diff --git a/.github/workflows/full_kubeflow_integration_test.yaml b/.github/workflows/full_kubeflow_integration_test.yaml
index 61d13d6463..d95f7c419c 100644
--- a/.github/workflows/full_kubeflow_integration_test.yaml
+++ b/.github/workflows/full_kubeflow_integration_test.yaml
@@ -195,8 +195,7 @@ jobs:
       run: ./tests/katib_test.sh "${KF_PROFILE}"
 
     - name: Run KServe Test
-      run: |
-        ./tests/kserve_test.sh ${KF_PROFILE}
+      run: ./tests/kserve_test.sh ${KF_PROFILE}
 
     - name: Run Spark Test
       run: chmod u+x tests/*.sh && ./tests/spark_test.sh "${KF_PROFILE}"
diff --git a/.github/workflows/kserve_test.yaml b/.github/workflows/kserve_test.yaml
index ff652ba352..b615114a27 100644
--- a/.github/workflows/kserve_test.yaml
+++ b/.github/workflows/kserve_test.yaml
@@ -9,7 +9,6 @@ on:
     - tests/kserve/**
     - tests/kserve_test.sh
     - tests/kserve_install.sh
-    - tests/kserve_jwt_authentication_test.sh
     - common/istio*/**
     - common/oauth2-proxy/**
     - tests/oauth2-proxy_install.sh
@@ -17,15 +16,13 @@ on:
     - tests/istio*
     - common/knative/**
     - tests/knative_install.sh
-    - tests/*authentication*test.sh
-    - tests/final_validation.sh
 
 permissions:
   contents: read
   actions: read
 
 jobs:
-  test-basic-kserve:
+  test-kserve:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
@@ -72,165 +69,13 @@ jobs:
     - name: Port forward
       run: ./tests/port_forward_gateway.sh
 
-    - name: Run KServe tests
-      run: ./tests/kserve_test.sh kubeflow-user-example-com
-
-    - name: Detailed KServe Access Diagnostics
-      run: |
-        export KSERVE_INGRESS_HOST_PORT=localhost:8080
-        export KSERVE_M2M_TOKEN="$(kubectl -n kubeflow-user-example-com create token default-editor)"
-
-        echo "=== AuthorizationPolicy Details ==="
-        kubectl get authorizationpolicy -n kubeflow-user-example-com -o yaml
-
-        echo "=== Detailed Curl Test ==="
-        curl -vv \
-          -H "Host: isvc-sklearn.kubeflow-user-example-com.example.com" \
-          -H "Authorization: Bearer ${KSERVE_M2M_TOKEN}" \
-          -H "Content-Type: application/json" \
-          "http://${KSERVE_INGRESS_HOST_PORT}/v1/models/isvc-sklearn:predict" \
-          -d '{"instances": [[6.8, 2.8, 4.8, 1.4], [6.0, 3.4, 4.5, 1.6]]}'
-
-    - name: Run kserve models webapp test
-      run: |
-        kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app
-
-    - name: Apply Pod Security Standards restricted levels
-      run: ./tests/PSS_enable.sh
-
-  test-jwt-authentication:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Install KinD, Create KinD cluster and Install kustomize
-      run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh
-
-    - name: Install kubectl
-      run: ./tests/kubectl_install.sh
-
-    - name: Create kubeflow namespace
-      run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
-
-    - name: Install Istio CNI
-      run: ./tests/istio-cni_install.sh
-
-    - name: Install oauth2-proxy
-      run: ./tests/oauth2-proxy_install.sh
-
-    - name: Install knative CNI with secure cluster-local-gateway
-      run: ./tests/knative_install.sh
-
-    - name: Verify secure cluster-local-gateway configuration
-      run: |
-        kubectl get authorizationpolicy,requestauthentication -n istio-system | grep cluster-local-gateway
-        kubectl get requestauthentication cluster-local-gateway-jwt -n istio-system -o yaml
-        kubectl get authorizationpolicy cluster-local-gateway -n istio-system -o yaml
-        kubectl get authorizationpolicy cluster-local-gateway-require-jwt -n istio-system -o yaml
-
-    - name: Setup python 3.12
-      uses: actions/setup-python@v4
-      with:
-        python-version: 3.12
-
-    - name: Port forward
-      run: ./tests/port_forward_gateway.sh
-
-    - name: Wait for cluster-local-gateway to be ready
+    - name: Wait for Istio configurations to propagate
       run: |
         kubectl wait --for=condition=Available --timeout=120s deployment/cluster-local-gateway -n istio-system
-        sleep 100
-
-    - name: Run Basic JWT Authentication Tests
-      run: |
-        export KSERVE_INGRESS_HOST_PORT=localhost:8080
-        curl -s -o /dev/null -w "%{http_code}" -H "Host: test.example.com" "http://localhost:8080/" | grep -q "403"
-
-    - name: Run Knative Service JWT Authentication Tests
-      run: |
-        export KSERVE_INGRESS_HOST_PORT=localhost:8080
-        ./tests/knative_authentication_test.sh
+        sleep 60
 
