We should look in every location and require that if an authorization manager abstained, then access should be denied. One option is that if the AuthorizationResult is null, then deny access. Another option is to require AuthorizationResult to be non-null going forward.
This depends on:
- [x] #11958
- [x] #11967