Glossary

Policy-as-Code

Governance rules written as testable, versioned code that the runtime enforces directly.

category ▸ Governance

audit/verify
#101hash ✓#102hash ✓#103hash ✓#104hash ✓#105hash ✓
head 0x9f3a…c1ok: true
verifyChain ▸ chained SHA-256 · signed receipts
What it means

Policy-as-Code, in plain language.

Policy-as-Code expresses governance rules — who may do what, under which conditions, and with what approval — as structured, executable definitions rather than prose in a wiki. Because the rules are code, they can be unit-tested, simulated before they ship, versioned, and reviewed like any other change.

This closes the gap between a written policy and an enforced one. A rule such as "payouts over $5,000 require approval" stops being a hopeful guideline and becomes a deterministic decision the runtime makes every time, identically, with a trace you can inspect.

In Cortex

How Cortex implements it.

This term isn't abstract here — it maps to a real capability in the runtime. Here is exactly how Cortex enforces or relates to it.

Governance

Cortex's policy engine evaluates rules in priority order with most-restrictive-wins precedence (deny > require_approval > allow) and returns the matched rule, the effect, and a per-rule trace. A simulate endpoint previews a decision against live or candidate rules before you save them.

Golden policy tests turn rules into a regression gate: you assert that a given context should yield require_approval, and a candidate rule set that breaks the test is caught before it ships — the same evidence an auditor wants to see for a documented control.

See Policy-as-Code enforced, not just defined.

Book a walkthrough and watch the controls in this glossary return real verdicts, seal real evidence, and trace every fact back to its source.