-    - name: Test External Access Configuration
-      run: |
-        export KSERVE_INGRESS_HOST_PORT=localhost:8080
-        ./tests/kserve_setup_external_access.sh kubeflow-user-example-com secure-model-predictor
-        # Test external access pattern
-        TOKEN=$(kubectl -n kubeflow-user-example-com create token default-editor)
-        RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-          -H "Authorization: Bearer $TOKEN" \
-          -H "Content-Type: application/json" \
-          "http://localhost:8080/kserve/kubeflow-user-example-com/secure-model-predictor/" \
-          2>/dev/null || echo "404")
-        if [ "$RESPONSE" != "404" ] && [ "$RESPONSE" != "200" ] && [ "$RESPONSE" != "503" ]; then
-          exit 1
-        fi
-
-    - name: Apply Pod Security Standards restricted levels
-      run: ./tests/PSS_enable.sh
-
-  test-secure-authentication:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Install KinD, Create KinD cluster and Install kustomize
-      run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh
-
-    - name: Install kubectl
-      run: ./tests/kubectl_install.sh
-
-    - name: Create kubeflow namespace
-      run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
-
-    - name: Install Istio CNI
-      run: ./tests/istio-cni_install.sh
-
-    - name: Install oauth2-proxy
-      run: ./tests/oauth2-proxy_install.sh
-
-    - name: Install cert-manager
-      run: ./tests/cert_manager_install.sh
-
-    - name: Install knative CNI (with secure cluster-local-gateway)
-      run: ./tests/knative_install.sh
-
-    - name: Install KServe
-      run: ./tests/kserve_install.sh
-
-    - name: Install KF Multi Tenancy
-      run: ./tests/multi_tenancy_install.sh
-
-    - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
-
-    - name: Create KF Profile
-      run: ./tests/kubeflow_profile_install.sh
-
-    - name: Setup python 3.12
-      uses: actions/setup-python@v4
-      with:
-        python-version: 3.12
-
-    - name: Port forward
-      run: ./tests/port_forward_gateway.sh
-
-    - name: Verify JWT authentication policies are applied
-      run: |
-        kubectl get authorizationpolicy cluster-local-gateway-require-jwt -n istio-system
-        kubectl get requestauthentication cluster-local-gateway-jwt -n istio-system
-        kubectl get authorizationpolicy cluster-local-gateway -n istio-system
-        kubectl get deployment cluster-local-gateway -n istio-system
-        kubectl wait --for=condition=Available deployment/cluster-local-gateway -n istio-system --timeout=120s
-        kubectl get pods -n istio-system -l app=cluster-jwks-proxy | grep -q Running || kubectl get pods -n istio-system -l app=cluster-jwks-proxy
-
-    - name: Wait for configurations to propagate
-      run: sleep 60
-
-    - name: Run KServe secure authentication tests
-      run: ./tests/kserve_jwt_authentication_test.sh kubeflow-user-example-com
+    - name: Run KServe tests
+      run: ./tests/kserve_test.sh kubeflow-user-example-com
 
