Open Policy Agent Decoupled Policy From Code. The Policy Is Not Cryptographically Bound.
by Nick Clark | Published March 27, 2026
Open Policy Agent established policy-as-code as a standard practice by decoupling authorization decisions from application logic. Write policies in Rego, evaluate them against structured input, and receive allow/deny decisions. The decoupling is valuable. But OPA evaluates policy at decision points without cryptographic binding. Policy decisions are not signed, not bound to the operations they authorize, and not persisted as cryptographic governance lineage. The gap is between policy evaluation and cryptographic governance.
OPA's impact on the policy landscape is significant. Making policy a first-class artifact that can be versioned, tested, and deployed independently from application code was a genuine advance. The gap described here is about the binding between policy decisions and the operations they govern.
Policy evaluation is advisory until enforcement makes it binding
OPA evaluates a query against a policy and returns a decision. The calling application receives the decision and acts on it. But the decision is a data structure returned by an API call. It is not a cryptographic artifact.
A compromised application can ignore an OPA deny decision. A misconfigured enforcement point can skip the OPA check entirely. The policy evaluation is structurally advisory. Enforcement depends on every integration point correctly implementing the check and honoring the result.
Decision logs record, not bind
OPA's decision logging records every policy evaluation: the input, the policy version, and the decision. This is valuable for auditing. But the decision log is a record of what OPA was asked and what it answered. It is not a cryptographic binding between the decision and the operation that followed.
If the application executed an operation after receiving a deny decision, the decision log shows the deny. But the log does not prevent the operation. Governance and enforcement are separate systems that must be manually kept in sync.
What cryptographic governance provides
Cryptographic governance makes policy binding structural. Every operation carries a signed policy reference. Every mutation is gated by cryptographic validation that the policy authorizes the specific operation in the specific context. The binding is not advisory. It is cryptographic. An operation without a valid signed policy cannot execute because the execution layer requires it.
Decision provenance is recorded in lineage as part of the operation's cryptographic history. The governance decision is not a separate log entry. It is an intrinsic part of the operation's audit trail, signed and verifiable.
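As an added illustration (not code from this post or from OPA itself), the following Go sketch shows the binding the section describes, contrasted with the advisory check above: the policy engine signs its verdict over the hash of one specific operation and the current lineage head, and the execution layer refuses any mutation whose decision does not verify, is not bound to that operation, does not chain to the lineage, or does not allow. The stand-in rule, the Ed25519 key pair, and the hash-chained lineage are assumptions of the sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Operation is the mutation an application wants to perform; a decision is bound to its hash.
type Operation struct{ Actor, Action, Resource string }
// Decision is the signed policy reference an operation must carry: policy version, hash of the
// operation it authorizes, verdict, and the lineage head it chains to. Sig covers the other fields.
type Decision struct {
	PolicyVersion, OpHash, Prev string
	Allow                       bool
	Sig                         []byte
}
func sha(b []byte) string              { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }
func hashOp(op Operation) string       { b, _ := json.Marshal(op); return sha(b) }
func (d Decision) signedBytes() []byte { d.Sig = nil; b, _ := json.Marshal(d); return b } // canonical payload
// Head is the lineage head: hash of the last recorded decision (signature included), "" when empty.
func Head(lineage []Decision) string {
	if len(lineage) == 0 { return "" }
	last := lineage[len(lineage)-1]
	return sha(append(last.signedBytes(), last.Sig...))
}
// Decide plays the policy engine. The rule is a stand-in (only "admin" may delete); the point is that the
// verdict is signed over this exact operation and the current lineage head, so it cannot be reused elsewhere.
func Decide(priv ed25519.PrivateKey, version string, op Operation, lineage []Decision) Decision {
	allow := op.Action != "delete" || op.Actor == "admin"
	d := Decision{PolicyVersion: version, OpHash: hashOp(op), Allow: allow, Prev: Head(lineage)}
	d.Sig = ed25519.Sign(priv, d.signedBytes())
	return d
}
// Execute is the gate at the execution layer: it refuses unless the decision verifies under the policy
// engine's key, is bound to this operation, chains to the current lineage head, and allows. On success
// the decision is appended to the lineage, so provenance is part of the operation's own history.
func Execute(pub ed25519.PublicKey, d Decision, op Operation, lineage *[]Decision) error {
	switch {
	case !ed25519.Verify(pub, d.signedBytes(), d.Sig): return errors.New("signature invalid: not issued by the policy engine")
	case d.OpHash != hashOp(op): return errors.New("decision is not bound to this operation")
	case d.Prev != Head(*lineage): return errors.New("decision does not chain to the lineage head (stale or replayed)")
	case !d.Allow: return errors.New("policy denied the operation")
	}
	*lineage = append(*lineage, d)
	return nil
}
```

Compare this with the advisory pattern: here a compromised caller cannot act on a deny, reuse an allow for a different operation, alter a verdict after the fact, or replay an old decision, because Execute checks each of those before the mutation happens.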
The remaining gap
OPA made policy a first-class artifact. The remaining gap is in binding: whether policy decisions are cryptographically bound to the operations they govern, making governance structural rather than advisory.