
The Wrong Abstraction
Five authorization platforms. Five different implementations. One shared assumption: that identity is a role, actions are enumerable, and a permission check at one moment governs what happens next. Every assumption is wrong for agents.

The industry is building a better version of the wrong thing.

WorkOS FGA. Oso. Cerbos. Open Policy Agent. OpenFGA. Five platforms, five engineering teams, five distinct implementations of authorization for the agent era. WorkOS extends fine-grained authorization with relationship graphs. Oso combines RBAC, ABAC, and relationship-based access in a single engine. Cerbos lets you write custom policies that evaluate attributes at request time. OPA provides a general-purpose policy engine that decouples authorization logic from application code. OpenFGA models permissions as a graph of relationships between users and objects.

Each product works. The engineering is sound. The abstractions are clean. And every one of them encodes the same three assumptions abou
Continue reading on Dev.to