     - name: Apply Pod Security Standards restricted levels
       run: ./tests/PSS_enable.sh
diff --git a/tests/knative_authentication_test.sh b/tests/knative_authentication_test.sh
deleted file mode 100755
index 01359d66e8..0000000000
--- a/tests/knative_authentication_test.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-PRIMARY_NAMESPACE="kubeflow-user-example-com"
-ATTACKER_NAMESPACE="kubeflow-user-attacker"
-INGRESS_HOST_PORT="${KSERVE_INGRESS_HOST_PORT:-localhost:8080}"
-
-function setup_test_environment() {
-    kubectl create namespace $PRIMARY_NAMESPACE --dry-run=client -o yaml | kubectl apply -f -
-    kubectl create namespace $ATTACKER_NAMESPACE --dry-run=client -o yaml | kubectl apply -f -
-    kubectl create serviceaccount default-editor -n $PRIMARY_NAMESPACE --dry-run=client -o yaml | kubectl apply -f -
-    kubectl create serviceaccount attacker-sa -n $ATTACKER_NAMESPACE --dry-run=client -o yaml | kubectl apply -f -
-    
-    cat <<EOF | kubectl apply -f -
-apiVersion: serving.knative.dev/v1
-kind: Service
-metadata:
-  name: secure-model-predictor
-  namespace: $PRIMARY_NAMESPACE
-spec:
-  template:
-    metadata:
-      annotations:
-        autoscaling.knative.dev/minScale: "1"
-    spec:
-      containers:
-      - image: gcr.io/knative-samples/helloworld-go
-        ports:
-        - containerPort: 8080
-        env:
-        - name: TARGET
-          value: "Secure KServe Model"
-EOF
-
-    kubectl wait --for=condition=Ready ksvc/secure-model-predictor -n $PRIMARY_NAMESPACE --timeout=120s
-}
-
-function test_gateway_authentication() {
-    RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-        -H "Host: secure-model-predictor.$PRIMARY_NAMESPACE.svc.cluster.local" \
-        "http://$INGRESS_HOST_PORT/")
-    
-    if [ "$RESPONSE" != "403" ]; then
-        exit 1
-    fi
-    
-    RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-        -H "Host: secure-model-predictor.$PRIMARY_NAMESPACE.svc.cluster.local" \
-        -H "Authorization: Bearer invalid-token" \
-        "http://$INGRESS_HOST_PORT/")
-    
-    if [ "$RESPONSE" != "401" ] && [ "$RESPONSE" != "403" ]; then
-        exit 1
-    fi
-}
-
-function test_namespace_isolation() {
-    PRIMARY_TOKEN=$(kubectl -n $PRIMARY_NAMESPACE create token default-editor)
-    ATTACKER_TOKEN=$(kubectl -n $ATTACKER_NAMESPACE create token attacker-sa)
-    
-    RESPONSE=$(curl -s -w "%{http_code}" \
-        -H "Host: secure-model-predictor.$PRIMARY_NAMESPACE.svc.cluster.local" \
-        -H "Authorization: Bearer $PRIMARY_TOKEN" \
-        "http://$INGRESS_HOST_PORT/")
-    
-    if [[ "$RESPONSE" != *"200"* ]] && [[ "$RESPONSE" != *"404"* ]] && [[ "$RESPONSE" != *"503"* ]]; then
-        exit 1
-    fi
-    
-    RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-        -H "Host: secure-model-predictor.$PRIMARY_NAMESPACE.svc.cluster.local" \
-        -H "Authorization: Bearer $ATTACKER_TOKEN" \
-        "http://$INGRESS_HOST_PORT/")
-    
-    if [[ "$RESPONSE" != *"200"* ]] && [[ "$RESPONSE" != *"404"* ]] && [[ "$RESPONSE" != *"503"* ]]; then
-        exit 1
-    fi
-}
-
-function test_cluster_local_gateway() {
-    kubectl port-forward -n istio-system svc/cluster-local-gateway 8081:80 &
-    PF_PID=$!
-    sleep 5
-    
-    PRIMARY_TOKEN=$(kubectl -n $PRIMARY_NAMESPACE create token default-editor)
-    
-    curl -s -o /dev/null -w "%{http_code}" \
-        -H "Host: secure-model-predictor.$PRIMARY_NAMESPACE.svc.cluster.local" \
-        -H "Authorization: Bearer $PRIMARY_TOKEN" \
-        "http://localhost:8081/" > /dev/null
-    
-    RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-        -H "Host: secure-model-predictor.$PRIMARY_NAMESPACE.svc.cluster.local" \
-        "http://localhost:8081/")
-    
-    if [ "$RESPONSE" != "403" ]; then
-        exit 1
-    fi
-    
-    kill $PF_PID 2>/dev/null || true
-}
-
-function cleanup() {
-    kubectl delete namespace $ATTACKER_NAMESPACE --ignore-not-found=true
-    kubectl delete ksvc secure-model-predictor -n $PRIMARY_NAMESPACE --ignore-not-found=true
-}
-
-function main() {
-    setup_test_environment
-    test_gateway_authentication
-    test_namespace_isolation
-    test_cluster_local_gateway
-    cleanup
-}
-
-main
\ No newline at end of file
diff --git a/tests/kserve_jwt_authentication_test.sh b/tests/kserve_jwt_authentication_test.sh
