In part three of this series on Policy as Code, we’ll look at the intersection between PaC and AI coding assistants. AI coding tools have fundamentally changed software development. “Vibe coding,” or chat-based coding, where you ask an LLM to write code, feed it the results, and ask it to make changes in a continuous loop, is now fairly commonplace. But this creates a challenge: as development teams come under more pressure to deliver code faster with smaller (human) team sizes, how can they maintain the expected levels of security and quality?
Additionally, AI tools are just as susceptible as humans to writing vulnerable code: using libraries in unsafe ways, implementing business logic flaws because they don’t fully understand the context, or creating overly complex point solutions when the organization already has a defined design pattern or library, with centralized logic and expectations, for that problem.
They can also change both the code and the tests, which means the bugs they introduce are often subtle and don’t fail the corresponding tests. With small changes, this is easily caught during review, but with larger updates (as is typical when vibe coding) these bugs can easily slip through.
Automated Governance
Enter the concept of Automated Governance, which uses code to oversee changes, such as those from AI coding tools, and which can be implemented with Policy as Code.
In TAG-Security’s recent Automated Governance Maturity Model, we broke this down into four components:
- Policy: Traditional governance relies on static documents that quickly become outdated. With PaC, policies become code, so they can be properly versioned, tested, and continuously improved. They also become a single source of truth for both humans and machines, guiding decision-making, risk management, and compliance activities.
- Evaluation: Automated evaluation provides continuous assessment across all of your software repositories and runtime environments, creating feedback loops that help refine governance strategies. An evaluation targets a specific application or service and can be composed of multiple assessments; each assessment has one or more steps corresponding to an assessment requirement in a control deemed applicable by organizational policy.
- Enforcement: Instead of humans manually implementing controls, PaC enables automated enforcement at scale. Non-compliant resources are automatically remediated or blocked from deployment, creating a self-healing environment.
- Audit: With PaC, audit becomes a byproduct of standard operations, not an independent exercise. When policies are code and enforcement is automated, evidence collection happens continuously, avoiding the unplanned work of chasing down audit evidence. A minimal sketch tying these four components together follows below.
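To make the four components a little more concrete, here is a minimal, illustrative sketch in Python. It is not tied to any particular policy engine; the control, the resource shape, and the function names are hypothetical stand-ins for whatever your organization actually uses.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone


# Policy: a versioned, testable rule expressed as code rather than a static document.
@dataclass
class Policy:
    id: str
    description: str

    def evaluate(self, resource: dict) -> bool:
        raise NotImplementedError


class NoPublicBuckets(Policy):
    """Hypothetical control: object storage buckets must not allow public access."""

    def evaluate(self, resource: dict) -> bool:
        return resource.get("public_access", False) is False


# Evaluation: run the applicable policies against a target and record each result.
def evaluate_resource(resource: dict, policies: list[Policy]) -> list[dict]:
    return [
        {
            "policy": p.id,
            "resource": resource["name"],
            "compliant": p.evaluate(resource),
            "timestamp": datetime.now(timezone.utc).isoformat(),
        }
        for p in policies
    ]


# Enforcement: block (or remediate) anything non-compliant instead of relying on humans.
def enforce(results: list[dict]) -> None:
    failures = [r for r in results if not r["compliant"]]
    if failures:
        raise SystemExit(f"Deployment blocked: {len(failures)} policy violation(s)")


if __name__ == "__main__":
    bucket = {"name": "team-data", "public_access": True}
    policies = [NoPublicBuckets(id="SEC-001", description="No public buckets")]

    results = evaluate_resource(bucket, policies)

    # Audit: evidence is a byproduct of normal operation -- every evaluation is recorded.
    print(json.dumps(results, indent=2))

    enforce(results)
```

In a real setup the evaluation results would be shipped to wherever your evidence lives, but the shape is the same: policy as code, evaluation as a function over it, enforcement as a gate, and audit as the records that fall out of the process.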
There are a number of ways Policy as Code can help govern and oversee AI-generated code.
Code Quality & Maintainability
- Complexity Limits: Automatically enforce maximum cyclomatic and cognitive complexity thresholds to prevent AI from generating unmaintainable “spaghetti code” (see the sketch after this list)
- Naming Convention Compliance: Ensure AI-generated code follows your organization’s naming standards for variables, functions, and classes
- Documentation Standards: Enforce proper commenting and documentation for AI-generated functions and classes to ensure future maintainability
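As one illustration of the complexity-limit idea, here is a rough sketch in Python that approximates cyclomatic complexity by counting branch points with the standard `ast` module. In practice you would likely lean on an existing linter rule; the threshold of 10 is just a placeholder.

```python
import ast
import sys

# Node types that introduce a new branch in the control flow.
BRANCH_NODES = (ast.If, ast.For, ast.While, ast.ExceptHandler,
                ast.With, ast.BoolOp, ast.IfExp)

MAX_COMPLEXITY = 10  # placeholder threshold -- set per your standards


def cyclomatic_complexity(func: ast.AST) -> int:
    """Rough approximation: 1 + number of branch points inside the function."""
    return 1 + sum(isinstance(node, BRANCH_NODES) for node in ast.walk(func))


def check_file(path: str) -> list[str]:
    with open(path) as f:
        tree = ast.parse(f.read(), filename=path)
    violations = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            score = cyclomatic_complexity(node)
            if score > MAX_COMPLEXITY:
                violations.append(
                    f"{path}:{node.lineno} {node.name} has complexity {score} "
                    f"(limit {MAX_COMPLEXITY})"
                )
    return violations


if __name__ == "__main__":
    problems = [v for f in sys.argv[1:] for v in check_file(f)]
    print("\n".join(problems))
    sys.exit(1 if problems else 0)
```

Wired into CI, a check like this fails the pipeline when AI-generated (or human-written) functions exceed the agreed threshold, rather than relying on a reviewer to notice.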
Security & Compliance
- Secure Defaults: Verify that AI-generated code uses secure default configurations and doesn’t leave in temporary code from local testing (see the sketch after this list)
- Sensitive Data Handling: Ensure that encryption, logging, authorization, classification, and overall data handling and integrations are aligned with company expectations
- Continuous Compliance: Bring compliance frameworks, new contracts, upcoming regulations, product requirements, and other obligations to developers’ attention while features and fixes are already happening in that part of the code base, reducing rework and overhead and optimizing cognitive load
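As a sketch of the secure-defaults check, here is a small Python scanner that flags a few common “left in for local testing” patterns. The patterns are illustrative assumptions, not an exhaustive or authoritative rule set.

```python
import re
import sys

# Illustrative patterns only -- extend with your organization's real rules.
INSECURE_PATTERNS = {
    r"verify\s*=\s*False": "TLS verification disabled",
    r"DEBUG\s*=\s*True": "debug mode enabled",
    r"0\.0\.0\.0": "service bound to all interfaces",
    r"(password|secret|api_key)\s*=\s*[\"'][^\"']+[\"']": "possible hardcoded credential",
}


def scan(path: str) -> list[str]:
    findings = []
    with open(path) as f:
        for lineno, line in enumerate(f, start=1):
            for pattern, reason in INSECURE_PATTERNS.items():
                if re.search(pattern, line, re.IGNORECASE):
                    findings.append(f"{path}:{lineno} {reason}")
    return findings


if __name__ == "__main__":
    findings = [f for path in sys.argv[1:] for f in scan(path)]
    print("\n".join(findings))
    sys.exit(1 if findings else 0)
```

Purpose-built secret scanners and SAST tools do this far more thoroughly; the point is that the expectation is encoded once and applied to every change, whoever (or whatever) wrote it.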
Architectural Standards & Resilience
- Approved Components: Ensure the appropriate use of existing/internal packages, services, and design or architectural patterns to improve consistency and avoid sprawl (see the sketch after this list).
- Domain Model Adherence: Verify that AI-generated code correctly implements your domain model and business rules
- Observability Standards: Require implementation of proper metrics, logging, and tracing according to your observability strategy
- Resilience Patterns: Ensure implementation of circuit breakers, retries, and other resilience patterns according to your standards
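For the approved-components check, a sketch like the following could flag direct use of packages the organization has wrapped or deprecated. The package names (`requests`, `urllib3`, `internal_http`) are purely hypothetical examples.

```python
import ast
import sys

# Hypothetical mapping of disallowed packages to the approved internal alternative.
DISALLOWED = {
    "requests": "use the internal_http client instead",
    "urllib3": "use the internal_http client instead",
}


def check_imports(path: str) -> list[str]:
    with open(path) as f:
        tree = ast.parse(f.read(), filename=path)
    violations = []
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        for name in names:
            top_level = name.split(".")[0]
            if top_level in DISALLOWED:
                violations.append(
                    f"{path}:{node.lineno} import of '{top_level}': {DISALLOWED[top_level]}"
                )
    return violations


if __name__ == "__main__":
    problems = [v for f in sys.argv[1:] for v in check_imports(f)]
    print("\n".join(problems))
    sys.exit(1 if problems else 0)
```

The same shape works for domain-model, observability, and resilience rules: encode the expectation once, and the check nudges AI-generated code toward the patterns your organization has already decided on.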
Feedback & Continuous Improvement
- Continuous Improvement: Continuously improve code bases as they’re touched, for example by revising comments to ensure they’re still accurate, re-aligning code with recent company decisions, or flagging candidates for a root cause analysis or blameless postmortem when mistakes or issues have significant impact.
- Policy Effectiveness Metrics: Measure and report on which policies catch the most issues, both to focus improvement efforts and to feed information back into the policy decision-making process, keeping governance aligned with the real world (see the sketch after this list).
- AI Model Feedback Loop: Provide feedback to AI coding assistants based on policy violations to improve future code generation
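As a sketch of the metrics and feedback-loop ideas, the snippet below aggregates violations by policy and writes a short guidance file that could be handed back to a coding assistant as context. The violation record format and the output file name are assumptions, not a standard.

```python
import json
from collections import Counter


# Assumed shape: one JSON record per line, e.g.
# {"policy": "SEC-001", "message": "TLS verification disabled", "repo": "payments"}
def load_violations(path: str) -> list[dict]:
    with open(path) as f:
        return [json.loads(line) for line in f if line.strip()]


def effectiveness_report(violations: list[dict]) -> Counter:
    """Which policies catch the most issues? Feed this back into policy decision-making."""
    return Counter(v["policy"] for v in violations)


def write_assistant_guidance(violations: list[dict], path: str = "ASSISTANT_RULES.md") -> None:
    """Summarize the most frequent violations as guidance for the AI coding assistant."""
    counts = effectiveness_report(violations)
    with open(path, "w") as f:
        f.write("# Recurring policy violations -- please avoid these patterns\n")
        for policy, count in counts.most_common(10):
            f.write(f"- {policy}: seen {count} times recently\n")


if __name__ == "__main__":
    violations = load_violations("violations.jsonl")
    for policy, count in effectiveness_report(violations).most_common():
        print(f"{policy}: {count}")
    write_assistant_guidance(violations)
```

The same aggregation serves both audiences: humans deciding which policies to refine, and assistants that can read the guidance file as part of their working context.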
Automated controls allow you to better govern how your engineers use AI solutions on a daily basis. AI solutions evolve fast (and faster every day), so good guardrails at the platform level let you address the security concerns that come with agentic solutions without holding your engineers back.
How does this apply to Cloud Native?
Platform-level automated controls let engineers move quickly with AI assistants without taking on risks they aren’t fully informed of. Because policies are code, they evolve at the same speed as the platform itself. This frees developers to stay “in flow” while the platform quietly blocks unsafe patterns and highlights areas for improvement, with no context switching required.
Deterministic policy engines such as Kyverno and Open Policy Agent (OPA) excel at clear yes/no rules (“No public S3 buckets,” “Image must be signed”). But AI-generated changes frequently blur those lines. While there is no one-click, end-to-end solution for this today, that gray area can be covered with a layered approach combining deterministic PaC, LLM-based reviews, and human-in-the-loop reviews.
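There is no standard implementation of that layering today, but the routing logic might look roughly like the sketch below. `run_deterministic_checks` and `llm_review` are hypothetical stand-ins for your policy engine and whatever LLM review step you choose; the real systems would replace the placeholder bodies.

```python
from dataclasses import dataclass


@dataclass
class Verdict:
    decision: str  # "pass", "fail", or "uncertain"
    reasons: list[str]


def run_deterministic_checks(diff: str) -> Verdict:
    """Stand-in for Kyverno/OPA-style yes/no rules evaluated against the change."""
    # Placeholder: a real implementation would call your policy engine.
    return Verdict("pass", [])


def llm_review(diff: str, policies: str) -> Verdict:
    """Stand-in for an LLM-based review of the gray area (intent, context, logic flaws)."""
    # Placeholder: a real implementation would call your model of choice.
    return Verdict("uncertain", ["business logic change touches billing calculations"])


def review_change(diff: str, policies: str) -> str:
    # Layer 1: deterministic PaC -- cheap, repeatable, clear yes/no rules.
    verdict = run_deterministic_checks(diff)
    if verdict.decision == "fail":
        return "blocked: " + "; ".join(verdict.reasons)

    # Layer 2: LLM-based review for the gray area deterministic rules can't express.
    verdict = llm_review(diff, policies)
    if verdict.decision == "uncertain":
        # Layer 3: human-in-the-loop for anything still ambiguous or high impact.
        return "escalated to human review: " + "; ".join(verdict.reasons)

    return "approved" if verdict.decision == "pass" else "blocked: " + "; ".join(verdict.reasons)
```

The deterministic layer stays the source of truth for anything it can express; the LLM and human layers only handle what it cannot, which keeps the expensive, less predictable reviews focused on genuinely ambiguous changes.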