diff --git a/frontend/src/__tests__/cypress/cypress/e2e/modelServing/ServingRuntimeList.cy.ts b/frontend/src/__tests__/cypress/cypress/e2e/modelServing/ServingRuntimeList.cy.ts
index 0ddbadafcf..4b9a773eb2 100644
--- a/frontend/src/__tests__/cypress/cypress/e2e/modelServing/ServingRuntimeList.cy.ts
+++ b/frontend/src/__tests__/cypress/cypress/e2e/modelServing/ServingRuntimeList.cy.ts
@@ -598,6 +598,7 @@ describe('Serving Runtime List', () => {
       initIntercepts({
         disableModelMeshConfig: false,
         disableKServeConfig: false,
+        disableKServeAuthConfig: true,
         servingRuntimes: [],
       });
 
@@ -619,6 +620,44 @@ describe('Serving Runtime List', () => {
       kserveModal.findAuthenticationCheckbox().should('not.exist');
     });
 
+    it('Kserve auth should be hidden when no required capabilities', () => {
+      initIntercepts({
+        disableModelMeshConfig: false,
+        disableKServeConfig: false,
+        disableKServeAuthConfig: false,
+        servingRuntimes: [],
+        requiredCapabilities: [],
+      });
+
+      projectDetails.visitSection('test-project', 'model-server');
+
+      modelServingSection.getServingPlatformCard('single-serving').findDeployModelButton().click();
+
+      kserveModal.shouldBeOpen();
+
+      // check external route, token should be checked and no alert
+      kserveModal.findAuthenticationCheckbox().should('not.exist');
+    });
+
+    it('Kserve auth should be enabled if capabilities are prsent', () => {
+      initIntercepts({
+        disableModelMeshConfig: false,
+        disableKServeConfig: false,
+        disableKServeAuthConfig: false,
+        servingRuntimes: [],
+        requiredCapabilities: [StackCapability.SERVICE_MESH, StackCapability.SERVICE_MESH_AUTHZ],
+      });
+
+      projectDetails.visitSection('test-project', 'model-server');
+
+      modelServingSection.getServingPlatformCard('single-serving').findDeployModelButton().click();
+
+      kserveModal.shouldBeOpen();
+
+      // check external route, token should be checked and no alert
+      kserveModal.findAuthenticationCheckbox().should('exist');
+    });
+
     it('Do not deploy KServe model when user cannot edit namespace', () => {
       initIntercepts({
         disableModelMeshConfig: false,
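Review bot: The comment `// check external route, token should be checked and no alert` above the assertion in both new tests ('Kserve auth should be hidden when no required capabilities' and 'Kserve auth should be enabled if capabilities are prsent') looks copied from another test and does not describe what is asserted. I would replace it with `// auth checkbox must not render without the service-mesh/authz capabilities` and `// auth checkbox renders once both capabilities are reported`, and fix the title typo `prsent` to `present`. Because this checkbox is how a user opts an inference endpoint into token authentication, a third case with `requiredCapabilities: [StackCapability.SERVICE_MESH]` would pin that a partial capability set keeps the control hidden. `StackCapability` is used here but no import for it appears in the hunks shown for this file, so confirm it is in scope.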
diff --git a/frontend/src/concepts/areas/__tests__/utils.spec.ts b/frontend/src/concepts/areas/__tests__/utils.spec.ts
index 4e1b639198..921e9a82f3 100644
--- a/frontend/src/concepts/areas/__tests__/utils.spec.ts
+++ b/frontend/src/concepts/areas/__tests__/utils.spec.ts
@@ -1,7 +1,7 @@
 import { isAreaAvailable, SupportedArea } from '~/concepts/areas';
 import { mockDscStatus } from '~/__mocks__/mockDscStatus';
 import { mockDashboardConfig } from '~/__mocks__/mockDashboardConfig';
-import { StackComponent } from '~/concepts/areas/types';
+import { StackCapability, StackComponent } from '~/concepts/areas/types';
 import { SupportedAreasStateMap } from '~/concepts/areas/const';
 import { mockDsciStatus } from '~/__mocks__/mockDsciStatus';
 
@@ -188,5 +188,72 @@ describe('isAreaAvailable', () => {
         expect(isAvailable.requiredComponents).toBe(null);
       });
     });
+
+    describe('requiredCapabilities', () => {
+      it('should enable area if both capabilities are enabled', () => {
+        // Make sure this test is valid
+        expect(SupportedAreasStateMap[SupportedArea.K_SERVE_AUTH].requiredCapabilities).toEqual([
+          StackCapability.SERVICE_MESH,
+          StackCapability.SERVICE_MESH_AUTHZ,
+        ]);
+
+        // Test both reliant areas
+        const isAvailableKserveAuth = isAreaAvailable(
+          SupportedArea.K_SERVE_AUTH,
+          mockDashboardConfig({ disableKServeAuth: false }).spec,
+          mockDscStatus({
+            installedComponents: {
+              [StackComponent.K_SERVE]: true,
+            },
+          }),
+          mockDsciStatus({
+            requiredCapabilities: [
+              StackCapability.SERVICE_MESH,
+              StackCapability.SERVICE_MESH_AUTHZ,
+            ],
+          }),
+        );
+
+        expect(isAvailableKserveAuth.status).toBe(true);
+        expect(isAvailableKserveAuth.featureFlags).toEqual({
+          disableKServeAuth: 'on',
+        });
+        expect(isAvailableKserveAuth.requiredCapabilities).toEqual({
+          [StackCapability.SERVICE_MESH]: true,
+          [StackCapability.SERVICE_MESH_AUTHZ]: true,
+        });
+      });
+
+      it('should enable area if one capability is missing', () => {
+        // Make sure this test is valid
+        expect(SupportedAreasStateMap[SupportedArea.K_SERVE_AUTH].requiredCapabilities).toEqual([
+          StackCapability.SERVICE_MESH,
+          StackCapability.SERVICE_MESH_AUTHZ,
+        ]);
+
+        // Test both reliant areas
+        const isAvailableKserveAuth = isAreaAvailable(
+          SupportedArea.K_SERVE_AUTH,
+          mockDashboardConfig({ disableKServeAuth: false }).spec,
+          mockDscStatus({
+            installedComponents: {
+              [StackComponent.K_SERVE]: true,
+            },
+          }),
+          mockDsciStatus({
+            requiredCapabilities: [StackCapability.SERVICE_MESH],
+          }),
+        );
+
+        expect(isAvailableKserveAuth.status).toBe(false);
+        expect(isAvailableKserveAuth.featureFlags).toEqual({
+          disableKServeAuth: 'on',
+        });
+        expect(isAvailableKserveAuth.requiredCapabilities).toEqual({
+          [StackCapability.SERVICE_MESH]: true,
+          [StackCapability.SERVICE_MESH_AUTHZ]: false,
+        });
+      });
+    });
   });
 });
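Review bot: The second case is titled `'should enable area if one capability is missing'` but asserts `expect(isAvailableKserveAuth.status).toBe(false)`, so the title should read `'should disable area if one capability is missing'`. The comment `// Test both reliant areas` in both cases is also stale, since only `SupportedArea.K_SERVE_AUTH` is evaluated. This gate decides whether the auth option is offered at all, so it is worth pinning the fail-closed paths as well: an empty `requiredCapabilities` list, and only `StackCapability.SERVICE_MESH_AUTHZ` reported. How `isAreaAvailable` behaves when the DSCI status is unavailable is not visible in this diff and would merit a case if it can be null.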
diff --git a/manifests/base/cluster-role.yaml b/manifests/base/cluster-role.yaml
index 228eaeed7c..c816375095 100644
--- a/manifests/base/cluster-role.yaml
+++ b/manifests/base/cluster-role.yaml
@@ -172,3 +172,11 @@ rules:
       - get
     resources:
       - datascienceclusters
+  - apiGroups:
+      - dscinitialization.opendatahub.io
+    verbs:
+      - list
+      - watch
+      - get
+    resources:
+      - dscinitializations
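Review bot: The new rule grants `list` and `watch` on `dscinitializations` cluster-wide in addition to `get`, and the consumer of this permission is not in the diff. If the backend only fetches the DSCI status to derive capabilities, least privilege suggests keeping only the verbs it actually calls. A comment above the rule, such as `# read-only: DSCI status is read to detect service-mesh/authz capabilities for KServe auth`, would record why the ClusterRole needs it. The `rules:` list begins outside this hunk, so how this compares with the verbs on the adjacent `datascienceclusters` rule cannot be confirmed from here.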