Policies show great potential as a way to control the behavior of complex computer systems. In the case of authorization decisions in large distributed systems, policies offer the potential to abstract away from the details of who is allowed to access which services, under which conditions. This layer of abstraction is both a challenge and an opportunity: policy-driven distributed authorization systems may be more manageable, scalable, available, and secure than previous approaches---or they may be just the opposite. In the talk that accompanies this paper paper, we survey the status of the field and its near-term prospects, from both a theoretical and a practical perspective, and point out the major barriers to the adoption of policy-driven authorization systems in industry.