diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index 5841c1132..e08c23786 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -293,7 +293,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
 // secrets will be redacted
 if authz, err = a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 }
@@ -358,7 +358,7 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok
 authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext)
 if err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -429,7 +429,7 @@ func (a *ACL) TokenSet(args *structs.ACLTokenSetRequest, reply *structs.ACLToken
 var authzContext acl.AuthorizerContext
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -835,7 +835,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
 var authzContext acl.AuthorizerContext
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
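Review bot: Dropping `authz == nil` from the `else if` in TokenRead turns the nil case from a clean `acl.ErrPermissionDenied` into a method call on a nil interface at `authz.ACLRead`, which panics, so the edit is only safe if `ResolveTokenAndDefaultMeta` can no longer return a nil Authorizer; that helper is outside the diff, so I cannot confirm it here. The same edit is made in TokenClone, TokenSet, TokenDelete, TokenList, PolicyRead, PolicySet, PolicyDelete, PolicyList, RoleRead, RoleSet, RoleDelete, RoleList, BindingRuleRead, BindingRuleSet, BindingRuleDelete, BindingRuleList, AuthMethodRead, AuthMethodSet, AuthMethodDelete and AuthMethodList. Because these are network-reachable RPC handlers, a still-reachable nil would convert a denied request into a crashed one, which is worse than the previous fail-closed behaviour, so the invariant deserves to be written on the resolver's doc comment, e.g. `// ResolveTokenAndDefaultMeta never returns a nil Authorizer; when ACLs are disabled it returns one that allows everything` (adjust to what it actually returns), and pinned by a test that calls one of these endpoints with ACLs disabled. The enclosing functions start and end outside the hunks.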
@@ -924,7 +924,7 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
 // merge the token default meta into the requests meta
 args.EnterpriseMeta.Merge(&requestMeta)
 args.EnterpriseMeta.FillAuthzContext(&authzContext)
- if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1035,7 +1035,7 @@ func (a *ACL) PolicyRead(args *structs.ACLPolicyGetRequest, reply *structs.ACLPo
 var authzContext acl.AuthorizerContext
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1115,7 +1115,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
 
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Policy.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1246,7 +1246,7 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
 
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1297,7 +1297,7 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
 authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
 if err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1469,7 +1469,7 @@ func (a *ACL) RoleRead(args *structs.ACLRoleGetRequest, reply *structs.ACLRoleRe
 
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1549,7 +1549,7 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
 
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Role.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1707,7 +1707,7 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
 
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1754,7 +1754,7 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
 authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
 if err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1853,7 +1853,7 @@ func (a *ACL) BindingRuleRead(args *structs.ACLBindingRuleGetRequest, reply *str
 authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
 if err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -1894,7 +1894,7 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
 // Verify token is permitted to modify ACLs
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.BindingRule.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -2023,7 +2023,7 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
 // Verify token is permitted to modify ACLs
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -2071,7 +2071,7 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
 authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
 if err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -2110,7 +2110,7 @@ func (a *ACL) AuthMethodRead(args *structs.ACLAuthMethodGetRequest, reply *struc
 
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -2155,7 +2155,7 @@ func (a *ACL) AuthMethodSet(args *structs.ACLAuthMethodSetRequest, reply *struct
 
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.AuthMethod.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -2267,7 +2267,7 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply *
 
 if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
 return err
- } else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
+ } else if authz.ACLWrite(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -2321,7 +2321,7 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
 authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
 if err != nil {
 return err
- } else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
+ } else if authz.ACLRead(&authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
diff --git a/agent/consul/kvs_endpoint.go b/agent/consul/kvs_endpoint.go
index df168c5c5..1b748c51e 100644
--- a/agent/consul/kvs_endpoint.go
+++ b/agent/consul/kvs_endpoint.go
@@ -157,7 +157,7 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
 if err != nil {
 return err
 }
- if authz != nil && authz.KeyRead(args.Key, &authzContext) != acl.Allow {
+ if authz.KeyRead(args.Key, &authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
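Review bot: In KVS.Get the removed guard had the opposite polarity from the ones in acl_endpoint.go: `authz != nil && ...` let a nil authorizer read the key, while the ACL endpoints treated nil as denied, so the two files used to disagree on what a nil authorizer meant and this hunk silently unifies them on whatever the resolver now returns. That is the right direction, but the ACLs-disabled behaviour of KVS reads is no longer visible in this function at all; a one-line comment above the check, `// authz is never nil: with ACLs disabled the resolver returns an authorizer that allows everything` (confirm against ResolveTokenAndDefaultMeta, which is outside the diff), plus an ACLs-disabled regression test for Get, would stop the next reader from re-adding a nil check with the wrong polarity. The same point applies to the two KVS.List hunks that follow. The enclosing function continues outside the hunk.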
@@ -194,7 +194,7 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
 return err
 }
 
- if authz != nil && k.srv.config.ACLEnableKeyListPolicy && authz.KeyList(args.Key, &authzContext) != acl.Allow {
+ if k.srv.config.ACLEnableKeyListPolicy && authz.KeyList(args.Key, &authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
 
@@ -206,9 +206,7 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
 if err != nil {
 return err
 }
- if authz != nil {
- ent = FilterDirEnt(authz, ent)
- }
+ ent = FilterDirEnt(authz, ent)
 if len(ent) == 0 {
 // Must provide non-zero index to prevent blocking
diff --git a/agent/rpc/subscribe/subscribe.go b/agent/rpc/subscribe/subscribe.go
index acd434486..be19e9fa9 100644
--- a/agent/rpc/subscribe/subscribe.go
+++ b/agent/rpc/subscribe/subscribe.go
@@ -75,9 +75,7 @@ func (h *Server) Subscribe(req *pbsubscribe.SubscribeRequest, serverStream pbsub
 return err
 }
 
- var ok bool
- event, ok = filterByAuth(authz, event)
- if !ok {
+ if !event.Payload.HasReadPermission(authz) {
 continue
 }
 
@@ -126,16 +124,6 @@ func forwardToDC(
 }
 }
 
-// filterByAuth to only those Events allowed by the acl token.
-func filterByAuth(authz acl.Authorizer, event stream.Event) (stream.Event, bool) {
- // authz will be nil when ACLs are disabled
- if authz == nil {
- return event, true
- }
-
- return event, event.Payload.HasReadPermission(authz)
-}
-
 func newEventFromStreamEvent(event stream.Event) *pbsubscribe.Event {
 e := &pbsubscribe.Event{Index: event.Index}
 switch {
diff --git a/agent/structs/intention.go b/agent/structs/intention.go
index 078bcbe50..15c401764 100644
--- a/agent/structs/intention.go
+++ b/agent/structs/intention.go
@@ -298,9 +298,6 @@ func (x *Intention) Validate() error {
 }
 
 func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
- if authz == nil {
- return true
- }
 var authzContext acl.AuthorizerContext
 // Read access on either end of the intention allows you to read the
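Review bot: The inline `if !event.Payload.HasReadPermission(authz)` in Subscribe discards the only comment that explained the nil case (`// authz will be nil when ACLs are disabled`, inside the deleted filterByAuth) and adds no replacement, so a reader of the loop no longer learns why authz can be handed to the payload without a check. Assuming the resolver now guarantees a non-nil authorizer, a short comment on the new line, `// authz is non-nil even with ACLs disabled; the payload decides visibility`, preserves that knowledge; if the guarantee does not hold, each event would reach a nil dereference inside HasReadPermission instead of being filtered, which is a crash on a streaming RPC. The Subscribe loop starts and ends outside the hunk.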
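Review bot: CanRead is an exported method on Intention, and deleting `if authz == nil { return true }` turns a nil argument from a supported input into a caller bug, yet nothing in the hunk records the new precondition; CanWrite in the following hunk makes the same change. Callers outside agent/consul that still pass nil (I cannot see them from here) would presumably fail on the first method call on authz, which is below the hunk. A doc comment stating the contract, `// CanRead reports whether authz may read this intention. authz must be non-nil; obtain it from the token resolver.`, and the matching line on CanWrite, would make the change of contract visible at the API. The body of CanRead continues past the hunk.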
@@ -325,11 +322,12 @@ func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
 }
 
 func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
- if authz == nil || authz == acl.ManageAll() {
+ if authz == acl.ManageAll() {
 return true
 }
 var authzContext acl.AuthorizerContext
+ // TODO: this line seems to require checking 'authz == acl.ManageAll()' above
 if ixn.DestinationName == "" {
 return false
 }
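Review bot: The added `// TODO: this line seems to require checking 'authz == acl.ManageAll()' above` reads as an open question rather than documentation, and the answer is visible in the hunk: without the early return, a management authorizer would fall through to `if ixn.DestinationName == "" { return false }` and be refused a write the early return is there to grant. I would replace the TODO with the reason, `// A management authorizer may write any intention, including one with an empty DestinationName, which every other caller is refused below.`, so the dependency between the two checks is stated rather than wondered about. Separately, `authz == acl.ManageAll()` compares interface values, which only identifies a management authorizer if ManageAll returns the same comparable value on every call; that function is outside the diff, so it is worth confirming and noting in the same comment. CanWrite continues past the hunk.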