Many companies are adopting modern software development practices such as DevOps, microservices, and cloud-based CI/CD pipelines, which necessitate robust security measures like zero-trust architectures to protect APIs and control access. Authorization, distinct from authentication, is crucial in this context, particularly in microservices where authorization must be consistently enforced across various components like API gateways, frontends, backends, and databases. There are different approaches to implementing authorization, including hardcoded policies, centralized services, distributed services, and service meshes, each with its own advantages and drawbacks. A service mesh, particularly when integrated with tools like Open Policy Agent (OPA) and Kuma, offers a scalable and consistent authorization solution by enabling network proxies to manage API authorization queries. OPA can be applied across the cloud-native stack for a range of use cases, including controlling CI/CD pipelines, cloud platform resources, and application access. Managing OPA instances in a large-scale service mesh setup can be optimized using control planes such as Styra Declarative Authorization Service (DAS), which offers a policy-as-code solution tailored for enterprise environments and supports various use cases, including Kubernetes and service mesh management.