Dave,
While I'm not Vish, I have been working on/around authentication for the past couple weeks and I'll provide my thoughts.
EC2 and OpenStack Nova APIs should not be affected by the authentication work going on. The Keystone project is the only candidate I'm aware of, and it seems like it is, or soon will be, a good candidate for integration into the stack. Migration to a separate authentication service is going to be tricky, but the goal is to do it as seamlessly as possible. "Near stable" should be able to be promised.
This is the phased approach Brian Waldon and I have been playing around with:
http://wiki.openstack.org/Nova/AuthManagerSpec
Keystone should be able to provide the features of IAM.
I'm not able to find the PTL meeting logs; perhaps a #startmeeting was never issued for it? I was eavesdropping at the time but can't find the logs; perhaps someone can find them or send them out. The meeting I'm referring to was right after this:
http://eavesdrop.openstack.org/meetings/openstack-meeting/2011/openstack-meeting.2011-05-10-21.01.log.html