What is Policy Versioning?
Policy versioning is the practice of tracking changes to YAML policy files over time using version control (git), enabling audit trails of who changed what and when, rollbacks to previous versions, and code review workflows for policy changes.
WHY IT MATTERS
A policy that was correct last week might not be correct today. New tools are added, agent scopes change, compliance requirements evolve, and incidents reveal gaps. Policies must change — but uncontrolled changes to security policies are themselves a security risk. A misconfigured policy could expose sensitive data or block legitimate operations. An unauthorised change could weaken controls without anyone noticing.
Policy versioning solves this by applying the same rigour to policy changes that software engineering applies to code changes. Every modification is a commit with an author, timestamp, and message explaining why the change was made. Every version is preserved, so you can see exactly what the policy looked like at any point in history. Differences between versions are visible as diffs, making review straightforward.
For compliance, policy versioning is essential. Auditors need to know not just what your current policies are, but what they were during the audit period. If a security incident occurred on a specific date, you need to know which version of the policy was active at that time. Git provides this history automatically — every commit is a snapshot that can be reconstructed.
Versioning also enables safe experimentation. Teams can branch, test policy changes against real traffic patterns, and merge only after validation — reducing the risk that a well-intentioned change creates a new vulnerability.
HOW POLICYLAYER USES THIS
Intercept reads YAML policies from the filesystem, making git the natural version control system. Organisations store their policy files in a git repository — every change goes through a pull request, gets reviewed by a security or platform team member, and is merged only after approval. Intercept picks up the new policy files on deployment, ensuring the enforced version always matches the version in git. The git history serves as a complete audit trail of every policy change, who made it, and when.
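As an added example (not PolicyLayer or Intercept code), the shell functions below answer the audit question raised above, which version of a policy was active at a given time and who changed it, directly from the kind of git history this section describes. It assumes git is installed and that policies live under policies/ in the repository; the repository, author names, dates and policy contents are constructed for the demo.

```shell
# Added example, not PolicyLayer/Intercept code. Answers the audit question
# "which version of a YAML policy was active at a given time?" straight from
# the git history. Assumes git is installed and policies live under policies/.
set -eu
# Commit that was the latest change to FILE at or before DATE (git date syntax).
policy_commit_at() {  # REPO FILE DATE
  git -C "$1" rev-list -1 --before="$3" HEAD -- "$2"
}
# Content of FILE exactly as it was enforced at DATE.
policy_at() {  # REPO FILE DATE
  rev=$(policy_commit_at "$1" "$2" "$3")
  [ -n "$rev" ] || { echo "no version of $2 existed at $3" >&2; return 1; }
  git -C "$1" show "$rev:$2"
}
# Audit trail for that version: short hash, author, commit time, message.
policy_audit_at() {  # REPO FILE DATE
  rev=$(policy_commit_at "$1" "$2" "$3")
  [ -n "$rev" ] || { echo "no version of $2 existed at $3" >&2; return 1; }
  git -C "$1" log -1 --format='%h %an %ci %s' "$rev"
}
# Diff between the version active at DATE and the current version of FILE.
policy_diff_since() {  # REPO FILE DATE
  rev=$(policy_commit_at "$1" "$2" "$3")
  git -C "$1" diff "$rev" HEAD -- "$2"
}

# Constructed demo repository: two reviewed changes to one agent policy.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  mkdir -p "$repo/policies"
  commit_policy() {  # DATE AUTHOR MESSAGE; new policy content on stdin
    cat > "$repo/policies/agent.yaml"
    git -C "$repo" add policies/agent.yaml
    GIT_AUTHOR_DATE="$1" GIT_COMMITTER_DATE="$1" git -C "$repo" \
      -c user.name="$2" -c user.email="$2@example.com" commit -q -m "$3"
  }
  printf 'agent: billing-bot\nallowed_tools:\n  - read_invoice\n' |
    commit_policy "2024-03-01 09:00:00 +0000" alice "Initial billing-bot policy"
  printf 'agent: billing-bot\nallowed_tools:\n  - read_invoice\n  - issue_refund\n' |
    commit_policy "2024-03-15 09:00:00 +0000" bob "Allow refunds after review"
  echo "$repo"
}

# Demo: an incident on 2024-03-10 falls between the two policy changes.
demo=$(make_demo_repo)
policy_audit_at "$demo" policies/agent.yaml "2024-03-10 00:00:00 +0000"
policy_at "$demo" policies/agent.yaml "2024-03-10 00:00:00 +0000"
policy_diff_since "$demo" policies/agent.yaml "2024-03-10 00:00:00 +0000"
```

The same three calls against a real policy repository give an auditor the exact file, the reviewer-approved commit that introduced it, and what has changed since.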