Policy as code for AI — beyond allow/deny
“Policy as code” transformed infrastructure: rules became version-controlled, testable artifacts instead of wiki pages. OVERT-as-Code brings the same discipline to AI governance — and adds the layer that general-purpose policy engines were never built for: proving the policy actually ran.
The model
You declare governance as code, validate it in CI, and (with the runtime product) enforce it on the live request path:

```
overt.toml ──validate──▶ CI gate ──deploy──▶ runtime enforcement ──▶ signed receipt
 (decide)                 (test)              (enforce)                (prove)
```

The same TOML drives all four stages, mapped 1:1 to the six OVERT domains: tool-call governance, egress/PII protection, human-in-the-loop gates, statistical measurement, attestation, and incident response.
How it differs from OPA/Rego and Terraform Sentinel
General-purpose policy engines answer “is this request allowed?” OVERT-as-Code answers that and “can I later prove this exact decision happened, to someone who doesn’t trust me?”
| | OPA / Rego, Sentinel | OVERT-as-Code |
|---|---|---|
| Domain | General (infra, k8s, cloud) | AI runtime governance specifically |
| Output | allow / deny | Permit / Deny / RequireApproval / Shadow, with typed reasons |
| AI-native controls | build your own | tool allow/deny + parameter schemas, recursion/loop limits, consent & HITL gates, behavioral drift |
| Conformance mapping | none | maps to OVERT domains + NIST/ISO/EU AI Act crosswalks |
| Compliance export | none | NIST OSCAL Assessment Results |
| Proof of execution | not in scope | signed, chained receipts via the runtime + verifier |
The one-line version: OPA decides; OVERT proves. If you already love policy as code, OVERT-as-Code is the AI-native sibling whose decisions leave evidence.
You can use both
OVERT-as-Code is not a replacement for your infrastructure policy stack. Keep Rego for k8s admission control; use OVERT-as-Code for the governance of what your AI agents are allowed to do — and to turn those decisions into an attestation chain that is evidence, not documentation.
Next steps
- Quickstart — a deny-by-default policy in minutes
- OSCAL export — feed your compliance automation
- Verify a proof — the layer that makes “proves” real