There are loads of jobs that we need to do on our code base. One of those is probably to introduce a caching layer; the question is when to schedule the work to design and implement a caching strategy when using an agile, user-story-based process. We don't want to do premature optimisation, but at the same time shoehorning a caching layer in at the 11th hour to fix a performance issue sounds like a total nightmare.
For now I think we'll wait and include it in our permissions stories. I think it can fairly safely cache all the user's permissions on login and clear the cache when the session expires. It won't need to worry about invalidating cache entries: if permissions change then the user will have to log out and log back in again, and at least that'll give us a base to build object caching and perhaps output caching on top of.
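A sketch of the session-scoped permission cache described above, added here as an example and not code from this project. The class name, the in-memory store, the permission strings and the 30-minute session lifetime are all assumptions; the run shows that a permission revoked in the store stays usable until the session expires, so the session lifetime is the upper bound on how long a revocation takes to apply.

```python
import time


class SessionPermissionCache:
    """Caches each user's permissions for the lifetime of one session."""

    def __init__(self, store, session_ttl, clock=time.monotonic):
        self.store = store              # hypothetical backing store: user -> set of permissions
        self.session_ttl = session_ttl  # seconds; also the longest a revoked permission survives
        self.clock = clock
        self._sessions = {}             # session_id -> (expires_at, frozenset of permissions)

    def login(self, session_id, user):
        # One store read per login; the snapshot is frozen for the session.
        perms = frozenset(self.store.get(user, ()))
        self._sessions[session_id] = (self.clock() + self.session_ttl, perms)

    def logout(self, session_id):
        self._sessions.pop(session_id, None)

    def has_permission(self, session_id, permission):
        entry = self._sessions.get(session_id)
        if entry is None:
            return False                # unknown session: deny
        expires_at, perms = entry
        if self.clock() >= expires_at:
            self.logout(session_id)     # expired session: clear its cache entry and deny
            return False
        return permission in perms


def demo():
    store = {"alice": {"report:read", "report:edit"}}  # constructed sample data
    now = [0.0]                                         # fake clock keeps the run deterministic
    cache = SessionPermissionCache(store, session_ttl=1800, clock=lambda: now[0])
    cache.login("s1", "alice")
    results = [cache.has_permission("s1", "report:edit")]      # served from the cache
    store["alice"].discard("report:edit")                       # permission revoked in the store
    results.append(cache.has_permission("s1", "report:edit"))  # stale snapshot still allows it
    now[0] = 1800.0                                             # session reaches its lifetime
    results.append(cache.has_permission("s1", "report:edit"))  # expired: denied, entry cleared
    cache.login("s2", "alice")                                  # fresh login re-reads the store
    results.append(cache.has_permission("s2", "report:edit"))
    results.append(cache.has_permission("s2", "report:read"))
    return results


if __name__ == "__main__":
    print(demo())
```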
This interesting caching article got me started on thinking about this article; hopefully it'll still be up when I come to need it. http://openmymind.net/Caching-Your-Worst-Best-Friend/
This one is interesting too. http://37signals.com/svn/posts/3112-how-basecamp-next-got-to-be-so-damn-fast-without-using-much-client-side-ui