TL;DR: ISC2 Congress 2025 showed security teams moving from manual policy writing to policy as code, continuous assurance, and encoded governance for AI and machine identities, with Cerbos reporting that the winning pattern is versionable, testable, and auditable enforcement across the stack. The real shift is not documentation style but control design, because static review cycles cannot govern dynamic access, agent behavior, or rapidly changing compliance demands.
NHIMG editorial — based on content published by Cerbos: ISC2 Congress 2025 and the move to policy as code
Questions worth separating out
Q: How should security teams implement policy as code in IAM and NHI programmes?
A: Start with the controls that create the most audit and privilege risk, then express them in version-controlled policy definitions that can be tested before deployment.
Q: Why do manual compliance workflows fail in modern identity environments?
A: Manual workflows fail because they depend on periodic human review in environments where access changes continuously.
Q: What should organisations do when AI systems need production access?
A: Treat AI access like any other privileged identity problem and define policy boundaries before granting production permissions.
Practitioner guidance
- Embed policy in version-controlled code: move critical authorization rules, access conditions, and enforcement logic into version control so changes can be reviewed, tested, and rolled back with the same discipline as application code.
- Automate evidence collection for audits: instrument systems to capture access decisions, policy evaluations, and enforcement events continuously so audit evidence comes from the control plane rather than manual reconstruction.
- Map AI and machine actions to explicit policy boundaries: define what AI agents, service accounts, and workloads are allowed to do before production rollout, then enforce those limits at the authorization layer rather than by convention.
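The three points above fit together in one small loop: rules as data under version control, a regression suite that gates deployment, an authorization check that denies by default, and a decision log produced by the check itself. The following is an added illustration of that loop, not code from Cerbos or from the original article, and its rule format (roles, action patterns, resource prefix, attribute conditions), the principals, the resource names and the policy version tag are all constructed for the example; it is deliberately simpler than a real policy engine, but it shows why an AI agent's production access can be bounded and evidenced without a manual review cycle.

```python
# Toy policy-as-code engine (hypothetical; not Cerbos' policy language): rules are
# data that can live in version control, a deny-by-default evaluator applies them,
# a regression suite gates deployment, and every decision is logged as evidence.
from dataclasses import dataclass, field
from typing import Optional
import json

# Constructed policy set; in a real programme this is reviewed and tagged in git.
POLICY_SET = {
    "version": "2025-10-01.1",  # constructed version tag
    "rules": [
        # On-call SREs may restart production services, but only with MFA.
        {"id": "oncall-restart", "effect": "allow", "roles": ["sre-oncall"],
         "actions": ["service:restart"], "resource_prefix": "prod/",
         "conditions": {"mfa": True}},
        # The AI deploy agent may read production config ...
        {"id": "agent-read-config", "effect": "allow", "roles": ["ai-deploy-agent"],
         "actions": ["config:read"], "resource_prefix": "prod/"},
        # ... and deploy only to staging.
        {"id": "agent-deploy-staging", "effect": "allow", "roles": ["ai-deploy-agent"],
         "actions": ["service:deploy"], "resource_prefix": "staging/"},
        # Explicit deny: no agent touches the secrets subtree, even for reads.
        {"id": "agent-no-secrets", "effect": "deny", "roles": ["ai-deploy-agent"],
         "actions": ["*"], "resource_prefix": "prod/secrets/"},
    ],
}

@dataclass
class Principal:
    id: str
    roles: list
    attrs: dict = field(default_factory=dict)

@dataclass
class Decision:
    allowed: bool
    matched_rule: Optional[str]
    policy_version: str

AUDIT_LOG: list = []  # append-only decision records, JSON-serialisable

def _action_matches(pattern: str, action: str) -> bool:
    """Exact match, "*" for everything, or "ns:*" for a whole namespace."""
    if pattern in ("*", action):
        return True
    return pattern.endswith(":*") and action.startswith(pattern[:-1])

def _rule_matches(rule: dict, p: Principal, action: str, resource: str) -> bool:
    return (bool(set(rule["roles"]) & set(p.roles))
            and any(_action_matches(pat, action) for pat in rule["actions"])
            and resource.startswith(rule["resource_prefix"])
            # every condition must hold on the principal's attributes (e.g. mfa=True)
            and all(p.attrs.get(k) == v for k, v in rule.get("conditions", {}).items()))

def check(p: Principal, action: str, resource: str, policy_set: dict = POLICY_SET) -> Decision:
    """Deny by default; any matching deny overrides any matching allow."""
    matched = [r for r in policy_set["rules"] if _rule_matches(r, p, action, resource)]
    denies = [r for r in matched if r["effect"] == "deny"]
    allows = [r for r in matched if r["effect"] == "allow"]
    winner = denies[0] if denies else (allows[0] if allows else None)
    dec = Decision(bool(allows) and not denies, winner["id"] if winner else None,
                   policy_set["version"])
    # Evidence comes from the control plane itself, not from later reconstruction.
    AUDIT_LOG.append({"principal": p.id, "roles": p.roles, "action": action,
                      "resource": resource, "allowed": dec.allowed,
                      "rule": dec.matched_rule, "policy_version": dec.policy_version})
    return dec

# Constructed principals and regression cases: (principal, action, resource, expected).
SRE = Principal("alice", ["sre-oncall"], {"mfa": True})
SRE_NO_MFA = Principal("alice", ["sre-oncall"], {"mfa": False})
AGENT = Principal("deploy-bot", ["ai-deploy-agent"])
POLICY_TESTS = [
    (SRE, "service:restart", "prod/api", True),
    (SRE_NO_MFA, "service:restart", "prod/api", False),
    (AGENT, "config:read", "prod/api/config.yaml", True),
    (AGENT, "service:deploy", "staging/api", True),
    (AGENT, "service:deploy", "prod/api", False),               # outside its boundary
    (AGENT, "config:read", "prod/secrets/db-password", False),  # deny beats allow
]

def run_policy_tests(policy_set: dict = POLICY_SET) -> list:
    """Return failing cases; an empty list is the gate for shipping a policy change."""
    failures = []
    for p, action, resource, expected in POLICY_TESTS:
        got = check(p, action, resource, policy_set).allowed
        if got != expected:
            failures.append((p.id, action, resource, expected, got))
    return failures

def audit_jsonl() -> str:
    """Decision log as JSON lines, ready for a SIEM or evidence store."""
    return "\n".join(json.dumps(rec) for rec in AUDIT_LOG)
```

Running `run_policy_tests()` in CI before a policy change merges is the "testable" half of the pattern; the deny rule on `prod/secrets/` overriding the broader read allow is the kind of boundary that is easy to assert here and hard to prove from a periodic access review. Every `check()` call also appends a record carrying the policy version that produced the decision, so an auditor can tie any access event back to the exact reviewed rule set, which is what "evidence from the control plane" means in practice.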
What's in the full article
Cerbos' full article covers the operational detail this post intentionally leaves for the source:
- Practical examples of how policy as code is being applied in real access-control workflows.
- The conference discussion points around continuous assurance and auditability in modern compliance programmes.
- The session framing for JIT versus policy-based access control, including how practitioners compared the approaches.
- The article's wider notes on AI governance, financial risk quantification, and the convergence of security and compliance.
👉 Read Cerbos' analysis of policy as code, AI governance, and compliance at ISC2 Congress 2025 →
Policy as code and AI governance: what security teams need now?