April 22, 2026 – Rapid policy change, growing regulatory complexity, and increasingly fragmented technology environments are straining security and compliance management and enforcement. New insights from global IT research and advisory firm Info-Tech Research Group reveal that while policy-as-code (PaC) is gaining attention as a solution, most organizations are not prepared to adopt it effectively.
To help IT and security leaders address inconsistent policy enforcement and growing compliance complexity, Info-Tech has published its Assess Readiness and Value for Policy-as-Code resource, which provides a structured framework to evaluate organizational readiness, clarify potential value, and determine the most appropriate adoption path.
“In the right organizational context, PaC adoption is more than a tooling rollout: it’s a strategic process that brings stakeholders together, clarifies true policy intent, and establishes enforceable defaults,” says Seva Ioussoufovitch, senior research analyst at Info-Tech Research Group. “Conversely, treating PaC as a plug-and-play extension of infrastructure-as-code risks premature implementation that only codifies chaos, heightens security risk, and degrades delivery performance.”
Info-Tech’s findings underscore that PaC adoption is not a simple yes-or-no decision but a complex strategic choice. Ioussoufovitch, one of the firm’s experts on security and privacy, suggests organizations must carefully weigh where automation will meaningfully reduce risk and improve performance, where manual processes still make sense, and what foundational gaps must be addressed first.
Key Challenges IT Leaders Face With Policy-as-Code Adoption
Despite growing interest in PaC, Info-Tech’s resource highlights several common challenges that can limit PaC effectiveness:
- Misaligned expectations or lack of understanding by stakeholders, who may be resistant to PaC or view it as a standalone tool rather than a strategic initiative
- Unclear policy ownership and governance, leading to inconsistent interpretation and enforcement
- Immature or poorly defined policies, which reduce the value of automation
- Skills and capability gaps across security, compliance, and other relevant teams
Info-Tech’s Framework for Assessing Policy-as-Code Readiness and Value
The Assess Readiness and Value for Policy-as-Code blueprint highlights that successful PaC adoption depends on understanding both where it will deliver value and whether the organization is ready to support it. Findings in the resource show many initiatives stall when organizations move too quickly into implementation without aligning stakeholders, validating use cases, or addressing gaps in governance and skills. To mitigate this, Info-Tech outlines a structured three-step approach to assess fit, align teams, and define a clear path forward.
Step 1: Define Potential Scope – Led by security leaders, platform engineering teams, and DevOps managers, this step focuses on identifying where PaC can be applied to deliver the most impact. Teams evaluate key use cases such as pipeline policy enforcement, infrastructure and platform guardrails, identity and access controls, and compliance mapping to ensure efforts are aligned with business and regulatory priorities.
Step 2: Assess Value and Readiness – CIOs, CISOs, and cross-functional stakeholders across security, infrastructure, and compliance teams are responsible for evaluating both the potential business value and organizational readiness. This includes assessing capabilities across four critical areas: technical systems and integration, governance and stakeholder alignment, team skills and collaboration practices, and security and compliance metrics.
Step 3: Select the Right Path Forward – Executive leadership, in collaboration with IT and security leaders, uses assessment results to determine the most appropriate next step. Depending on outcomes, organizations may proceed with a full pilot, initiate a limited pilot, prioritize readiness improvements, or delay adoption until foundational gaps are addressed.
By grounding PaC adoption decisions in both value and readiness, Info-Tech’s resource shows how organizations can avoid premature implementation that codifies ineffective policies or introduces additional complexity. The firm’s blueprint highlights that without this upfront assessment, PaC initiatives often reinforce existing gaps rather than improving enforcement. By following the structured approach outlined in the resource, organizations can instead focus on targeted use cases where PaC strengthens enforcement, reduces manual overhead, and improves consistency across environments.
For exclusive and timely commentary from Seva Ioussoufovitch, an expert on security and privacy, and access to the complete Assess Readiness and Value for Policy-as-Code blueprint, please contact pr@infotech.com.
About Info-Tech Research Group
Info-Tech Research Group is the “get things done” partner for over 30,000 IT, HR, and marketing leaders worldwide. The fastest growing research and advisory firm, Info-Tech enables leaders to make well-informed decisions and transform their organizations through AI, strategic foresight, step-by-step methodologies, practical tools, industry-leading advisory, and training programs. For nearly 30 years, tens of thousands of private and public organizations have trusted Info-Tech to lead their most important initiatives through periods of change and deliver outcomes that truly matter.
To learn more about Info-Tech's HR research and advisory services, visit McLean & Company, and for data-driven software buying insights and vendor evaluations, visit the firm's SoftwareReviews platform.
Media professionals can register for unrestricted access to research across IT, HR, and software and hundreds of industry analysts through the firm’s Media Insiders program. To gain access, contact pr@infotech.com.
For information about Info-Tech Research Group or to access the latest research, visit infotech.com and connect via LinkedIn and X.
Media Contact
Sufyan Al-Hassan, PR Director
Info-Tech Research Group
salhassan@infotech.com | +1 (888) 670-8889 x2418