deleted file mode 100755
index 69b847f57c..0000000000
--- a/tests/kserve_jwt_authentication_test.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-
-NAMESPACE=${1:-kubeflow-user-example-com}
-SCRIPT_DIRECTORY="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-TEST_DIRECTORY="${SCRIPT_DIRECTORY}/kserve"
-
-if ! command -v pytest &> /dev/null; then
-  true
-fi
-
-export KSERVE_INGRESS_HOST_PORT=${KSERVE_INGRESS_HOST_PORT:-localhost:8080}
-export KSERVE_TEST_NAMESPACE=${NAMESPACE}
-
-# Create service account if it doesn't exist
-kubectl create serviceaccount default-editor -n ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
-
-# Create JWT token
-export KSERVE_M2M_TOKEN="$(kubectl -n ${NAMESPACE} create token default-editor)"
-
-# Try to deploy test InferenceService (may fail if KServe webhooks not ready)
-set +e
-if cat <<EOF | kubectl apply -f -
-apiVersion: "serving.kserve.io/v1beta1"
-kind: "InferenceService"
-metadata:
-  name: "test-sklearn-secure"
-  namespace: ${NAMESPACE}
-spec:
-  predictor:
-    sklearn:
-      storageUri: "gs://kfserving-examples/models/sklearn/1.0/model"
-      resources:
-        requests:
-          cpu: 50m
-          memory: 128Mi
-        limits:
-          cpu: 100m
-          memory: 256Mi
-EOF
-then
-  echo "InferenceService created successfully, waiting for it to be ready..."
-  kubectl wait --for=condition=Ready inferenceservice/test-sklearn-secure -n ${NAMESPACE} --timeout=180s || echo "InferenceService not ready, continuing with JWT tests..."
-  
-  # Create AuthorizationPolicy to allow authenticated access
-  cat <<EOF | kubectl apply -f -
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: allow-test-sklearn-secure
-  namespace: ${NAMESPACE}
-spec:
-  action: ALLOW
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
-  selector:
-    matchLabels:
-      serving.knative.dev/service: test-sklearn-secure-predictor
-EOF
-else
-  echo "InferenceService creation failed (likely KServe webhook issues), continuing with JWT authentication tests..."
-fi
-set -e
-
-set +e
-RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-  -H "Host: test-sklearn-secure-predictor.${NAMESPACE}.svc.cluster.local" \
-  -H "Authorization: Bearer ${KSERVE_M2M_TOKEN}" \
-  -H "Content-Type: application/json" \
-  "http://${KSERVE_INGRESS_HOST_PORT}/v1/models/test-sklearn-secure:predict" \
-  -d '{"instances": [[6.8, 2.8, 4.8, 1.4]]}')
-set -e
-
-if [ "$RESPONSE" != "200" ] && [ "$RESPONSE" != "404" ] && [ "$RESPONSE" != "503" ]; then
-  exit 1
-fi
-
-set +e
-RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-  -H "Host: test-sklearn-secure-predictor.${NAMESPACE}.svc.cluster.local" \
-  -H "Content-Type: application/json" \
-  "http://${KSERVE_INGRESS_HOST_PORT}/v1/models/test-sklearn-secure:predict" \
-  -d '{"instances": [[6.8, 2.8, 4.8, 1.4]]}')
-set -e
-
-if [ "$RESPONSE" != "403" ]; then
-  exit 1
-fi
-
-kubectl create namespace attacker-namespace --dry-run=client -o yaml | kubectl apply -f -
-kubectl create serviceaccount attacker-sa -n attacker-namespace --dry-run=client -o yaml | kubectl apply -f -
-ATTACKER_TOKEN="$(kubectl -n attacker-namespace create token attacker-sa)"
-
-set +e
-RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-  -H "Host: test-sklearn-secure-predictor.${NAMESPACE}.svc.cluster.local" \
-  -H "Authorization: Bearer ${ATTACKER_TOKEN}" \
-  -H "Content-Type: application/json" \
-  "http://${KSERVE_INGRESS_HOST_PORT}/v1/models/test-sklearn-secure:predict" \
-  -d '{"instances": [[6.8, 2.8, 4.8, 1.4]]}')
-set -e
-
-if [ "$RESPONSE" != "200" ] && [ "$RESPONSE" != "404" ] && [ "$RESPONSE" != "503" ]; then
-  exit 1
-fi
-
-# Clean up
-kubectl delete namespace attacker-namespace --ignore-not-found=true
-
-
-# Run existing pytest tests if available
-if command -v pytest &> /dev/null && [ -d "${TEST_DIRECTORY}" ]; then
-  cd ${TEST_DIRECTORY} && pytest . -vs --log-level info
-fi
\ No newline at end of file
diff --git a/tests/kserve_test.sh b/tests/kserve_test.sh
index 2630a3f5ba..e1007b89d1 100755
--- a/tests/kserve_test.sh
+++ b/tests/kserve_test.sh
@@ -13,11 +13,17 @@ export KSERVE_INGRESS_HOST_PORT=${KSERVE_INGRESS_HOST_PORT:-localhost:8080}
 export KSERVE_M2M_TOKEN="$(kubectl -n ${NAMESPACE} create token default-editor)"
 export KSERVE_TEST_NAMESPACE=${NAMESPACE}
 
