external authorizer",
+operation: "/controlplane.v1.CASBackendService/Create",
+want: true,
+},
+{
+name: "operations without external authz flag are not forwarded",
+operation: "/controlplane.v1.WorkflowService/List",
+want: false,
+},
+{
+name: "unknown operations are not forwarded",
+operation: "/controlplane.v1.UnknownService/Unknown",
+want: false,
+},
+}
+
+for _, tc := range testCases {
+t.Run(tc.name, func(t *testing.T) {
+assert.Equal(t, tc.want, RequiresExternalAuthz(tc.operation))
+})
+}
+}
+
 func testEnforcer(t *testing.T) (*CasbinEnforcer, io.Closer) {
 f, err := os.CreateTemp(t.TempDir(), "policy*.csv")
 if err != nil {
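Review bot: The new table test pins only the boolean returned by RequiresExternalAuthz, so it would not catch a regression in which the Create entry keeps the flag but loses its `PolicyCASBackendCreate` policy, which is the one entry this commit touches in authz.go. Adding `op := ServerOperationsMap["/controlplane.v1.CASBackendService/Create"]` followed by `assert.Contains(t, op.Policies, PolicyCASBackendCreate)` would assert that the external check is layered on top of the local policy rather than substituting for it. The second case presumes `/controlplane.v1.WorkflowService/List` is present in the map without the flag; if that key is absent, the case is indistinguishable from the unknown-operation case and could pass for the wrong reason.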