Policy as [versioned] code - you're doing it wrong
Chris Nesbitt-Smith presents the case for treating governance policy the same way we treat source code — versioned, iterable, peer-reviewed, and continuously improved. Drawing on his experience advocating modern engineering practices within UK government, Chris explains why policies fail and what it takes to make them work.
Key Topics Covered
- Why policies fail: Policies are usually written once, emotionally, as a reaction to a specific incident. They quickly become outdated, overcomplicated, and disconnected from real risk — leading developers to work around them rather than with them.
- The lift pitch: Using a story of a CIO, Product Manager, developer, and cleaner sharing a lift, Chris illustrates the different stakeholder perspectives on policy — risk ownership, delivery velocity, and day-to-day practicality — and how good policy serves all of them simultaneously.
- Policy as code: Storing policy in version control (Git/GitHub), enforcing it through automated CI/CD pipelines, and treating compliance as a test suite lets teams iterate on policy as fast as the threat landscape changes.
- Kubernetes admission control: The specific technical context — using Kubernetes policy engines (such as OPA/Gatekeeper or Kyverno) to enforce rules at deployment time, giving developers fast and understandable feedback in their existing workflow.
- Iterative, not waterfall: Attempting to write perfect policy upfront causes the same failures as waterfall software delivery. Small, incremental improvements with clear rationale are more effective and more trusted by the teams subject to them.
- Culture over tooling: Tooling is the easy part. The real challenge is helping people understand why a policy exists. When developers understand the consequence, they follow the spirit of the policy — not just its letter.
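Here is what the combination of L7 and L8 looks like in practice: one admission policy plus the unit tests that ship in the same commit, so the pipeline runs the policy's test suite before the policy is ever applied to a cluster. This is an added illustration, not code from the talk. It is written in the shape Gatekeeper's ConstraintTemplate expects (a `violation` rule over `input.review.object`), but the package name, the message wording, and the sample Pods are this example's own choices; wrapping the policy into a ConstraintTemplate, and whether the `import rego.v1` dialect is accepted unchanged, depend on the Gatekeeper version you run.

```rego
# --- policy.rego --------------------------------------------------------
# Admission rule: deny Pods that run a privileged container.
# Lives in Git next to its tests; `opa test` gates the pull request.
package k8sdenyprivileged

import rego.v1

# Every container in the Pod spec, init containers included.
input_containers contains c if {
	some c in input.review.object.spec.containers
}

input_containers contains c if {
	some c in input.review.object.spec.initContainers
}

# The denial message carries the rationale and the remediation, so the
# developer sees *why* at `kubectl apply` time instead of a bare "denied".
violation contains {"msg": msg} if {
	some c in input_containers
	c.securityContext.privileged == true
	msg := sprintf(
		"container %q runs privileged: that grants host-level access and defeats namespace isolation; drop securityContext.privileged, or open a PR against this policy with the justification",
		[c.name],
	)
}

# --- policy_test.rego ---------------------------------------------------
# Same package, so the tests see `violation` directly.
# The AdmissionReview inputs below are constructed for this example,
# not captured from a real cluster.
package k8sdenyprivileged

import rego.v1

privileged_pod := {"review": {"object": {
	"kind": "Pod",
	"metadata": {"name": "debug", "namespace": "team-a"},
	"spec": {"containers": [{"name": "shell", "securityContext": {"privileged": true}}]},
}}}

plain_pod := {"review": {"object": {
	"kind": "Pod",
	"metadata": {"name": "web", "namespace": "team-a"},
	"spec": {"containers": [{"name": "nginx"}]},
}}}

test_privileged_container_is_denied if {
	count(violation) == 1 with input as privileged_pod
}

test_unprivileged_pod_is_allowed if {
	count(violation) == 0 with input as plain_pod
}

# Init containers are easy to forget; the test pins the behaviour.
test_privileged_init_container_is_denied if {
	count(violation) == 1 with input as {"review": {"object": {"spec": {
		"containers": [{"name": "app"}],
		"initContainers": [{"name": "setup", "securityContext": {"privileged": true}}],
	}}}}
}
```

Run `opa test -v .` in the CI job that fronts the policy repository's main branch; a change to the policy (loosening or tightening) must update the tests in the same pull request, which is exactly the peer-reviewed, iterated-in-small-steps loop the talk argues for. The tests double as documentation of which cases the policy is meant to catch.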
This talk shows how to apply a software development pattern and product thinking to the way your organization manages policy: policy that is updated continually so that risk mitigations move as fast as the risk does, that does not get in the way of delivery, and whose compliance is easy to measure.
Related Content

GitHub Actions and Azure - Using Environments with GitHub Actions
Once you have a working GitHub Actions workflow, the next challenge is safely deploying across dev, staging, and production with the right secrets in the right places. This episode deep-dives into GitHub Actions Environments: how to scope secrets per environment to enforce the principle of least privilege, configure required reviewers and wait timers as production gates, and assign service principals with minimal Azure RBAC permissions. A live demo deploys the cloudwithchris.com Hugo site to Azure Storage, making every concept concrete.

Automate Azure Role Based Access Control (RBAC) using Github
Azure RBAC is a critical security control — but managing custom role definitions manually is error-prone, hard to audit, and doesn't scale. In this episode, Chris is joined by Marcel Lupo, DevOps MVP and Solutions Architect, who demonstrates how GitHub Actions can automate the full lifecycle of custom Azure RBAC role definitions. This session goes beyond typical developer workflows to show how GitHub can serve as the governance backbone for your Azure security posture — with role definitions version-controlled, reviewed via pull requests, and deployed through automated pipelines.

V038 / V039 - Weekly Technology Vlog #38 and #39
A double episode catching up on two weeks of Azure updates including AKS scale down modes, Cosmos DB Functions v4, and Azure Functions runtime 4.0 with .NET 6, plus GitHub CLI 2.0, Advanced Security secret scanning APIs, and a look at secretless application patterns with managed identities.