+# Test 1: Model Inference via KServe SDK (pytest creates isvc-sklearn internally)
+if cd ${TEST_DIRECTORY}; then
+  pytest . -vs --log-level info || true
+fi
+
+# Test 2: Path-based Routing & Ingress Gateway Security (VirtualService + AuthorizationPolicy)
 cat <<EOF | kubectl apply -f -
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
-  name: test-sklearn-path
+  name: isvc-sklearn-path
   namespace: ${NAMESPACE}
 spec:
   gateways:
@@ -27,7 +33,7 @@ spec:
   http:
     - match:
         - uri:
-            prefix: /kserve/${NAMESPACE}/test-sklearn/
+            prefix: /kserve/${NAMESPACE}/isvc-sklearn/
       rewrite:
         uri: /
       route:
@@ -36,38 +42,17 @@ spec:
           headers:
             request:
               set:
-                Host: test-sklearn-predictor.${NAMESPACE}.svc.cluster.local
+                Host: isvc-sklearn-predictor.${NAMESPACE}.svc.cluster.local
           weight: 100
       timeout: 300s
 EOF
 
-cat <<EOF | kubectl apply -f -
-apiVersion: "serving.kserve.io/v1beta1"
-kind: "InferenceService"
-metadata:
-  name: "test-sklearn"
-  namespace: ${NAMESPACE}
-spec:
-  predictor:
-    sklearn:
-      storageUri: "gs://kfserving-examples/models/sklearn/1.0/model"
-      resources:
-        requests:
-          cpu: 50m
-          memory: 128Mi
-        limits:
-          cpu: 100m
-          memory: 256Mi
-EOF
-
-kubectl wait --for=condition=Ready inferenceservice/test-sklearn -n ${NAMESPACE} --timeout=300s
-
-# Create AuthorizationPolicy to allow authenticated access
+# WARNING: This policy allows ANY valid token from ANY kubeflow namespace to access this InferenceService.
 cat <<EOF | kubectl apply -f -
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
-  name: allow-test-sklearn
+  name: allow-isvc-sklearn
   namespace: ${NAMESPACE}
 spec:
   action: ALLOW
@@ -77,57 +62,131 @@ spec:
         requestPrincipals: ["*"]
   selector:
     matchLabels:
-      serving.knative.dev/service: test-sklearn-predictor
+      serving.knative.dev/service: isvc-sklearn-predictor
 EOF
 
