Would it make sense to audit denied actions, such as AuthorizerBase.CanLoadEntity(..) == false? I mean it would be nice to have a method in IAuditor in this case. Otherwise denied actions have to be audited in authorizer classes. Or am I missing something?

Isn't that more application specific? The auditing is primarily targeted towards access on the data, so logging AFTER the fact. If you deny access, nothing has been accessed, so the auditing isn't executed/triggered.

Well, yes and no, depends on how you view auditing. You can view (as currently is) just as access log, or you could view it more broader like: i.e. Windows' security policy lets you define what sort of attempts you want to audit: Success &/| (that would be and-or :-)) Failure. The fact that auditing works only "after the fact" is just an implementational detail. Furthermore, as it is now, if one wants to log access denials one has to do it within autohorizer and thus blend authorizer functionality (it becomes an auditor, too).

I don't think it's an implementation detail, it's the fundamental thing what auditing currently is able to do.

What you suggest is indeed a good point: add the ability to audit failures. I'll add this as a feature request for v3.