Chris Nesbitt-Smith

Policy as [versioned] code - you're doing it wrong

Is your 'policy as code' just creating new friction? Learn how treating policy like a versioned software dependency finally makes compliance a collaborative engineering task.

Policy as [versioned] code - you're doing it wrong
#1about 7 minutes

Introducing the key personas in policy management

An allegorical story illustrates the conflicting perspectives of a CIO, product manager, developer, and operations staff on policy.

#2about 4 minutes

Why simply codifying policy is not enough

Codified policies often fail due to being kept secret, causing breaking changes during deployment, and generating warnings that are ignored in CI/CD pipelines.

#3about 5 minutes

Applying software patterns to policy management

The solution is to treat policy like a software dependency by making it visible, applying semantic versioning, and including tests.

#4about 4 minutes

Implementing versioned policy with modern tooling

A demonstration shows how to manage versioned policies for Terraform and Kubernetes using tools like Checkov, Kyverno, and Renovate for automated updates.

#5about 3 minutes

The cultural importance of purpose-driven policy

Effective policy requires a clear narrative explaining the risk it mitigates, which encourages collaboration and allows the policy to evolve with the business.

#6about 22 minutes

Q&A on policy culture, tooling, and security

The speaker answers audience questions about cultural challenges, tooling like OPA, supply chain attacks, and the role of risk management.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

The challenges of managing policies as code in Git
20:42 MIN

The challenges of managing policies as code in Git

What we Learned from Reading 100+ Kubernetes Post-Mortems

Shifting security left to prevent incidents before deployment
02:55 MIN

Shifting security left to prevent incidents before deployment

OPA for the cloud natives

Demo of enforcing compliance with policy as code
23:52 MIN

Demo of enforcing compliance with policy as code

Unleashing Potential Across Teams: The Power of Infrastructure as Code

Q&A: Implementing DevOps and advocating for change
17:34 MIN

Q&A: Implementing DevOps and advocating for change

Shifting Stress to Progress— Understanding DevOps to do DevOps Better

Introducing Policy as Code and Open Policy Agent
04:57 MIN

Introducing Policy as Code and Open Policy Agent

Decoupled Authorization using Policy as Code

Implementing and enforcing supply chain policies
23:29 MIN

Implementing and enforcing supply chain policies

Securing your application software supply-chain

Implementing automated guardrails instead of manual gates
10:30 MIN

Implementing automated guardrails instead of manual gates

Great DevEx and Regulatory Compliance - Possible?

How to introduce policy enforcement gradually
13:07 MIN

How to introduce policy enforcement gradually

What we Learned from Reading 100+ Kubernetes Post-Mortems

Featured Partners

Related Videos

See all videos
Un-complicate authorization maintenance1:00:00

Un-complicate authorization maintenance

Alex Olivier

Decoupled Authorization using Policy as Code32:16

Decoupled Authorization using Policy as Code

Anderson Dadario & Denys Vitali

OPA for the cloud natives26:23

OPA for the cloud natives

Philipp Krenn

Great DevEx and Regulatory Compliance - Possible?23:26

Great DevEx and Regulatory Compliance - Possible?

Martin Reynolds

Platform Engineering vs. DevOps Why not both?58:40

Platform Engineering vs. DevOps Why not both?

Christian Strack

Technology is Necessary, But Not Sufficient37:09

Technology is Necessary, But Not Sufficient

Simon Copsey

3 Key Steps for Optimizing DevOps Workflows24:31

3 Key Steps for Optimizing DevOps Workflows

Daniel Tao

DevSecOps: Security in DevOps33:20

DevSecOps: Security in DevOps

Aarno Aukia

Related Articles

View all articles
AG
Andre Braun, GitLab
Now is the time for industrialized software development
Now is the time for industrialized software development Recently, I received a letter from my car’s manufacturer alerting me to a recall. They had discovered a defective part and wanted to replace it. It was easily fixed, and I might have forgotten a...
Now is the time for industrialized software development
CH
Chris Heilmann
With AIs wide open - WeAreDevelopers at All Things Open 2025
Last week our VP of Developer Relations, Chris Heilmann, flew to Raleigh, North Carolina to present at All Things Open . An excellent event he had spoken at a few times in the past and this being the “Lucky 13” edition, he didn’t hesitate to come and...
With AIs wide open - WeAreDevelopers at All Things Open 2025
CH
Chris Heilmann
WeAreDevelopers LIVE days are changing - get ready to take part
Starting with this week's Web Dev Day edition of WeAreDevelopers LIVE Days, we changed the the way we run these online conferences. The main differences are:Shorter talks (half an hour tops)More interaction in Q&AA tips and tricks "Did you know" sect...
WeAreDevelopers LIVE days are changing - get ready to take part

From learning to earning

Jobs that call for the skills explored in this talk.