Greg Surber

From Configs to Cognitive Risk.

2 minute read

From Azure Policy to Agent Policy: The Next Frontier

Over the last six months, we have talked about turning Governance into Code.

We replaced PDF policies with Azure Policy definitions. We replaced screenshot audits with Resource Graph queries. We replaced manual remediation with Event Grid automation.

We successfully built a “Constitution” for our infrastructure. If a developer tries to deploy an unencrypted disk, the platform says “No.”

But as we close out 2025, a new challenge has arrived. We aren’t just deploying infrastructure anymore; we are deploying Intelligence.

We are launching AI Agents that have the autonomy to plan, reason, and act. And the terrifying reality is that a secure server does not guarantee a secure agent.

The New Policy Engine

The principles of GRC Engineering still apply, but the syntax is changing. We are moving from Infrastructure Policy to Cognitive Policy.

In Infrastructure Policy, we are binary.

  • Rule: if (location != 'EastUS') { Deny }
  • Result: Pass or Fail.

In Agent Policy, we are semantic.

  • Rule: “Do not provide financial advice.”
  • Result: Probabilistic. The model might refuse, or it might be tricked (“jailbroken”) into doing it anyway.

Azure AI Content Safety is the New “Deny” Effect

Just as we used Azure Policy to enforce constraints on our VMs, we must use Azure AI Content Safety (and tools like Azure AI Studio) to enforce constraints on our Agents.

We cannot rely on the “System Prompt” alone. Telling an LLM “Please don’t be mean” is like putting a “Please Drive Slowly” sign on a highway. It’s a suggestion, not a control.

We need the equivalent of a speed bump.

In Azure AI Studio, we can configure Content Filters that sit between the user and the model. These filters act like an Azure Policy Deny effect. They scan the input and output for specific risk categories (Hate, Self-Harm, Jailbreak attempts) and block the traffic before the model even processes it.

The “Paved Road” for Agents

The goal of GRC Engineering was never to stop developers from building; it was to give them a “Paved Road” where they could move fast safely.

We need to do the same for AI.

Instead of banning AI, we provide a sanctioned Enterprise Agent Platform where:

  1. Identity is managed (Managed Identities).
  2. Network is private (Private Links).
  3. Safety is enforced (Content Filters).

If you build on the Paved Road, you get approved instantly. If you try to build “Shadow AI” on a public API key, you get blocked by the firewall.

The Architect’s Conclusion

The toolset changes. The syntax changes. But the mission remains the same.

Whether we are governing a Kubernetes cluster or a Reasoning Agent, our job is to define the boundaries of the system.

We don’t write rules on paper. We write constraints in code. That is GRC Engineering.

Updated:

You May Also Enjoy