Standing up workload identity in a real cluster usually means running four projects: SPIRE for SVID issuance, OPA or Cedar for authorization, an OIDC provider for federation, and a separate audit pipeline.

The standards finally caught up. OpenID AuthZEN Authorization API 1.0 was approved as a Final Specification on 2026-01-12. Cedar joined CNCF Sandbox on 2025-10-08 and is in production at Cloudflare, MongoDB, StrongDM, and AWS Bedrock AgentCore. SPIFFE is the de facto workload identity model.

Omega is my attempt at wiring those pieces into one Apache-2.0 binary.

A few terms first

If any of these are unfamiliar, read them now: the rest of the article assumes them.

| Term | One-line definition |
| --- | --- |
| SPIFFE | A spec for workload identity. Defines spiffe://trust-domain/path IDs. |
| SVID | SPIFFE Verifiable Identity Document. Either an X.509 cert or a JWT. |
| Workload API | A local gRPC endpoint a workload calls to fetch its current SVID. |
| PDP / PEP | Policy Decision Point answers "allow?". Policy Enforcement Point asks the question. |

…
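The spiffe://trust-domain/path format in the table carries more rules than the one-liner shows, and a PEP that matches IDs against policy has to enforce them before the string means anything. The following Go parser is an added example, not Omega's code and not the go-spiffe library (whose spiffeid package is what a real deployment should use); it applies the SPIFFE-ID standard's scheme, character-set, segment and length rules to constructed sample IDs.

```go
package main

import (
	"fmt"
	"strings"
)

// SPIFFEID is a parsed spiffe://trust-domain/path identifier; Path is "" for a bare trust domain.
type SPIFFEID struct {
	TrustDomain string
	Path        string
}

// ParseSPIFFEID applies the SPIFFE-ID standard's rules: spiffe:// scheme, lowercase trust
// domain, restricted character set, no empty, "." or ".." segments, no trailing slash,
// at most 2048 bytes. Query strings, fragments and percent-encoding fail the charset checks.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	if len(s) > 2048 || !strings.HasPrefix(s, "spiffe://") {
		return SPIFFEID{}, fmt.Errorf("not a spiffe:// URI of at most 2048 bytes")
	}
	td, path, hasPath := strings.Cut(strings.TrimPrefix(s, "spiffe://"), "/")
	if td == "" {
		return SPIFFEID{}, fmt.Errorf("trust domain is empty")
	}
	for _, c := range td {
		if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '.' || c == '-' || c == '_') {
			return SPIFFEID{}, fmt.Errorf("trust domain: bad character %q", c)
		}
	}
	if !hasPath {
		return SPIFFEID{TrustDomain: td}, nil
	}
	for _, seg := range strings.Split(path, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return SPIFFEID{}, fmt.Errorf("path: empty, dot or dot-dot segment in %q", path)
		}
		for _, c := range seg {
			if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' || c == '.' || c == '-' || c == '_') {
				return SPIFFEID{}, fmt.Errorf("path: bad character %q", c)
			}
		}
	}
	return SPIFFEID{TrustDomain: td, Path: "/" + path}, nil
}

func main() {
	// Constructed sample: prints {example.org /ns/default/sa/web} <nil>
	fmt.Println(ParseSPIFFEID("spiffe://example.org/ns/default/sa/web"))
}
```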