That's an interesting approach. My system state would then be application DB + Authzed, meaning for visibility (human and software) I'd have to stitch together the full view. On the other hand, full duplication gives the system a fallback. Since Authzed quite naturally becomes a single system-wide dependency, having an alternate in-time authz decision path can help reduce that risk (however small). I think I can actually get away with trying segregated state; I can always make it more cynical in the future.