OWASP Global AppSec EU 2026 Vienna

Enforcing security policies at enterprise scale is challenging, and it's becoming more so with rapid delivery cycles and AI-assisted development. Many organisations adopt policy-as-code to improve security and compliance but realise that, despite the solution’s technical soundness, exceptions multiply and teams quietly work around enforcement to meet delivery targets, with little real improvement in security outcomes.

This talk shares a real-world story of rolling out policy-as-code enforcement across an organisation with several thousand developers. It highlights not only the technical architecture of the enforcement system but also the organisational changes required to ensure its sustainability.

You’ll find out how security policies were defined, versioned, and consistently enforced across CI/CD pipelines. This talk also covers how enforcement points were designed and how feedback loops were built and embedded in the organisation to reduce friction. The session also explores how bypasses and exceptions were handled consistently at scale, and how validation was treated as an organisational assurance problem rather than just a tooling concern.

The talk offers vendor-neutral solutions and practical patterns, lessons learned, and design principles that attendees can adapt to their own environments.