Standard: Policy enforcement is automated across environments

Purpose and Strategic Importance

This standard ensures that policy enforcement—covering security, compliance, and quality—is automated across all environments. It enables consistent governance without slowing down delivery or relying on manual checks.

Aligned to our "Automate Everything Possible" and "Infrastructure as Code (IaC) & Policy as Code" policies, this standard promotes fairness, reduces human error, and strengthens organisational trust. Without it, enforcement is patchy, reactive, and hard to scale.

Strategic Impact

  • Improved delivery flow and consistency
  • Reduced risk exposure and governance gaps
  • Higher system resilience and team autonomy
  • Scalable, repeatable controls across environments

Risks of Not Having This Standard

  • Inconsistent compliance and increased audit failures
  • Increased manual effort and potential for human error
  • Reduced trust in operational integrity
  • Governance practices that do not scale

CMMI Maturity Model

Level 1 – Initial

  Category                 Description
  People & Culture         Policies are communicated manually and inconsistently. Teams rely on shared knowledge and custom scripts.
  Process & Governance     Enforcement is reactive and varies by team or environment.
  Technology & Tools       No tooling to enforce policy at scale. Manual review processes dominate.
  Measurement & Metrics    No visibility into policy violations or enforcement effectiveness.

Level 2 – Managed

  Category                 Description
  People & Culture         Teams recognise the need for consistency but lack shared practices.
  Process & Governance     Static analysis and linter tools are introduced for code or config policies.
  Technology & Tools       Policy enforcement tools (e.g., TFLint, OPA) are used inconsistently. Some automation exists in CI/CD.
  Measurement & Metrics    Violations may be captured, but there is no systematic reporting or analysis.

Level 3 – Defined

  Category                 Description
  People & Culture         Teams are accountable for codifying and enforcing policies within their pipelines.
  Process & Governance     Policies are version-controlled and reviewed alongside code.
  Technology & Tools       Policies are enforced automatically across build, test, and deploy stages.
  Measurement & Metrics    Dashboards and reports track adherence rates and recurring violations.

Level 4 – Quantitatively Managed

  Category                 Description
  People & Culture         Teams use policy adherence data to prioritise improvements.
  Process & Governance     Compliance thresholds and exceptions are defined with traceability.
  Technology & Tools       Enforcement tooling is integrated into SDLC workflows and deployment gates.
  Measurement & Metrics    Violation trends and policy coverage are tracked longitudinally.

Level 5 – Optimising

  Category                 Description
  People & Culture         Policy creation and refinement are decentralised and continuously improved.
  Process & Governance     Feedback from violations and audits informs policy updates. Policies adapt to evolving technology and risk contexts.
  Technology & Tools       Policies are tested, simulated, and validated before rollout. ML or pattern recognition informs governance insights.
  Measurement & Metrics    Metrics drive proactive governance. Success is measured by the reduction in preventable issues and audit findings.

Key Measures

  • % of policies codified and version-controlled
  • % of pipelines with automated policy enforcement
  • Number and severity of policy violations detected pre-release
  • Time to detect and resolve non-compliant changes
  • Policy coverage across environments and resource types
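
The Level 3 and Level 4 rows above (policies version-controlled with the code, enforced automatically at a deployment gate, with compliance thresholds and traceable exceptions) and the key measures (violations by severity detected pre-release) are easier to picture with a minimal policy-as-code gate. The following is an added illustration, not the playbook's own tooling or any particular product's API: policies are plain data kept in the repository, evaluated against a deployment artefact, and the result decides whether the stage may proceed. The policy ids, resources, exception ticket and dates are constructed sample values.

```python
"""Policy-as-code gate for a delivery pipeline (added example).

Policies are version-controlled data evaluated against a deployment
artefact; thresholds decide whether the stage passes, and every
exemption must reference a ticket and carry an expiry so it is traceable.
All ids, resources, tickets and dates below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITIES = ("high", "medium", "low")


@dataclass(frozen=True)
class Violation:
    policy_id: str
    severity: str
    resource: str
    message: str
    exception_ref: Optional[str] = None  # ticket that granted an exemption

    @property
    def exempt(self) -> bool:
        return self.exception_ref is not None


# --- Policy checks: each returns None when compliant, else a message. ---
def bucket_encrypted(r):
    if r["type"] == "storage_bucket" and r.get("encryption") != "enabled":
        return "encryption at rest is not enabled"


def bucket_not_public(r):
    if r["type"] == "storage_bucket" and r.get("public_access"):
        return "public access is enabled"


def no_world_open_admin_ports(r):
    # Only 80/443 may be reachable from anywhere; other ports must be scoped.
    if (r["type"] == "firewall_rule" and r.get("source") == "0.0.0.0/0"
            and r.get("port") not in (80, 443)):
        return f"port {r.get('port')} is open to 0.0.0.0/0"


def required_tags(r):
    missing = sorted({"owner", "env"} - set(r.get("tags", {})))
    if missing:
        return "missing tags: " + ", ".join(missing)


# Constructed policy register: (id, severity, check). In practice this file
# is reviewed and versioned alongside the code it governs.
POLICIES = [
    ("STORAGE-001", "high", bucket_encrypted),
    ("STORAGE-002", "high", bucket_not_public),
    ("NET-001", "high", no_world_open_admin_ports),
    ("TAG-001", "low", required_tags),
]

# Constructed exception register, keyed by (policy id, resource name).
EXCEPTIONS = {
    ("STORAGE-001", "legacy-exports"): {"ticket": "RISK-0000 (placeholder)",
                                        "expires": "2025-12-31"},
}

# Constructed deployment artefact, e.g. resources extracted from an IaC plan.
RESOURCES = [
    {"type": "storage_bucket", "name": "app-logs", "encryption": "enabled",
     "public_access": False, "tags": {"owner": "platform", "env": "prod"}},
    {"type": "storage_bucket", "name": "legacy-exports", "encryption": "disabled",
     "public_access": False, "tags": {"owner": "finance"}},
    {"type": "firewall_rule", "name": "admin-ssh", "port": 22, "source": "0.0.0.0/0"},
    {"type": "firewall_rule", "name": "web", "port": 443, "source": "0.0.0.0/0"},
]


def evaluate(resources, policies=POLICIES, exceptions=EXCEPTIONS, today=None):
    """Run every policy over every resource; honour only unexpired exceptions."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    violations = []
    for r in resources:
        for policy_id, severity, check in policies:
            message = check(r)
            if message is None:
                continue
            ref = None
            exc = exceptions.get((policy_id, r["name"]))
            if exc and date.fromisoformat(exc["expires"]) >= today:
                ref = exc["ticket"]
            violations.append(Violation(policy_id, severity, r["name"], message, ref))
    return violations


def active_counts(violations):
    """Non-exempt violations per severity: the pre-release measure to track."""
    counts = {s: 0 for s in SEVERITIES}
    for v in violations:
        if not v.exempt:
            counts[v.severity] += 1
    return counts


def gate(violations, thresholds):
    """True when every severity is within its allowed count of active violations."""
    counts = active_counts(violations)
    return all(counts[s] <= thresholds.get(s, 0) for s in SEVERITIES)


def report(violations):
    lines = []
    for v in violations:
        flag = f" [exempt: {v.exception_ref}]" if v.exempt else ""
        lines.append(f"{v.severity.upper():6} {v.policy_id} {v.resource}: {v.message}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = evaluate(RESOURCES, today="2025-06-01")
    print(report(found))
    ok = gate(found, thresholds={"high": 0, "medium": 0, "low": 5})
    print("GATE:", "PASS" if ok else "FAIL")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit blocks the deploy stage while the report gives the team the violation list; the same `active_counts` output, emitted per pipeline run, feeds the adherence and trend dashboards the Level 3 and Level 4 rows call for. The expiry on each exception is what keeps exemptions traceable rather than permanent: once it lapses the underlying violation counts again.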

Associated Policies

  • Infrastructure as Code (IaC) & Policy as Code

Associated Practices

  • Drift Detection & Correction
  • Health Checks & Readiness Probes
  • Security Testing in CI/CD
  • GitOps
  • Continuous Delivery (CD)
  • Continuous Deployment
  • Continuous Integration (CI)
  • Container Security Scanning
  • Vulnerability Management Dashboards
  • Threat Modelling Workshops
  • Data Encryption-in-Transit & at-Rest
  • Threat Intelligence Feeds
  • Secure API Gateways
  • Service Mesh Implementation
  • Secure Code Training
  • Linting and Static Code Analysis
  • Infrastructure as Code (IaC)
  • Security as Code
  • Dependency Management Policies
  • Configuration as Code
  • Compliance-as-Code
  • Deployment Pipelines
  • Automated Rollbacks
  • Automated Incident Response
