Automated compliance management in hybrid cloud architectures: A policy-as-code approach

Compliance management grew in complexity with the proliferation of hybrid cloud infrastructures that integrate on-premises systems with public cloud services. Manual and traditional methods of compliance enforcement are becoming increasingly ineffective in these dynamic heterogeneous environments, exposing risk elevation and inefficient operations. This study explores the applicability of Policy-as-Code (PaC) as a disruption agent for compliance automation under hybrid cloud architectures. PaC enforces obligations continuously, monitors them in real-time, and remediates them automatically by embedding these obligations as machine-readable, declarative policies. The paper reviews the evolution of compliance automation, introduces a conceptual model for PaC integration across hybrid environments, and presents a reference architecture and workflow design for ensuring continuous compliance. It then evaluates the prominent tools and platforms that have varying support for said reference architecture, such as Open Policy Agent, HashiCorp Sentinel, and Azure Policy, describing their features, interoperability, and domain-specific use cases, e.g., finance, healthcare, and the public sector. Finally, the research establishes benefits, current limitations for alternative directions for adoption, and a future for PaC with respect to achieving scalable auditable compliance strategies that are resilient across cloud ecosystems from another perspective.