Policies & Guardrails
Governance by design: enforce security and compliance with policy-as-code without blocking teams.
Argy’s stance is simple: governance must be embedded into the delivery and operations workflows.
When governance is an external review step, it becomes a bottleneck. When it is codified, it becomes a platform capability.
What is a guardrail?
A guardrail is any rule that:
- prevents unsafe changes,
- enforces compliance requirements,
- makes decisions explicit.
Examples:
- mandatory tags/labels,
- approved network patterns,
- surfacing and enforcing security audit results (SAST, SCA, container scanning) as deployment evidence,
- surfacing and enforcing compliance audit results (GDPR, DORA, CIS benchmarks) as delivery requirements,
- image provenance rules (approved registries, digest-pinned or signed images),
- encryption requirements,
- least-privilege defaults.
Policy-as-Code (where it fits)
Policy-as-code should validate:
- IaC plans,
- Kubernetes manifests,
- module configuration parameters.
Common engines include OPA (policies written in Rego) and Kyverno. The engine matters less than the integration point: policies are evaluated as part of the golden path, against the IaC plan or manifest before it is applied, so a violation is caught before the change reaches an environment.
Enforcement modes
In practice, organizations need a progressive rollout, so each policy carries an enforcement mode:
- Warn: surface violations early without blocking, so a new policy's impact can be measured before it is enforced.
- Fail: block non-compliant changes.
- Exception: a time-bound, explicit, auditable waiver for a specific policy and resource, recorded with who approved it and why; once it expires, the policy's normal mode applies again.
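As an added example (not Argy's, OPA's or Kyverno's code), the following self-contained Python evaluator shows what the integration point does with the policies and enforcement modes described above: it checks a constructed Deployment manifest for mandatory labels, image provenance (approved registry, digest pinning) and privileged containers, applies warn or fail per policy, and honours an explicit, time-bound exception that lapses on expiry. The label names, registry, manifest, ticket id and dates are assumptions made for this example.

```python
# Added example (not Argy, OPA or Kyverno code): a minimal policy-as-code
# evaluator that checks a Kubernetes manifest against guardrails and applies the
# warn / fail / exception modes. Label names, registry and manifest are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REQUIRED_LABELS = ("team", "cost-center")         # assumed mandatory labels
APPROVED_REGISTRIES = ("registry.example.com/",)  # assumed provenance rule

def containers(manifest):
    # Containers of a workload with a pod template (Deployment-style)
    return manifest.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])

def check_labels(manifest):
    labels = manifest.get("metadata", {}).get("labels", {})
    return [f"missing label {k}" for k in REQUIRED_LABELS if k not in labels]

def check_images(manifest):
    """Image provenance: approved registry and digest pinning."""
    findings = []
    for c in containers(manifest):
        image = c.get("image", "")
        if not image.startswith(APPROVED_REGISTRIES):
            findings.append(f"{c['name']}: {image} is not from an approved registry")
        if "@sha256:" not in image:
            findings.append(f"{c['name']}: {image} is not pinned by digest")
    return findings

def check_privileged(manifest):
    return [f"{c['name']}: privileged container" for c in containers(manifest)
            if c.get("securityContext", {}).get("privileged")]

@dataclass
class Policy:
    name: str
    mode: str      # "warn" surfaces findings, "fail" blocks the change
    check: object  # callable(manifest) -> list of finding strings

@dataclass
class PolicyException:
    # Explicit, time-bound waiver for one policy on one resource
    policy: str
    resource: str
    ticket: str    # approval record that makes the waiver auditable
    expires: datetime

@dataclass
class Decision:
    allowed: bool = True
    violations: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    exceptions_used: list = field(default_factory=list)

def evaluate(manifest, policies, exceptions, now):
    d = Decision()
    resource = f"{manifest['kind']}/{manifest['metadata']['name']}"
    for policy in policies:
        findings = policy.check(manifest)
        if not findings:
            continue
        # A waiver applies only if it names this policy and resource and has not
        # expired; after expiry the policy's normal mode applies again.
        waiver = next((e for e in exceptions if e.policy == policy.name
                       and e.resource == resource and e.expires > now), None)
        if waiver is not None:
            d.exceptions_used.append(f"{policy.name} waived on {resource} by "
                                     f"{waiver.ticket} until {waiver.expires.date()}")
            continue
        tagged = [f"{policy.name}: {f}" for f in findings]
        if policy.mode == "fail":
            d.allowed = False
            d.violations.extend(tagged)
        else:
            d.warnings.extend(tagged)
    return d

POLICIES = [
    Policy("mandatory-labels", "warn", check_labels),   # new rule: warn first
    Policy("image-provenance", "fail", check_images),
    Policy("no-privileged", "fail", check_privileged),
]
# Constructed sample: one compliant container, one breaking both provenance
# rules, and a privileged sidecar covered by a 30-day waiver.
SAMPLE_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "payments-api", "labels": {"team": "payments"}},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "registry.example.com/payments/api@sha256:" + "a" * 64},
        {"name": "debug", "image": "docker.io/library/busybox:latest"},
        {"name": "agent", "image": "registry.example.com/ops/agent@sha256:" + "b" * 64,
         "securityContext": {"privileged": True}},
    ]}}},
}
T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)       # evaluation inside the waiver window
AFTER_EXPIRY = T0 + timedelta(days=31)                # evaluation after the waiver lapsed
EXCEPTIONS = [PolicyException("no-privileged", "Deployment/payments-api",
                              "SEC-1234", T0 + timedelta(days=30))]

def decide(now):
    return evaluate(SAMPLE_MANIFEST, POLICIES, EXCEPTIONS, now)

if __name__ == "__main__":
    print(decide(T0))
    print(decide(AFTER_EXPIRY))
```

Run it twice, once inside the waiver window and once after: the privileged sidecar is recorded as a waived exception the first time and becomes a blocking violation the second, while the label policy only ever warns because it is still in warn mode. In a real pipeline the same decision object is what gets attached to the change as evidence, and the checks would be expressed as Rego or Kyverno rules rather than Python functions.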
Next steps
- Security overview: Security Model
- How guardrails ship with modules: Building Modules