Policy as Code

advanced
emerging

Definition

Practice of defining organizational policies, compliance rules, and governance as executable code that can be automatically enforced. Like having security rules and compliance requirements written as programs that check themselves automatically.

Real-World Example

Security teams use policy as code to automatically prevent deployment of resources that don't meet security requirements, like blocking public S3 buckets.

Cloud Provider Equivalencies

Policy as Code is typically implemented with cloud-native policy engines (Azure Policy, GCP Org Policy, AWS Config Rules/SCPs) and/or external policy engines (e.g., OPA) integrated into CI/CD and runtime admission control. AWS often splits governance across SCPs (prevent actions), IAM (authorize), and Config Rules (detect/remediate), while Azure Policy and GCP Org Policy provide centralized constraint definitions and enforcement.

AWS: AWS Config + AWS Config Rules (incl. Guard), AWS Organizations Service Control Policies (SCPs)
Azure: Azure Policy
GCP: Organization Policy Service + Policy Controller (Anthos) + Config Validator (legacy)
OCI: OCI Cloud Guard (detectors/responders) + IAM Policies (for authorization controls)
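The example above (blocking public S3 buckets) and the CI/CD integration described in this section can be combined into a single pre-apply gate. The following Python check is an added illustration, not code from any of the policy engines listed: it reads the JSON shape produced by `terraform show -json`, evaluates each planned `aws_s3_bucket` against two rules (no public ACL; a fully enabled `aws_s3_bucket_public_access_block` must accompany it), and returns denial messages that a pipeline step can fail on. The plan document is constructed inline for the example and contains only the fields the check reads.

```python
"""Policy-as-code gate over a Terraform plan (added example, constructed data)."""
import json

# Constructed sample in the shape of `terraform show -json plan.out`,
# trimmed to the fields this check needs. Not a real plan.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-data", "acl": "private"}}},
        {"address": "aws_s3_bucket_public_access_block.data",
         "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-data",
                              "block_public_acls": True,
                              "block_public_policy": True,
                              "ignore_public_acls": True,
                              "restrict_public_buckets": True}}},
        # A bucket being destroyed has no post-apply state and is not evaluated.
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ]
})

# Canned ACLs that grant access beyond the account (S3 canned ACL names).
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
# All four flags must be true for the public access block to be considered complete.
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def planned_resources(plan, rtype):
    """Yield (address, after-state) for resources of `rtype` that exist after apply."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != rtype:
            continue
        actions = rc["change"]["actions"]
        if "delete" in actions and "create" not in actions:
            continue  # pure destroy: nothing to evaluate
        after = rc["change"].get("after")
        if after is not None:
            yield rc["address"], after


def evaluate_s3_public_policy(plan_json):
    """Return a list of denial messages; an empty list means the plan passes."""
    plan = json.loads(plan_json)

    # Bucket names covered by a fully enabled public access block.
    protected = set()
    for _addr, pab in planned_resources(plan, "aws_s3_bucket_public_access_block"):
        if all(pab.get(flag) is True for flag in PAB_FLAGS):
            protected.add(pab.get("bucket"))

    denials = []
    for addr, bucket in planned_resources(plan, "aws_s3_bucket"):
        acl = bucket.get("acl")
        if acl in PUBLIC_ACLS:
            denials.append(f"{addr}: ACL '{acl}' grants public access")
        if bucket.get("bucket") not in protected:
            denials.append(f"{addr}: no fully enabled aws_s3_bucket_public_access_block")
    return denials


def gate(plan_json):
    """CI gate: True when the plan may proceed to apply, False when policy denies it."""
    return not evaluate_s3_public_policy(plan_json)


if __name__ == "__main__":
    for message in evaluate_s3_public_policy(SAMPLE_PLAN):
        print("DENY", message)
    raise SystemExit(0 if gate(SAMPLE_PLAN) else 1)
```

Run against the constructed plan, the gate denies `aws_s3_bucket.logs` twice (public ACL and missing public access block) and lets `aws_s3_bucket.data` through; the non-zero exit code is what a pipeline stage keys on. The same evaluation logic is what a Rego policy under OPA or an AWS Config rule would express; writing it as code makes the rule reviewable, versioned, and testable alongside the infrastructure it governs.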
