Policies

Policies connect compliance expectations to evidence that operators and auditors can review.

Current state:

  • Unauthorized-device detection is implemented as a deterministic rule.
  • Starter SOC 2, HIPAA, and GLBA controls are implemented with control IDs, domains, descriptions, policy references, and evidence expectations.
  • Tenant-specific control status placeholders are implemented.
  • Open Policy Agent (OPA) integration is planned but not yet wired in.

Planned:

  • Tenant policy configuration.
  • OPA-backed authorization and compliance checks.
  • Tenant-specific policy configuration and approvals.