diff --git a/controllers/authpolicy_istio_authorizationpolicy.go b/controllers/authpolicy_istio_authorizationpolicy.go
index 65323b6a7..5cc52ccea 100644
--- a/controllers/authpolicy_istio_authorizationpolicy.go
+++ b/controllers/authpolicy_istio_authorizationpolicy.go
@@ -94,8 +94,8 @@ func (r *AuthPolicyReconciler) istioAuthorizationPolicy(ctx context.Context, ap
 			Labels:    istioAuthorizationPolicyLabels(client.ObjectKeyFromObject(gateway), client.ObjectKeyFromObject(ap)),
 		},
 		Spec: istiosecurity.AuthorizationPolicy{
-			Action:   istiosecurity.AuthorizationPolicy_CUSTOM,
-			Selector: kuadrantistioutils.WorkloadSelectorFromGateway(ctx, r.Client(), gateway),
+			Action:    istiosecurity.AuthorizationPolicy_CUSTOM,
+			TargetRef: kuadrantistioutils.PolicyTargetRefFromGateway(gateway),
 			ActionDetail: &istiosecurity.AuthorizationPolicy_Provider{
 				Provider: &istiosecurity.AuthorizationPolicy_ExtensionProvider{
 					Name: KuadrantExtAuthProviderName,
diff --git a/tests/istio/authpolicy_controller_authorizationpolicy_test.go b/tests/istio/authpolicy_controller_authorizationpolicy_test.go
index 15a6f23bf..e922d0af7 100644
--- a/tests/istio/authpolicy_controller_authorizationpolicy_test.go
+++ b/tests/istio/authpolicy_controller_authorizationpolicy_test.go
@@ -123,6 +123,11 @@ var _ = Describe("AuthPolicy controller managing authorization policy", func() {
 				logf.Log.V(1).Info("Fetching Istio's AuthorizationPolicy", "key", iapKey.String(), "error", err)
 				return err == nil
 			}).WithContext(ctx).Should(BeTrue())
+
+			// has the correct target ref
+			Expect(iap.Spec.TargetRef.Group).To(Equal("gateway.networking.k8s.io"))
+			Expect(iap.Spec.TargetRef.Kind).To(Equal("Gateway"))
+			Expect(iap.Spec.TargetRef.Name).To(Equal(TestGatewayName))
 			Expect(iap.Spec.Rules).To(HaveLen(1))
 			Expect(iap.Spec.Rules[0].To).To(HaveLen(1))
 			Expect(iap.Spec.Rules[0].To[0].Operation).ShouldNot(BeNil())
@@ -167,6 +172,11 @@ var _ = Describe("AuthPolicy controller managing authorization policy", func() {
 				logf.Log.V(1).Info("Fetching Istio's AuthorizationPolicy", "key", iapKey.String(), "error", err)
 				return err == nil
 			}).WithContext(ctx).Should(BeTrue())
+
+			// has the correct target ref
+			Expect(iap.Spec.TargetRef.Group).To(Equal("gateway.networking.k8s.io"))
+			Expect(iap.Spec.TargetRef.Kind).To(Equal("Gateway"))
+			Expect(iap.Spec.TargetRef.Name).To(Equal(TestGatewayName))
 			Expect(iap.Spec.Rules).To(HaveLen(1))
 			Expect(iap.Spec.Rules[0].To).To(HaveLen(1))
 			Expect(iap.Spec.Rules[0].To[0].Operation).ShouldNot(BeNil())