Canvas Cloud AI

Policy as Code

advanced
emerging

Definition

Practice of defining organizational policies, compliance rules, and governance as executable code that can be automatically enforced. Like having security rules and compliance requirements written as programs that check themselves automatically.

Real-World Example

Security teams use policy as code to automatically prevent deployment of resources that don't meet security requirements, like blocking public S3 buckets.
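A policy like the one above can run as a pre-deployment gate in CI. The following is an added example, not code from this page or from any of the tools it names; the simplified, Terraform-plan-like input shape, the `change` helper and all bucket names are constructed assumptions.

```python
PUBLIC_ACLS = {"public-read", "public-read-write"}
BLOCK_FLAGS = ("block_public_acls", "block_public_policy",
               "ignore_public_acls", "restrict_public_buckets")

def evaluate(plan):
    """Return (address, reason) for every bucket that violates the policy."""
    live = [rc for rc in plan.get("resource_changes", [])
            if rc["change"]["actions"] != ["delete"]]  # deletions cannot expose data
    # Index public-access-block settings by the bucket they protect.
    blocks = {rc["change"]["after"].get("bucket"): rc["change"]["after"]
              for rc in live if rc["type"] == "aws_s3_bucket_public_access_block"}
    violations = []
    for rc in live:
        if rc["type"] != "aws_s3_bucket":
            continue
        after = rc["change"]["after"]
        if after.get("acl") in PUBLIC_ACLS:
            violations.append((rc["address"], f"public ACL {after['acl']!r}"))
        block = blocks.get(after.get("bucket"))
        off = [f for f in BLOCK_FLAGS if block is None or block.get(f) is not True]
        if off:  # fail closed: a missing block counts as every flag being off
            violations.append((rc["address"], "not blocked: " + ", ".join(off)))
    return violations

def gate(plan):
    """CI entry point: print findings, return a non-zero exit code to stop the deploy."""
    findings = evaluate(plan)
    for address, reason in findings:
        print(f"DENY {address}: {reason}")
    return 1 if findings else 0

# Constructed sample plan (hypothetical shape and names, not real tool output).
ALL_ON = dict.fromkeys(BLOCK_FLAGS, True)
def change(address, after, actions=("create",)):
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": list(actions), "after": after}}
PLAN = {"resource_changes": [
    change("aws_s3_bucket.logs", {"bucket": "example-logs", "acl": "private"}),
    change("aws_s3_bucket_public_access_block.logs", {"bucket": "example-logs", **ALL_ON}),
    change("aws_s3_bucket.site", {"bucket": "example-site", "acl": "public-read"}),
    change("aws_s3_bucket.data", {"bucket": "example-data"}),
    change("aws_s3_bucket_public_access_block.data",
           {"bucket": "example-data", **ALL_ON, "block_public_policy": False}),
]}

if __name__ == "__main__":
    raise SystemExit(gate(PLAN))
```

The gate treats a bucket with no public access block as a violation, so a resource that simply omits the setting fails the check rather than passing silently.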

Cloud Provider Equivalencies

Policy as Code is implemented via policy engines and guardrails that evaluate infrastructure and configuration against rules. Azure Policy and GCP Organization Policy provide first-class policy frameworks. On AWS, similar outcomes are achieved by combining SCPs (account-level guardrails), AWS Config rules (configuration compliance), and IaC policy tools like CloudFormation Guard; IAM Access Analyzer helps detect unintended access. On OCI, Cloud Guard recipes and IAM policies provide governance and enforcement patterns, often paired with CI/CD checks.

AWS: AWS Organizations (Service Control Policies), AWS Config (Config Rules), AWS CloudFormation Guard, AWS IAM Access Analyzer
AZ: Azure Policy
GCP: Organization Policy Service
OCI: OCI Cloud Guard (Detector/Responder recipes), OCI IAM Policies
