How AI sees more clearly with policy as code

Gormley: Organizations typically implement policy as code through a combination of declarative policy languages and enforcement engines. In other words, they incorporate the appropriate regulations and operational rules into code that AI agents can read and must obey. If it’s in the code, the AI agent must execute. And if an instruction is not in the code, the AI agent cannot see or act upon it.

The people who architect the code rely on Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) to develop policy-as-code rules that determine whether an action should be allowed, and whether it violates policy. The bottom line is that an AI agent, by design, is unable to act outside the parameters of its allowed operations. And the beauty of the capability is that it also enables system observability and accurate record keeping.

The Kyndryl differentiator is that we embed our policy-as-code capability directly into the Kyndryl Agentic AI Framework. In the same way that all Kyndryl solutions are fit-for-purpose instead of off-the-shelf, our approach to policy as code governs every aspect of digital workflow — from initial data retrieval to final approval. By design, people supervise the system. They don’t just observe and report. As a result, Kyndryl’s approach to policy as code eliminates the impact of AI hallucinations, provides end-to-end oversight and auditing, and can enable faster deployment of agentic AI without jeopardizing safety, transparency or human control.
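
The PDP/PEP split described in the interview, shown as an added Python example (not from the interview and not Kyndryl's code): a decision function that denies anything without a matching rule, and an enforcement wrapper that records every decision before a tool runs. The policy rules, agent names and tool functions are constructed for illustration.

```python
import fnmatch
import json

# Constructed policy for illustration: explicit allow rules only.
POLICY = [
    {"id": "read-tickets", "agent": "triage-agent", "action": "read",
     "resource": "tickets/*"},
    {"id": "close-low", "agent": "triage-agent", "action": "close",
     "resource": "tickets/*", "when": {"severity": ["low"]}},
]

def pdp_decide(request, policy=POLICY):
    """Policy Decision Point: pure function, returns (allowed, rule_id)."""
    for rule in policy:
        if (rule["agent"] == request["agent"]
                and rule["action"] == request["action"]
                and fnmatch.fnmatchcase(request["resource"], rule["resource"])
                # A missing context value never satisfies a condition (fail closed).
                and all(request.get("context", {}).get(k) in allowed
                        for k, allowed in rule.get("when", {}).items())):
            return True, rule["id"]
    return False, None  # default deny: no matching rule means no permission

class PolicyEnforcementPoint:
    """Policy Enforcement Point: the only path from the agent to its tools."""
    def __init__(self, tools):
        self.tools = tools
        self.audit_log = []

    def execute(self, request):
        allowed, rule_id = pdp_decide(request)
        # Record every decision, allowed or denied, before acting on it.
        self.audit_log.append(json.dumps(
            {"agent": request["agent"], "action": request["action"],
             "resource": request["resource"], "allowed": allowed,
             "rule": rule_id}, sort_keys=True))
        if not allowed:
            raise PermissionError(
                f"denied: {request['action']} on {request['resource']}")
        return self.tools[request["action"]](request["resource"])

if __name__ == "__main__":
    pep = PolicyEnforcementPoint({"read": lambda r: f"contents of {r}",
                                  "delete": lambda r: f"deleted {r}"})
    print(pep.execute({"agent": "triage-agent", "action": "read",
                       "resource": "tickets/42"}))
    try:  # "delete" exists as a tool but no rule allows it
        pep.execute({"agent": "triage-agent", "action": "delete",
                     "resource": "tickets/42"})
    except PermissionError as exc:
        print(exc)
    print("\n".join(pep.audit_log))
```

The denied `delete` call still produces an audit entry, so the log shows attempted actions as well as permitted ones.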