@Dusk makes a quiet assumption that catches people off guard later... identities do not age well.
Addresses stick around. Roles don't. Someone gets approved an exemption expires a mandate changes... and the address keeps working long after it should have gone cold. That is not an edge case. That's how lists actually fail.
Dusk does not rely on memory. At execution time, the system asks a narrower question.. does this transaction satisfy the rule right now? Credentials either pass or they don't. Nothing "used to be allowed' carries forward.
You usually discover the difference after the fact. When an asset moved and nobody can point to a bad actor.. just a rule that should’ve stopped it.
Address-based gating forgets quietly.
Execution-time checks donot forget at all.