Apple Buys Styra Brains, OPA Remains Open
In what may be the most Apple-esque move in recent memory—quiet, strategic, and totally on-brand—the tech giant has apparently executed an “acquihire without the acquisition” by scooping up the co-founders and core team behind Styra, the original creators of Open Policy Agent (OPA). While Apple isn’t acquiring Styra outright, the impact is arguably just as seismic.
OPA, for those unfamiliar, is a powerful open source policy engine that has become a foundational layer in the cloud-native stack, allowing developers and operators to write and enforce policies across Kubernetes, APIs, microservices, and more. It’s Rego-based, declarative, and flexible enough to plug into nearly any part of your software delivery pipeline. In short: If you care about policy-as-code and cloud-native governance, OPA has probably crossed your radar.
Styra, the company behind OPA, not only created and maintained the open source project, but also commercialized it with a suite of enterprise-grade tooling around policy authoring, compliance auditing, and runtime enforcement. Their platform, Styra DAS (Declarative Authorization Service), was a go-to for teams looking to scale OPA across complex architectures.
So what exactly happened here?
The Brain Drain Play
According to reports from Heise and Open Source For You, Apple has hired the co-founders of Styra—Tim Hinrichs and Torin Sandall—along with several senior engineers and core contributors. However, they did not acquire the company or its assets.
This creates a somewhat surreal situation: the brains behind the project are now in Cupertino, but OPA itself remains open and independent, thanks to its status as a graduated CNCF project since 2021.
Even more interestingly, Styra has announced that much of its commercial tooling will be open-sourced in the wake of this talent migration. While it’s unclear whether that code will be contributed directly to CNCF or to some other foundation (or just pushed to GitHub and left to the winds), it’s a bold move—and, in many ways, a graceful exit.
But there’s one group that’s left hanging: Styra’s commercial customers.
What About the Customers?
If you’ve built your access control architecture around Styra’s enterprise platform, this news likely leaves a sour taste. Without the core team in place, and with no clear roadmap for ongoing support, customers are suddenly faced with a difficult choice: stick with an uncertain vendor, fork and self-support, or migrate to another solution.
This is a classic downside of the open core model. You rely on a vendor for stability, support, and innovation—until they’re no longer in the picture. To Styra’s credit, open-sourcing the commercial pieces could soften the blow, but most organizations don’t have the internal bandwidth or expertise to take on what is essentially a product stewardship role.
Shimmy’s Take
This one’s personal for me. I’ve been watching the evolution of open source in the cloud-native world for over a decade, and I can say this without hesitation: OPA is one of the most important projects of this era. It filled a policy enforcement vacuum at a critical moment in Kubernetes adoption, and it did so in a way that was both elegant and extensible.
Now, what Apple has done here is very on-brand: They’ve taken the delicious core and left the open shell. There’s no acquisition, no fanfare, and no obligation to the community. It’s Apple being Apple.
But that’s exactly why I’m grateful OPA was under CNCF governance. Imagine if OPA had remained fully under Styra’s ownership. This kind of brain drain could’ve been fatal. Instead, because the project was donated to CNCF back in 2018, and has since achieved graduated status, it has the institutional support and community momentum to continue—even if some of its original architects have moved on.
It’s a textbook case of why independent governance matters.
As for Styra’s commercial customers? Yeah, they’re in the lurch. OK, let’s be real—they’re in the deep lurch. But this creates space for someone else—maybe another vendor, maybe a startup, maybe a group of ex-Styra folks not going to Apple—to step up and provide commercial-grade OPA support.
This is also a rallying moment for the OPA community. We’ve seen it before—when HashiCorp changed licenses, when Docker pivoted, when Elasticsearch went closed. The OSS world has a way of responding with forks, alternatives, and renewed energy. I expect no less here.
So… What Now?
If you’re currently using Styra’s commercial tools or relying on OPA as a critical piece of your cloud-native stack, here’s my advice:
1. Audit Your Risk Exposure: Understand exactly how dependent your stack is on Styra’s proprietary tools versus the open source OPA project.
2. Track OPA’s Community Roadmap: Keep an eye on OPA’s future roadmap under CNCF—this will likely evolve now that some of its leadership is elsewhere.
3. Evaluate Alternatives: If you’re considering moving away from OPA or diversifying, here are a few options to explore:
- OpenFGA: A high-scale, open source authorization system from AWS inspired by Google Zanzibar.
- Cedar: An open-source language and engine for access control developed by AWS.
- AuthZed: Commercial authorization-as-a-service, with a strong developer focus.
- Casbin: A mature, multi-language policy engine supporting various access control models.
Each has trade-offs, but they share the same ethos: decoupling policy from application logic.
4. Advocate for Sustainable Open Source: If you’re a CIO, CTO, or architect, you’ve got to ask the hard questions:
- Who owns and controls the code you’re building on?
- What happens if they leave or pivot?
- And most importantly: What are you doing to ensure your stack doesn’t depend on goodwill alone?
In Closing
OPA will be fine. The CNCF will ensure that. The community will adapt. Apple gets what it wants. Styra’s team, frankly, probably gets a well-earned windfall. The only question mark is what happens to those commercial customers—and who steps in to fill the vacuum.
This situation should serve as a wake-up call for anyone relying on open core vendors. Governance models, project maturity, and community health are not abstract ideals. They are the difference between resilience and disruption when things change.
We’ll keep covering the story as it unfolds. In the meantime, if you’ve got thoughts, or you’re working on the next great open source policy engine—drop me a line. You know where to find me.