h/t to CloudSecList
Trail of Bits did a security evaluation of the Cedar, Rego and OpenFGA policy languages: Policy Language Security Comparison and TM
Interestingly, they created a threat model to do this comparative analysis. They seem to have defined a generic model that includes systems that use these policy languages, and identified a bunch of threats, and then evaluated how well each policy language mitigated the threats.
I don’t recall seeing threat modelling used as a comparative analysis tool before, but it seems like a good idea!