In response to some ideas from a friend, I've hacked up Consent, a plugin that provides pre-filtering of incoming requests using a concise DSL:
It lets you specify rules that tell your app whether to accept an incoming request, redirect it, or render a 403. If the request is rejected, it never reaches your controllers: Consent factors all your access control logic into a single file that sits between your routes and your controllers.
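As an added example (not the Consent plugin's own code or its DSL), here is a Rack-style middleware that does the same kind of pre-filtering: the Gatekeeper class, its allow/redirect/forbid rule names, the sample paths and the session hash are all constructed for illustration, and denying any request that matches no rule is an assumed default.

```ruby
# Added illustration of Consent-style pre-filtering (not the plugin's own code or DSL):
# a Rack-style middleware that evaluates ordered access rules before the app runs.
# First matching rule wins; a request matching no rule is denied (an assumed default).
class Gatekeeper
  Rule = Struct.new(:prefix, :condition, :action, :target)

  def initialize(app, &rules)
    @app = app
    @rules = []
    instance_eval(&rules) if rules
  end

  # Tiny rule DSL: each call registers a path prefix, an optional condition on the
  # request env, and the outcome (pass through, 302 redirect, or 403).
  def allow(prefix, &cond)
    @rules << Rule.new(prefix, cond, :allow, nil)
  end
  def redirect(prefix, to:, &cond)
    @rules << Rule.new(prefix, cond, :redirect, to)
  end
  def forbid(prefix, &cond)
    @rules << Rule.new(prefix, cond, :forbid, nil)
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    rule = @rules.find do |r|
      path.start_with?(r.prefix) && (r.condition.nil? || r.condition.call(env))
    end
    case rule&.action
    when :allow    then @app.call(env)              # only now does the app/controller run
    when :redirect then [302, { 'Location' => rule.target }, []]
    else                [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
    end
  end
end

# Constructed sample app standing in for the controllers behind the filter.
SAMPLE_APP = ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["served #{env['PATH_INFO']}"]] }

def build_sample_gate
  Gatekeeper.new(SAMPLE_APP) do
    allow('/public')                                                               # anyone
    redirect('/admin', to: '/login') { |env| env.fetch('rack.session', {})['user_id'].nil? }
    allow('/admin') { |env| env.fetch('rack.session', {})['role'] == 'admin' }
    forbid('/admin')                                 # signed in but not an admin
  end
end

# Returns the response status for a constructed request with the given session hash.
def status_for(path, session = {})
  build_sample_gate.call('PATH_INFO' => path, 'rack.session' => session).first
end
```

Rule order matters here exactly as it would in a single access-control file: the anonymous redirect is listed before the role check so an unauthenticated visitor is sent to login rather than shown a 403.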
I've only been working on it a couple of afternoons but it's reasonably tested and documented to the point where it might be useful to others and open to feedback. Let me know if you try it out, and if any of it seems in need of improvement.