There are places in our service model where access control decisions are made by calling hasAction() on instances of the EntityAccessControl REST model rather than on the actual access-controlled metadata domain model. It would be better if all access control checks were made against the same API, and the metadata domain is the real source of truth for access control state. This is especially problematic if we are checking REST model objects for access control that have been posted to Kylo (not sure if this is actually happening).
This behavior also interferes with the new refactoring that delegates all checks to the AccessController component.
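
The difference between the two kinds of check, as an added sketch that is not Kylo code: the classes below are simplified stand-ins that borrow only the names EntityAccessControl, hasAction() and AccessController from this issue. The `grant` and `isPermitted` methods, the action names and the sample data are hypothetical and constructed for the example.

```java
import java.util.*;

// Simplified stand-ins, NOT Kylo's real classes or method signatures.
public class AccessCheckDemo {

    // REST model: deserialized from a request body, so the caller controls its contents.
    static class EntityAccessControl {
        String id;
        Set<String> allowedActions = new HashSet<>();
        boolean hasAction(String action) { return allowedActions.contains(action); }
    }

    // Server-side source of truth: entity id -> user -> permitted actions.
    static class AccessController {
        private final Map<String, Map<String, Set<String>>> domain = new HashMap<>();
        void grant(String entityId, String user, String action) {        // hypothetical
            domain.computeIfAbsent(entityId, k -> new HashMap<>())
                  .computeIfAbsent(user, k -> new HashSet<>()).add(action);
        }
        boolean isPermitted(String entityId, String user, String action) { // hypothetical
            return domain.getOrDefault(entityId, Map.of())
                         .getOrDefault(user, Set.of()).contains(action);
        }
    }

    // Problem pattern: the decision reflects whatever the posted object claims.
    static boolean checkAgainstRestModel(EntityAccessControl posted, String action) {
        return posted.hasAction(action);
    }

    // Preferred pattern: only the id comes from the request; state comes from the domain.
    static boolean checkAgainstDomain(AccessController ac, EntityAccessControl posted,
                                      String user, String action) {
        return ac.isPermitted(posted.id, user, action);
    }

    public static void main(String[] args) {
        AccessController ac = new AccessController();
        ac.grant("entity-1", "alice", "VIEW");                  // constructed domain state

        EntityAccessControl posted = new EntityAccessControl(); // as if parsed from a POST body
        posted.id = "entity-1";
        posted.allowedActions.add("EDIT");                      // claim not backed by the domain

        System.out.println("REST model, EDIT: " + checkAgainstRestModel(posted, "EDIT"));
        System.out.println("domain, EDIT:     " + checkAgainstDomain(ac, posted, "alice", "EDIT"));
        System.out.println("domain, VIEW:     " + checkAgainstDomain(ac, posted, "alice", "VIEW"));
    }
}
```

The two EDIT checks disagree because the REST object carries its own permission list, which is why routing every check through one component backed by the metadata domain removes the inconsistency.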