Lesson 10 / 12
Policy and evidence at scale
Governance that works for one team has to hold for fifty without becoming a console no one tracks. Key points:
- Policy is code. Rules ship with Open Policy Agent, live in version control, and are reviewed, versioned, and tested. Pre-built compliance policy bundles map to frameworks such as SOC 2, ISO 27001, PCI-DSS, and FedRAMP. The bundles map to the frameworks; they are not a certification or a claim of compliance.
- Decide what is org-wide baseline and what each tenant may set. Onboarding guardrails let you mark checks mandatory or advisory per tier and enforce them at onboarding and at the deploy gate, with continuous scoring so drift surfaces.
- Evidence is a byproduct of real activity. Controls draw on what the platform recorded, mapped to the requirement each one answers, so a report is generated rather than assembled by hand.