Red Hat is previewing a policy-as-code capability for the Ansible Automation Platform that promises to make it simpler to apply and enforce governance and compliance policies.
The capability was demonstrated at the Red Hat Summit and AnsibleFest 2024 conference, where Matthew Jones, chief architect for Red Hat Ansible Automation Platform, told attendees it would, for example, make it possible to enforce policies that prevent artificial intelligence (AI) models from initiating actions beyond the scope of a set of policies defined as code.
The capability is scheduled to be added to the Red Hat Ansible Automation Platform in the coming months. In effect, Red Hat is providing a declarative approach to implementing policy-as-code that eliminates the need to deploy and master a separate programming framework.
Alternative to GRC Platforms
Policy-as-code frameworks have evolved as an alternative to governance, risk and compliance (GRC) management platforms deployed and managed by a dedicated team. Rather than acquiring and deploying such a platform, organizations meet GRC requirements with code that programmatically enforces policies within DevOps workflows, either before or after an application is deployed.
The challenge until now has been that policy-as-code frameworks required DevOps teams to deploy a separate framework, which in some instances also required someone on the team to master a programming language designed specifically for that framework. Red Hat is now making the case for implementing policy-as-code using the same declarative Ansible platform many IT teams already use to automate workflows.
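To make the idea concrete, the following play is an added illustration (not the previewed Red Hat capability and not code from Red Hat) of a pre-deployment policy expressed declaratively with only standard `ansible.builtin` modules and filters. The `deployment` and `policy` variables, the registry name and the port list are constructed sample input; in practice they would come from inventory, a CI job or an API request.

```yaml
# Added example: a pre-deployment policy as a plain Ansible play.
# Uses only ansible.builtin modules/filters; not Red Hat's previewed feature.
- name: Enforce deployment policy (constructed example policy)
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed sample input standing in for a deployment request.
    deployment:
      image: "registry.example.com/app:1.4.2"
      run_as_root: false
      exposed_ports: [8443]
      approved_by: "change-advisory-board"
    # Constructed policy: images must come from the internal registry,
    # must not run as root, must not expose remote-admin ports, and
    # every deployment needs a recorded approver.
    policy:
      allowed_registry: "registry.example.com/"
      blocked_ports: [22, 23, 3389]
  tasks:
    - name: Check image provenance, privilege, ports and approval
      ansible.builtin.assert:
        that:
          - deployment.image is match(policy.allowed_registry)
          - not deployment.run_as_root
          - deployment.exposed_ports | intersect(policy.blocked_ports) | length == 0
          - deployment.approved_by is defined and deployment.approved_by | length > 0
        fail_msg: "Policy violation for {{ deployment.image }}; deployment halted"
        success_msg: "Deployment request satisfies policy"
```

Run with `ansible-playbook policy.yml`; a failing `assert` stops the play with a non-zero exit status, which is what lets a CI/CD pipeline treat the policy as a gate rather than a report. Changing `run_as_root` to `true` or adding `22` to `exposed_ports` demonstrates the failure path.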
It’s not clear how many organizations have thus far embraced policy-as-code. However, Red Hat is betting that as organizations move to operationalize AI, the requirement will soon grow much larger. The issue that remains to be resolved is to what degree that goal is best achieved with an automation platform such as Ansible versus a DevSecOps platform built on a continuous integration/continuous delivery (CI/CD) pipeline that has been extended to let DevOps teams address compliance mandates programmatically.
Alternatively, organizations might in the longer term rely on the reasoning capabilities of a large language model (LLM) to ensure compliance mandates are met, as the ability of generative AI models to automate tasks becomes more robust. In theory, an LLM could not only summarize a compliance issue but also recommend how best to resolve it and have that fix applied automatically, either by the model itself or by an automation framework such as Ansible.
Red Hat, in the meantime, has yet to signal its intentions for the Terraform infrastructure-as-code (IaC) tools that parent company IBM is gaining through its acquisition of HashiCorp. In some cases, a subset of GRC requirements might be addressed through the IaC tools used to programmatically provision IT infrastructure.
Regardless of approach, it’s apparent that more responsibility for compliance is shifting left toward application development teams, much as security did with the rise of DevSecOps workflows. That matters because the mandates are increasing in number and the fines and penalties for violating them are becoming more costly. The challenge, and the opportunity, is now to prevent violations from occurring in the first place using policy-as-code tools that are slowly but surely becoming more accessible.