OPA, Cedar, and similar engines excel at deciding who may call which API and which roles see which resources. TrigGuard sits where irreversible commits happen: transfers, deploys, exports, control-plane writes.
You can compose both: policy material in Arbiter, evaluation in Gate, enforcement at the execution boundary.