 sleep 60
 
+# Request without token should be rejected
 RESPONSE_NO_TOKEN=$(curl -s -o /dev/null -w "%{http_code}" \
  -H "Content-Type: application/json" \
- "http://${KSERVE_INGRESS_HOST_PORT}/kserve/${NAMESPACE}/test-sklearn/v1/models/test-sklearn:predict" \
+ "http://${KSERVE_INGRESS_HOST_PORT}/kserve/${NAMESPACE}/isvc-sklearn/v1/models/isvc-sklearn:predict" \
  -d '{"instances": [[6.8, 2.8, 4.8, 1.4]]}')
 
 if [ "$RESPONSE_NO_TOKEN" != "403" ] && [ "$RESPONSE_NO_TOKEN" != "302" ]; then
   exit 1
 fi
 
+# Request with valid token should succeed
 RESPONSE_WITH_TOKEN=$(curl -s -o /dev/null -w "%{http_code}" \
  -H "Authorization: Bearer ${KSERVE_M2M_TOKEN}" \
  -H "Content-Type: application/json" \
- "http://${KSERVE_INGRESS_HOST_PORT}/kserve/${NAMESPACE}/test-sklearn/v1/models/test-sklearn:predict" \
+ "http://${KSERVE_INGRESS_HOST_PORT}/kserve/${NAMESPACE}/isvc-sklearn/v1/models/isvc-sklearn:predict" \
  -d '{"instances": [[6.8, 2.8, 4.8, 1.4], [6.0, 3.4, 4.5, 1.6]]}')
 
 if [ "$RESPONSE_WITH_TOKEN" != "200" ] && [ "$RESPONSE_WITH_TOKEN" != "404" ] && [ "$RESPONSE_WITH_TOKEN" != "503" ]; then
   exit 1
 fi
 
-curl -s -o /dev/null \
-  -H "Host: test-sklearn-predictor.${NAMESPACE}.example.com" \
-  -H "Authorization: Bearer ${KSERVE_M2M_TOKEN}" \
-  -H "Content-Type: application/json" \
-  "http://${KSERVE_INGRESS_HOST_PORT}/v1/models/test-sklearn:predict" \
-  -d '{"instances": [[6.8, 2.8, 4.8, 1.4]]}' || true
+kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app
 
