diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go
index a796cb3d8..058ebbfe6 100644
--- a/agent/acl_endpoint.go
+++ b/agent/acl_endpoint.go
@@ -1156,8 +1156,6 @@ func (s *HTTPHandlers) ACLAuthorize(resp http.ResponseWriter, req *http.Request)
 		authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(request.Token, nil, nil)
 		if err != nil {
 			return nil, err
-		} else if authz == nil {
-			return nil, fmt.Errorf("Failed to initialize authorizer")
 		}
 
 		responses, err = structs.CreateACLAuthorizationResponses(authz, request.Requests)
diff --git a/agent/connect_auth.go b/agent/connect_auth.go
index 610b21381..293ac7016 100644
--- a/agent/connect_auth.go
+++ b/agent/connect_auth.go
@@ -132,14 +132,6 @@ func (a *Agent) ConnectAuthorize(token string,
 		return false, reason, &meta, nil
 	}
 
-	// No match, we need to determine the default behavior. We do this by
-	// fetching the default intention behavior from the resolved authorizer. The
-	// default behavior if ACLs are disabled is to allow connections to mimic the
-	// behavior of Consul itself: everything is allowed if ACLs are disabled.
-	if authz == nil {
-		// ACLs not enabled at all, the default is allow all.
-		return true, "ACLs disabled, access is allowed by default", &meta, nil
-	}
 	reason = "Default behavior configured by ACLs"
 	return authz.IntentionDefaultAllow(nil) == acl.Allow, reason, &meta, nil
 }
diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index e08c23786..8800cb0ec 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -981,8 +981,6 @@ func (a *ACL) TokenBatchRead(args *structs.ACLTokenBatchGetRequest, reply *struc
 	authz, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if authz == nil {
-		return acl.ErrPermissionDenied
 	}
 
 	return a.srv.blockingQuery(&args.QueryOptions, &reply.QueryMeta,
@@ -1073,8 +1071,6 @@ func (a *ACL) PolicyBatchRead(args *structs.ACLPolicyBatchGetRequest, reply *str
 	authz, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if authz == nil {
-		return acl.ErrPermissionDenied
 	}
 
 	return a.srv.blockingQuery(&args.QueryOptions, &reply.QueryMeta,
@@ -1507,8 +1503,6 @@ func (a *ACL) RoleBatchRead(args *structs.ACLRoleBatchGetRequest, reply *structs
 	authz, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if authz == nil {
-		return acl.ErrPermissionDenied
 	}
 
 	return a.srv.blockingQuery(&args.QueryOptions, &reply.QueryMeta,
@@ -2565,8 +2559,6 @@ func (a *ACL) Authorize(args *structs.RemoteACLAuthorizationRequest, reply *[]st
 	authz, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if authz == nil {
-		return fmt.Errorf("Failed to initialize authorizer")
 	}
 
 	responses, err := structs.CreateACLAuthorizationResponses(authz, args.Requests)