Comparison

Constellation vs Permit.io

Permit.io is excellent infrastructure — it handles authorization (who can access what resource). Constellation handles something different: institutional governance (who has authority to act, and was this action legitimate). They operate at different layers of the stack and solve fundamentally different problems.

01

The core distinction

Permit.io answers: “Does this user have permission to access this resource?”

Constellation answers: “Is this action institutionally legitimate right now, given everything this organization has decided?”

Authorization is binary — yes or no, based on roles and policies. Institutional governance is contextual — it evaluates authority, thresholds, timing, sequence, and precedent against the organization’s living governance state.

02

Same scenario, different questions

A marketing director uses an AI agent to send a press release about a new partnership.

Permit.io checks

  • Does this user have the “communications:send” permission?
  • Is this resource accessible to their role?
  • Result: allow or deny

Constellation checks

  • Has the partnership been ratified by the board?
  • Does a communications constraint require legal review first?
  • Is this within the director’s delegated authority?
  • Result: proceed, escalate, or block with trace

Permit.io confirms the user can press the button. Constellation confirms the organization should press the button.

03

Different layers of the stack

|  | Permit.io | Constellation |
| --- | --- | --- |
| Layer | Authorization | Institutional governance |
| Question | Can they? | Should they? |
| Input | User, role, resource | Action, context, institutional state |
| Output | Allow / deny | Proceed / escalate / block + trace |
| State | Policies, roles | Decisions, commitments, precedents |
| Enforcement | Gate (before access) | Check + record (before + after action) |
| Human loop | No (automated) | Yes (escalation to authority) |
| Memory | None (stateless) | Traces, precedents, institutional learning |

04

Where they sit in the stack

// The AI governance stack

LLM Layer

  ↓

Prompt Safety (Guardrails, Lakera)

  ↓

Authorization (Permit.io)

  ↓

Application Logic

  ↓

Institutional Governance (Constellation)

  ↓

Compliance Reporting (Drata, Vanta)

Permit.io sits above the application. Constellation sits at the moment of action — after authorization confirms access, but before the action is executed. They are complementary layers, not competing ones.

05

What authorization cannot do

Authorization systems — even sophisticated ones — cannot:

  • Evaluate whether an action conflicts with a prior board decision
  • Enforce spending thresholds that depend on institutional context
  • Route escalations to the right authority with full trace
  • Create an immutable record of why an action was taken
  • Allow contestation of constraints by those governed by them
  • Build institutional precedent from past governance decisions
  • Calibrate AI agent delegation through shadow mode observation

These aren’t limitations of Permit.io. They’re simply outside the scope of authorization.

06

The real bottleneck

In any organization of meaningful size, the bottleneck is never “can this person access this resource?” That’s solved infrastructure.

The bottleneck is human coordination: Who needs to approve this? Does this conflict with what we already decided? Are we allowed to do this right now? What happens if we get it wrong?

As AI agents take on more consequential actions, this coordination problem becomes urgent. An agent with the right permissions can still take an action that violates institutional commitments, exceeds delegated authority, or contradicts a board resolution.

Constellation closes that gap. It makes institutional knowledge present at the moment of action, so that speed doesn’t come at the cost of legitimacy.

07

Using them together

The strongest architecture uses both:

  1. Permit.io gates access — ensuring only authorized users and agents can reach the action surface.
  2. Constellation governs the action — checking institutional constraints, recording traces, and escalating when needed.
  3. The result is both technically secure (authorization) and institutionally legitimate (governance).

Constellation is not an alternative to Permit.io. It’s the layer that comes after authorization — where institutional knowledge meets consequential action.