Identity-Driven Feature Entitlements

Diving deeper into the interview "Michael Grinich, CEO of WorkOS, on AI startups getting enterprise-ready at launch":
The access model is pretty much isomorphic to role-based access control.

This shows that WorkOS can turn one identity system into multiple products with almost no new underlying machinery. In practice, RBAC and feature flags start from the same object model: users belong to orgs, users have roles or attributes, and those attributes decide whether something is on or off. WorkOS then ships both permissions and feature entitlements through the same login and token flow, which makes feature flags a natural extension of its core identity stack rather than a separate tool.

  • In WorkOS, feature flags are set at the organization level and injected into JWTs as a feature_flags claim, alongside role and permissions claims. That makes the runtime workflow nearly identical: the app reads the token and decides what this user in this org can see or do.
  • That is different from the mainstream feature flag model built for consumer rollout and experimentation. LaunchDarkly and Statsig are strong at targeting, experiments, and analytics, but even LaunchDarkly documents entitlements as a special feature flag use case rather than the core mental model.
  • The business implication is bundle expansion. A startup that buys WorkOS for SSO, directory sync, and user management can add feature gating for enterprise rollouts without wiring up another vendor, which is especially useful when big customers want to control when new functionality appears for their teams.
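
An added example, not WorkOS code or part of the original analysis: a service has to verify the token before it trusts the feature_flags and permissions claims, because an unverified payload can be edited by whoever holds it. Assumptions: HS256 with a constructed key stands in for the issuer's real signing scheme, feature_flags is taken to be a list of flag names, and the flag and permission names are made up.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's verification key
# Constructed sample; only the claim names feature_flags, role and permissions come from the page.
SAMPLE = {"role": "member", "permissions": ["reports:read"],
          "feature_flags": ["audit-export"], "exp": 2_000_000_000}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, key=KEY):
    """Build a constructed HS256 token so the example runs offline."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token, key=KEY, now=None):
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        header, given = json.loads(_unb64(head)), _unb64(sig)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    # Pin the algorithm; never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("expired")
    return claims

def allowed(claims, flag, permission):
    """Entitlement (the org has the feature) AND authorization (the user may use it)."""
    return flag in claims.get("feature_flags", []) and permission in claims.get("permissions", [])

def forge_flag(token, flag):
    """Tampering test case: edit the payload without re-signing it."""
    head, body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["feature_flags"] = claims.get("feature_flags", []) + [flag]
    return f"{head}.{_b64(json.dumps(claims).encode())}.{sig}"
```

Flags carried in a token stay in effect until it expires or is refreshed, so a flag change at the issuer reaches the app at the next refresh.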

Going forward, this pushes feature management in B2B software toward identity-native systems. The winning products will look less like experimentation consoles for growth teams and more like enterprise control planes, where auth, permissions, entitlements, and rollout timing are all managed from the same org and user graph.