Open Policy Agent is one of the best pieces of infrastructure software ever built. It solved a real problem β how do you enforce authorization and admission control across distributed systems β and it solved it well enough that it became the default answer. Kubernetes admission control, API authorization, Terraform plan validation, microservice access policies. If you're enforcing structured policy against structured data in infrastructure, OPA with Rego is the right tool. The problem is that people are now trying to use it for something it was never designed to do. As organizations deploy AI systems β LLMs, autonomous agents, AI-assisted workflows β the governance requirements extend far beyond what OPA can handle. The inputs are unstructured. The rules require judgment, not just pattern matching. The context is organizational, not technical. And the evaluation needs to understand meaning, not just structure. This isn't a criticism of OPA.β¦
