TL;DR: ISC2 Congress 2025 showed security teams moving from manual policy writing to policy as code, continuous assurance, and encoded governance for AI and machine identities, with Cerbos reporting that the winning pattern is versionable, testable, and auditable enforcement across the stack. The real shift is not documentation style but control design, because static review cycles cannot govern dynamic access, agent behavior, or rapidly changing compliance demands.
NHIMG editorial — based on content published by Cerbos: ISC2 Congress 2025 and the move to policy as code
Questions worth separating out
Q: How should security teams implement policy as code in IAM and NHI programmes?
A: Start with the controls that create the most audit and privilege risk, then express them in version-controlled policy definitions that can be tested before deployment.
Q: Why do manual compliance workflows fail in modern identity environments?
A: Manual workflows fail because they depend on periodic human review in environments where access changes continuously.
Q: What should organisations do when AI systems need production access?
A: Treat AI access like any other privileged identity problem and define policy boundaries before granting production permissions.
Practitioner guidance
- Embed policy in version-controlled code: Move critical authorization rules, access conditions, and enforcement logic into version control so changes can be reviewed, tested, and rolled back with the same discipline as application code.
- Automate evidence collection for audits: Instrument systems to capture access decisions, policy evaluations, and enforcement events continuously so audit evidence comes from the control plane rather than manual reconstruction.
- Map AI and machine actions to explicit policy boundaries: Define what AI agents, service accounts, and workloads are allowed to do before production rollout, then enforce those limits at the authorization layer rather than by convention.
What's in the full article
Cerbos' full article covers the operational detail this post intentionally leaves for the source:
- Practical examples of how policy as code is being applied in real access-control workflows.
- The conference discussion points around continuous assurance and auditability in modern compliance programmes.
- The session framing for JIT versus policy-based access control, including how practitioners compared the approaches.
- The article's wider notes on AI governance, financial risk quantification, and the convergence of security and compliance.
👉 Read Cerbos' analysis of policy as code, AI governance, and compliance at ISC2 Congress 2025 →
Policy as code and AI governance: what do security teams need now?
Explore further
Policy as code is no longer a control preference; it is a governance requirement. The article captures a market-wide shift away from static compliance artefacts toward executable policy, and that shift matters because modern environments change faster than manual review loops can track. When access, authorization, and evidence live in code, governance becomes testable rather than interpretive. The practitioner conclusion is that policy must now behave like software infrastructure, not documentation.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably prove who or what still has access.
A question worth separating out:
Q: How do teams know whether policy as code is actually working?
A: Policy as code is working when policy changes are testable, enforcement is consistent across systems, and audit evidence is produced automatically. If teams still need to reconstruct what happened from ticket trails and spreadsheets, the control is not yet behaving like executable governance.
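The three practitioner points above (policy in version control, automated evidence, explicit boundaries for AI and machine identities) and this answer's three checks (testable changes, consistent enforcement, automatic evidence) can be shown in one small piece of code. The Python below is an added illustration, not Cerbos' engine and not code from the article: a hypothetical policy set kept as plain data, a table-driven test gate that rejects an over-broad change before it ships, and a decision log written on every evaluation. The rule ids, principals, the `env` attribute and the deny-overrides combining rule are all constructed assumptions of this example.

```python
"""Hypothetical policy-as-code evaluator (added example, not Cerbos' engine).

Policies are plain data suitable for a version-controlled file; a table-driven
test gate runs before a change ships; every evaluation appends a structured
decision record so audit evidence is produced automatically.
"""
import json
from dataclasses import dataclass, field

# Constructed sample policy set. Combining rule (an assumption of this
# example): any matching DENY wins, else any matching ALLOW, else default deny.
POLICIES = [
    {"id": "svc-read", "effect": "ALLOW", "principal": {"kind": "service"},
     "actions": ["read"], "resource": "orders"},
    {"id": "agent-no-prod-write", "effect": "DENY", "principal": {"kind": "ai_agent"},
     "actions": ["write", "delete"], "resource": "*", "condition": {"env": "prod"}},
    {"id": "agent-staging-write", "effect": "ALLOW", "principal": {"kind": "ai_agent"},
     "actions": ["write"], "resource": "orders", "condition": {"env": "staging"}},
    {"id": "deploy-bot-write", "effect": "ALLOW", "principal": {"id": "deploy-bot"},
     "actions": ["write"], "resource": "orders"},
]


@dataclass
class Request:
    principal: dict            # e.g. {"id": "order-svc", "kind": "service"}
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)   # e.g. {"env": "prod"}


DECISION_LOG = []   # in a real deployment this is shipped to an evidence store / SIEM


def _matches(rule, req):
    """A rule matches when every principal attribute, the action, the
    resource and every condition attribute agree with the request."""
    if any(req.principal.get(k) != v for k, v in rule["principal"].items()):
        return False
    if req.action not in rule["actions"]:
        return False
    if rule["resource"] not in ("*", req.resource):
        return False
    return all(req.attrs.get(k) == v for k, v in rule.get("condition", {}).items())


def evaluate(req, policies=POLICIES, log=DECISION_LOG):
    """Return "ALLOW" or "DENY" and append a decision record to `log`."""
    matched = [r for r in policies if _matches(r, req)]
    denies = [r["id"] for r in matched if r["effect"] == "DENY"]
    allows = [r["id"] for r in matched if r["effect"] == "ALLOW"]
    if denies:
        decision, basis = "DENY", denies
    elif allows:
        decision, basis = "ALLOW", allows
    else:
        decision, basis = "DENY", ["default-deny"]
    log.append({
        "principal": req.principal, "action": req.action, "resource": req.resource,
        "attrs": req.attrs, "decision": decision, "matched_rules": basis,
    })
    return decision


def export_evidence(log=DECISION_LOG):
    """One JSON line per decision: the audit trail comes from the control plane."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in log)


# Expected behaviour, kept next to the policies and run in CI before any change
# is merged. Each case is (request, expected decision).
EXPECTATIONS = [
    (Request({"id": "order-svc", "kind": "service"}, "read", "orders"), "ALLOW"),
    (Request({"id": "order-svc", "kind": "service"}, "write", "orders"), "DENY"),
    (Request({"id": "copilot", "kind": "ai_agent"}, "write", "orders", {"env": "prod"}), "DENY"),
    (Request({"id": "copilot", "kind": "ai_agent"}, "write", "orders", {"env": "staging"}), "ALLOW"),
    (Request({"id": "deploy-bot", "kind": "service"}, "write", "orders", {"env": "prod"}), "ALLOW"),
]


def policy_tests(policies=POLICIES):
    """Run the expectation table against a policy set; return the failures."""
    scratch = []    # keep test traffic out of the real decision log
    failures = []
    for req, expected in EXPECTATIONS:
        got = evaluate(req, policies, scratch)
        if got != expected:
            failures.append((req.principal["id"], req.action, expected, got))
    return failures


if __name__ == "__main__":
    # 1. Gate: the committed policy set must satisfy its expectations.
    assert policy_tests() == []
    # 2. A proposed change that drops the prod guard and widens agent writes
    #    fails the gate before it can be deployed.
    proposed = [r for r in POLICIES if r["id"] != "agent-no-prod-write"] + [
        {"id": "agent-write-anywhere", "effect": "ALLOW",
         "principal": {"kind": "ai_agent"}, "actions": ["write"], "resource": "orders"},
    ]
    print("proposed change failures:", policy_tests(proposed))
    # 3. Production decisions leave evidence automatically.
    evaluate(Request({"id": "copilot", "kind": "ai_agent"}, "delete", "orders", {"env": "prod"}))
    print(export_evidence())
```

The design point is that the expectation table lives beside the policies and is part of the same change set: a pull request that widens what an AI agent may do in production fails `policy_tests` rather than being caught months later in an audit, and because `evaluate` writes a record on every call, the evidence an auditor asks for is the decision log itself, not a reconstruction from tickets.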
👉 Read our full editorial: Policy as code is becoming the new compliance playbook