-# Create AuthorizationPolicy for pytest isvc-sklearn
+# Knative Service authentication via cluster-local-gateway
 cat <<EOF | kubectl apply -f -
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
+apiVersion: serving.knative.dev/v1
+kind: Service
 metadata:
-  name: allow-isvc-sklearn
+  name: secure-model-predictor
   namespace: ${NAMESPACE}
 spec:
-  action: ALLOW
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
-  selector:
-    matchLabels:
-      serving.knative.dev/service: isvc-sklearn-predictor
+  template:
+    metadata:
+      annotations:
+        autoscaling.knative.dev/minScale: "1"
+    spec:
+      containers:
+      - image: gcr.io/knative-samples/helloworld-go
+        ports:
+        - containerPort: 8080
+        env:
+        - name: TARGET
+          value: "Secure KServe Model"
 EOF
 
-kubectl delete inferenceservice isvc-sklearn -n ${NAMESPACE} --ignore-not-found=true
+kubectl wait --for=condition=Ready ksvc/secure-model-predictor -n ${NAMESPACE} --timeout=120s
 
-if cd ${TEST_DIRECTORY}; then
-  pytest . -vs --log-level info || true
-fi
\ No newline at end of file
+# Verify unauthenticated access is blocked
+RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
+    -H "Host: secure-model-predictor.${NAMESPACE}.svc.cluster.local" \
+    "http://${KSERVE_INGRESS_HOST_PORT}/")
+
+if [ "$RESPONSE" != "403" ]; then
+    exit 1
+fi
+
+# Verify invalid token is rejected
+RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
+    -H "Host: secure-model-predictor.${NAMESPACE}.svc.cluster.local" \
+    -H "Authorization: Bearer invalid-token" \
+    "http://${KSERVE_INGRESS_HOST_PORT}/")
+
+if [ "$RESPONSE" != "401" ] && [ "$RESPONSE" != "403" ]; then
+    exit 1
+fi
+
+# Test 3: Cluster-local-gateway requires authentication
+kubectl port-forward -n istio-system svc/cluster-local-gateway 8081:80 &
+PF_PID=$!
+sleep 5
+
+curl -s -o /dev/null -w "%{http_code}" \
+    -H "Host: secure-model-predictor.${NAMESPACE}.svc.cluster.local" \
+    -H "Authorization: Bearer $KSERVE_M2M_TOKEN" \
+    "http://localhost:8081/" > /dev/null
+
+RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
+    -H "Host: secure-model-predictor.${NAMESPACE}.svc.cluster.local" \
+    "http://localhost:8081/")
+
+if [ "$RESPONSE" != "403" ]; then
+    exit 1
+fi
+
+# Test 4: Namespace isolation - attacker in different namespace should NOT have access
+ATTACKER_NAMESPACE="attacker-namespace"
+kubectl create namespace ${ATTACKER_NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
+
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: attacker-service-account
+  namespace: ${ATTACKER_NAMESPACE}
+EOF
+
+# Test 5: Unauthenticated request from attacker namespace should be REJECTED
+RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
+    -H "Host: secure-model-predictor.${NAMESPACE}.svc.cluster.local" \
+    "http://localhost:8081/")
+
+if [ "$RESPONSE" == "200" ]; then
+    echo "FAIL: Unauthenticated attacker namespace request should be rejected, got $RESPONSE"
+    exit 1
+fi
+
+# Test 6: Authenticated request from attacker namespace should ALSO be REJECTED
+ATTACKER_TOKEN=$(kubectl -n ${ATTACKER_NAMESPACE} create token attacker-service-account)
+
+RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
+    -H "Host: secure-model-predictor.${NAMESPACE}.svc.cluster.local" \
+    -H "Authorization: Bearer $ATTACKER_TOKEN" \
+    "http://localhost:8081/")
+
+if [ "$RESPONSE" == "200" ]; then
+    echo "FAIL: Attacker namespace token should be rejected (namespace isolation), got $RESPONSE"
+    exit 1
+fi
+
+kill $PF_PID 2>/dev/null || true
+
+kubectl delete namespace ${ATTACKER_NAMESPACE} --ignore-not-found=true
+kubectl delete ksvc secure-model-predictor -n ${NAMESPACE} --ignore-not-found=true