Constellation vs OPA

OPA is a general-purpose policy engine. It:

• •Enforces policies-as-code using Rego, a purpose-built query language
• •Evaluates access control across Kubernetes admission, API gateways, and microservices
• •Decouples policy from application code for consistent enforcement
• •Runs as a sidecar or daemon with sub-millisecond evaluation times
• •Scales to millions of policy evaluations per second in production infrastructure

It’s infrastructure for technical policy enforcement — and it’s become the standard for cloud-native policy management.

OPA evaluates requests against static policy bundles. Constellation evaluates actions against a living institutional state — decisions that evolve, commitments that expire, authority that shifts. The inputs are fundamentally different.

Policy engines are stateless evaluators. They cannot:

• •Evaluate institutional context — whether a board decision permits or prohibits an action
• •Route an escalation to the appropriate human authority with full trace
• •Build governance precedent from past decisions that shapes future evaluations
• •Allow formal contestation of the rules themselves by those governed by them
• •Manage delegated authority that changes over time as commitments evolve
• •Calibrate AI agent delegation through shadow mode observation before enforcement
• •Provide institutional memory — a knowledge graph of why decisions were made

These aren’t limitations of OPA. Policy engines are designed to be stateless, fast, and deterministic. Institutional governance requires state, context, and judgment.

OPA and Constellation are not just compatible — they’re complementary layers of a complete governance architecture:

1. 1OPA enforces infrastructure policies — Kubernetes admission, API gateway rules, data access controls. Technical guardrails at the infrastructure layer.
2. 2Constellation governs institutional action — checking whether the action is legitimate given the organisation’s decisions, commitments, and delegated authority.
3. 3Constellation could even emit OPA-compatible policy bundles from institutional constraints — translating governance decisions into enforceable infrastructure rules.

An engineer might write Rego policies for API rate limits and data classification. A board chair defines institutional constraints for spending authority and partnership approvals. Both are governance. Both need enforcement. They operate at different layers.

OPA sits at the infrastructure layer — enforcing technical policies before requests reach application logic. Constellation sits at the institutional layer — evaluating whether the resulting action is legitimate given organisational context. Different inputs, different evaluation models, complementary enforcement.