Why OPA and Rego are not enough for AI governance
We analyze why infrastructure tools like OPA are ill-suited for the semantic and contextual challenges of governing AI systems.

The crisis of traditional tools in the AI era
For years, Open Policy Agent (OPA) has established itself as the gold standard for open-source infrastructure. Its ability to manage authorizations and admission controls in distributed systems using the Rego language is indisputable. However, as companies integrate LLMs and autonomous agents, we are forcing technology designed for structured data to solve problems involving human judgment and ambiguous context.
As we explored in our article Model Output Is Not Authority: Seguridad y Programación en Agentes IA, controlling AI workflows requires a level of sophistication that goes far beyond deterministic validations.
The data model limit: Why does OPA fail here?
OPA shines when evaluating JSON against predictable rules. It is fast, auditable, and perfect for Kubernetes or Terraform. The problem arises with AI, where the input is unstructured text.
To apply a compliance policy, such as protecting medical data (PHI), OPA would require:
- Complex preprocessing: Transforming natural language into structured data before evaluation.
- Fragility: Any change in the extraction model breaks the policy.
- Lack of semantics: OPA does not understand tone, intent, or organizational context.
"Treating AI governance as an infrastructure problem creates systems that are technically sophisticated but practically useless."
Toward meaning-based governance
True AI governance requires an engine that combines three layers of evaluation:
- Deterministic rules: For pattern-based checks (keywords, regex).
- Semantic evaluation: The ability to understand nuances, such as the difference between a professional tone and a condescending one—something unattainable with traditional static rule programming.
- Organizational context (RAG-based): Evaluating content by comparing it against internal documents (manuals, brand guidelines) without the need to manually extract every piece of data into JSON.
The barrier to entry for experts
One of the biggest problems is that Rego requires advanced technical knowledge. Governance, however, is the domain of legal and compliance teams. Forcing these profiles to learn a complex query language creates an inefficient translation layer where engineers interpret laws, increasing the risk of errors.
The future of governance lies in systems that use YAML and natural language, allowing policies to be readable and verifiable by business stakeholders. As with API Governance: The Art of Scalable and Secure Programming, the key is to standardize without sacrificing agility.
Conclusion
It is not about abandoning tools like OPA, but about recognizing their limits. OPA is excellent for infrastructure, but AI needs a governance engine that understands semantics, session state, and intent. Adopting specialized solutions will allow AI innovation to be not only fast but also responsible and secure.
Sources:
- Dev.to - Why OPA and Rego Don't Work for AI Governance
Related articles
11 de julio de 2026
Controla els teus costos de programació IA: L'auge de la monitorització
Descobreix com tokscale i git-lrc estan transformant l'eficiència i el control de costos en el desenvolupament de programari assistit per IA.
11 de julio de 2026
Control Your AI Programming Costs: The Rise of Monitoring
Discover how tokscale and git-lrc are transforming efficiency and cost control in AI-assisted software development.
11 de julio de 2026
Controla tus costes de programación IA: El auge de la monitorización
Descubre cómo tokscale y git-lrc están transformando la eficiencia y el control de costes en el desarrollo de software asistido por IA.
10 de julio de 2026
Arquitectura de sincronització: Kotlin, Jetpack Compose i Spring Boot
Aprèn a construir un pipeline de comunicació robust entre el teu backend en Spring Boot i un client Android amb Kotlin per evitar inconsistències de dades.
Loading comments...