Using Policy as Code to enhance Enterprise Risk Management
Move Up the Stack
Problem
Your large enterprise is trying to shift auditor focus from individual controls to comprehensive frameworks. Why?
Time and resource drain: A significant portion of business resources is consumed by compliance efforts. In a 2025 survey, 25% of organizations spent 1,000 to 4,999 hours on compliance annually. Two-thirds of organizations spend at least three months preparing for each audit.
Budget limitations: A 2025 study found that 74% of organizations could not address vulnerabilities due to limited budgets and resources.
Increasing expenses: 58% of compliance leaders reported that internal costs for managing compliance efforts had increased over a three-year period.
Key Elements of a Solution
Consistency: You need to ensure that audit and ERM are on the same page
Comprehensiveness: You need consistent, repeatable processes for changing your software and your policies
Continuity: You need ways to demonstrate that policy enforcement is happening everywhere, all the time
Automation: You want audit trails for everything, generated automatically and stored immutably
How Policy as Code Can Help
Centralized Controls
Migrating your services, systems and applications to using a common, centralized Policy as Code framework for policy enforcement improves the Consistency and the Comprehensiveness of the policies
Ubiquitous Logging
Policy as Code agents support Automation by capturing every policy decision as an attestation record and forwarding those records to immutable archives of your choosing. For the records to serve as audit evidence, the archive must be append-only and outside the control of the teams whose decisions it records; otherwise the log attests only to what its owner chose to keep.
Deployed Everywhere
Policy as Code agents are small-footprint, ubiquitous components that you can deploy across your entire network with a very modest resource impact. Keeping these agents very close to the services that use them ensures that your policies are enforced continuously.
Implemented this way, Policy as Code allows auditors to stop focusing on the attestation of individual people, and focus on job titles or business roles.
With IAM, you have to look at each individual and review their entitlements and the associated resources very rigorously, because of the complex interactions between entitlements and real-world (and virtual) resources.
With Policy as Code, the policies are generalized to the roles, and the entitlements are instead data elements associated with the individual and the resources. Instead of having to review 10,000 individual user permissions, auditors can review the policies associated with the business roles.
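The following is an added illustration of the two points above (decisions captured as attestation records, and policies attached to roles rather than people); it is example code written for this page, not code from the original or from PAC Labs. It assumes a minimal in-process agent written in Python: role policies are predicates over a subject's entitlement data and a resource's attributes, a global separation-of-duties rule runs before any role policy, and every decision is appended to a hash-chained log so that an edited or deleted record is detectable. The roles, users, cost centers and invoices are constructed sample data, and `POLICY_VERSION` is a hypothetical tag for the reviewed policy set.

```python
"""Added example: a minimal in-process Policy as Code agent.

Policies are attached to business roles; per-person facts (roles held,
cost centers owned) are entitlements kept as data. Every decision is
appended to a hash-chained log, which is the attestation record an
auditor reviews instead of thousands of individual permissions.
All roles, users and invoices below are constructed sample data.
"""
import hashlib
import json

POLICY_VERSION = "2025-01-v3"  # hypothetical version tag of the reviewed policy set

# Role policies: a predicate over (subject entitlements, resource attributes).
POLICIES = {
    "accounts_payable_clerk": {
        "invoice:read": lambda s, r: r["cost_center"] in s["cost_centers"],
        "invoice:approve": lambda s, r: (r["cost_center"] in s["cost_centers"]
                                         and r["amount"] <= 10_000),
    },
    "finance_manager": {
        "invoice:read": lambda s, r: True,
        "invoice:approve": lambda s, r: r["amount"] <= 250_000,
    },
}

# Entitlements as data: which roles and cost centers each person holds (constructed).
SUBJECTS = {
    "u1001": {"id": "u1001", "roles": ["accounts_payable_clerk"], "cost_centers": ["CC-100"]},
    "u2002": {"id": "u2002", "roles": ["finance_manager"], "cost_centers": []},
}


def violates_separation_of_duties(subject, action, resource):
    """Global rule evaluated before any role policy: nobody approves their own submission."""
    return action == "invoice:approve" and resource.get("submitted_by") == subject["id"]


class DecisionLog:
    """Append-only decision log; each record hashes its predecessor, so any
    edit or deletion of an earlier record makes verify() fail."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record):
        body = dict(record, prev_hash=self.records[-1]["hash"] if self.records else self.GENESIS)
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self):
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def decide(log, subject_id, action, resource):
    """Default-deny evaluation: allowed only if some role the subject holds
    has a policy for the action that accepts the resource. Unknown subjects
    hold no roles and are therefore denied. Every outcome is logged."""
    subject = SUBJECTS.get(subject_id, {"id": subject_id, "roles": [], "cost_centers": []})
    if violates_separation_of_duties(subject, action, resource):
        matched, reason = [], "separation_of_duties"
    else:
        matched = [role for role in subject["roles"]
                   if action in POLICIES.get(role, {}) and POLICIES[role][action](subject, resource)]
        reason = "role_policy" if matched else "no_matching_role_policy"
    allowed = bool(matched)
    log.append({"policy_version": POLICY_VERSION, "subject": subject_id,
                "roles": subject["roles"], "action": action, "resource": resource,
                "matched_roles": matched, "allowed": allowed, "reason": reason})
    return allowed


def policy_surface():
    """What an auditor reviews: the (role, action) policy pairs, not per-user permissions."""
    return sorted((role, action) for role, actions in POLICIES.items() for action in actions)


if __name__ == "__main__":
    log = DecisionLog()
    decide(log, "u1001", "invoice:approve",
           {"id": "INV-1", "amount": 5_000, "cost_center": "CC-100", "submitted_by": "u3003"})
    decide(log, "u1001", "invoice:approve",
           {"id": "INV-2", "amount": 500, "cost_center": "CC-100", "submitted_by": "u1001"})
    print(json.dumps(log.records, indent=2))
    print("log intact:", log.verify())
    log.records[0]["allowed"] = False  # simulate tampering with the archive
    print("log intact after edit:", log.verify())
```

The review surface for an auditor is `policy_surface()` plus the entitlement data, which grows with the number of roles and actions rather than with the number of people. The hash chain only detects tampering; the forwarding to an external append-only archive that the page describes is what prevents a record from being silently rewritten in place.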
The Virtuous Attestation Circle
Because Policy as Code is, well, code, changes to the policies can be managed, approved and signed off in the same way that other code changes can be managed, approved and signed off. These changes are captured and subject to audit, just like any other change.
Centralized, Single-Responsibility for Policy
Migrating your policy implementations from the business applications and services into a centralized policy repository provides several benefits:
No risk that slight differences in implementation in different applications/systems create non-compliant effects
One source of truth
Centralized policy is easier to understand, easier to review and easier to test
Compliance and Risk experts can work with the centralized team in a consistent and collaborative way, which is much more difficult if the policy is scattered across thousands of applications and services
Another benefit: separating policy enforcement from the business logic will typically make it easier and faster to build and extend the business logic.
Three Lines of Defense
Policy as Code supports all three lines of defense:
Business Operations use the centrally managed and approved policy logic
Risk & Compliance management can use the decision logs to verify implementations
Internal Audit has a central repository of policy to review, and rich, auditable evidence of control effectiveness
IA will also have an easier time detecting impairments and alerting the business
Win Win Win
Your enterprise will benefit in several ways from a strategic investment in Policy as Code:
You will be able to respond to new risks faster, because the policy logic is centralized and ubiquitous. Policy changes can be performed in days instead of months.
You will be able to offer new business services faster, and respond to competitive threats faster, because the policy logic is separate from the business logic
You will be able to verify audit compliance faster, because your auditors can focus on the policy logic and the decision log outcomes, rather than having to focus on individual access rights
Policy as Code agents have a very low TCO, especially compared to the TCO of maintaining policy in hundreds or thousands of individual systems
It will be much easier to migrate acquired services and business logic to this model than it will be to merge and refine disparate IAM models
Common Objections
This is just moving the problem around
Policy logic embedded in hundreds or thousands of applications/services is a nightmare to change and extend, especially as the applications and services become part of the “legacy” infrastructure.
This will make things slower
Policy agents are designed to be deployable everywhere, in many cases inside the same container or VM as the service that calls them, so a policy decision is a local call rather than a round trip across the wire. Each call still adds a small amount of latency, so some operations may get a tiny bit slower, but that cost is modest next to the other benefits.
Policy logic is hard to write and read
This is because it isn’t a focus of the organization. With practice and discipline, a focused team will rapidly master policy logic.
Changes to the policies may require the applications to supply additional information
True, but when a policy changes in a system with embedded policy logic, the application almost always has to change as well. Under Policy as Code the application changes are limited to supplying the additional attributes the policy needs, so they are small, focused, and easy to test.
It will be difficult to get auditors to recognize this new approach
You’ll have to work with the auditors to educate them on this approach, create pilot programs, and provide demonstrations of how it will improve their effectiveness. Start with risk-aware auditors or more “progressive” audit teams where you can.
Conclusion
Thank you for taking the time to get this far. If you’d like to discuss this further, please feel free to reach out at: johnbr@paclabs.io .