We are completely sold on centralized Authzed model from PEP perspective(once we have the constraints implemented in spicedb). Defining and validating the user-intent is where we are debating. BTW OPA can run in both centralized and decentralized with a caveat that the policy states are maintained in-memory. Loss of the policy states(due to OPA restart/crash) requires re-download of the states from the controller(Bundle Manager)