Policy as Code
Definition
Policy as code is the practice of defining governance rules in versioned, machine-readable files rather than prose or scattered configuration, so policy can be reviewed, tested, signed, and applied consistently and automatically.
Treating policy like software
When rules live in a document or in ad-hoc if-statements across services, they drift, conflict, and resist audit. Policy as code moves them into versioned artifacts that go through the same lifecycle as application code: peer review on change, testing against expected decisions, and a clear history of who changed what and when. The result is governance you can reason about — a single source of truth that a decision engine evaluates the same way every time.
Signing, simulation, and shadow policy
Cordum stores policy as versioned bundles and adds production-grade safeguards. Bundles can be signed (an Ed25519 signature over the bundle digest), with a strict mode that rejects unsigned policy, so only reviewed-and-approved rules take effect. Operators can simulate a policy against historical traffic to see what it would have decided, and run a shadow policy alongside the active one to measure impact before promotion. This lets teams change governance confidently without guessing at the blast radius of a rule change.
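A sketch of the signed-bundle gate described above, added here as an illustration rather than taken from Cordum's code: the bundle layout, key handling and function names are assumptions. The digest of the bundle is signed with Ed25519, and strict mode refuses anything unsigned, while a bundle edited after signing fails verification in either mode.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Bundle is a constructed policy-bundle layout (not Cordum's own): rule text
// plus an optional detached Ed25519 signature over the bundle digest.
type Bundle struct {
	Version   string
	Rules     []byte
	Signature []byte // nil when unsigned
}

var ErrUnsigned = errors.New("bundle is unsigned")
var ErrBadSig = errors.New("bundle signature does not verify")

// Digest hashes version and rules with a separator so the signature covers both.
func Digest(b Bundle) []byte {
	h := sha256.New()
	h.Write([]byte(b.Version))
	h.Write([]byte{0})
	h.Write(b.Rules)
	return h.Sum(nil)
}

// Sign attaches an Ed25519 signature over the bundle digest.
func Sign(priv ed25519.PrivateKey, b Bundle) Bundle {
	b.Signature = ed25519.Sign(priv, Digest(b))
	return b
}

// Admit gates promotion to active policy: strict mode refuses unsigned bundles,
// and any signature present must verify, so a bundle edited after signing fails.
func Admit(pub ed25519.PublicKey, b Bundle, strict bool) error {
	if b.Signature == nil {
		if strict {
			return ErrUnsigned
		}
		return nil
	}
	if !ed25519.Verify(pub, Digest(b), b.Signature) {
		return ErrBadSig
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	b := Sign(priv, Bundle{Version: "v3", Rules: []byte(`deny if tool == "shell"`)})
	fmt.Println("signed:", Admit(pub, b, true), "unsigned:", Admit(pub, Bundle{}, true))
}
```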
Frequently asked questions
How is policy as code different from writing rules in application code?
Application-level if-statements are scattered, hard to audit, and re-implemented per service. Policy as code centralizes rules in versioned, testable artifacts that one decision engine evaluates uniformly, so behavior is consistent and changes are reviewable.
How do you safely change a policy in production?
Simulate the new policy against past traffic to preview its decisions, run it in shadow mode alongside the active policy to measure impact, and require signed bundles so only reviewed changes take effect before promotion.
Related reading
Govern your AI agents with Cordum
Cordum is the agent control plane: policy-before-dispatch enforcement, human approvals, and a tamper-evident audit trail for autonomous AI agents.