Policy-as-Code for Agent Permissions

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-agentic-agent-policy-as-code-creators

1. Which policy language is specifically mentioned in the material as being used for expressing agent permissions?

   1. JavaScript
   2. Rego
   3. Python
   4. YAML

2. What does the acronym OPA stand for in the context of policy-as-code?

   1. Object Permission Authorization
   2. Operational Policy Automation
   3. Open Policy Agent
   4. Organized Policy Architecture

3. Which of these is identified as a capability of AI in the policy-as-code workflow?

   1. Replacing quarterly policy reviews with continuous AI generation
   2. Eliminating the need for any human oversight of policies
   3. Automatically updating policies without stakeholder input
   4. Translating allowed actions into Rego or Cedar rules

4. According to the material, what is a fundamental limitation of AI when writing policy rules?

   1. AI cannot read policy documents
   2. AI cannot distinguish between allow and deny rules
   3. AI cannot understand basic authorization concepts
   4. AI cannot capture every nuance of human judgment in rules

5. What is the recommended frequency for reviewing written policies according to the material?

   1. Monthly
   2. Only when a security incident occurs
   3. Quarterly
   4. Annually

6. A company policy states: 'refunds under $50 allowed without manager approval.' When writing a Rego rule for this, what boundary value is MOST important to test?

   1. $0.01
   2. $49.99
   3. $50.00
   4. $50.01

7. What does it mean to 'block model-side overrides at the policy layer'?

   1. The AI model can ignore policies when it believes the user has good intent
   2. Developers can override policy decisions by editing model prompts
   3. Policy blocks can be bypassed during emergency situations
   4. The policy engine enforces rules regardless of what the AI model suggests or attempts

8. Why might a policy written six months ago become problematic even if the code hasn't changed?

   1. OPA may have removed support for older policy formats
   2. The policy language Rego may have deprecated syntax
   3. AI models can no longer parse policies older than three months
   4. Business rules and legal requirements may have evolved, making old policies inapplicable

9. What type of testing can be performed on written policies to verify their behavior?

   1. A/B testing with live traffic
   2. Unit tests against known scenarios
   3. Performance benchmarking
   4. User acceptance testing only

10. Why can't policy-as-code completely eliminate the need for prompt guidance?

    1. Rego and Cedar languages cannot express denial rules
    2. Rules cannot capture every nuanced situation that requires contextual human judgment
    3. Prompt guidance is required by law in all jurisdictions
    4. Policies are too complex for the AI to enforce without prompting

11. When creating test cases for a refund policy, what is the purpose of testing boundary values like $49.99 and $50.01?

    1. To check if the AI can process decimal amounts
    2. To test how quickly the policy evaluates
    3. To verify the exact threshold where policy behavior changes
    4. To ensure the system currency formatting is correct

12. What is the primary purpose of permission tests in a policy-as-code workflow?

    1. To automatically verify that policies produce correct allow/deny decisions for known cases
    2. To measure how long it takes to write policies
    3. To test the performance of the AI model under load
    4. To validate user credentials before policy evaluation

13. Why is it important that policies be 'auditable'?

    1. Auditable policies cost less to implement
    2. Auditing is required by cloud computing platforms
    3. Auditing allows security teams to review, approve, and trace permission decisions
    4. AI can only process auditable policies

14. What does it mean to say policies can be 'unit-tested'?

    1. Policies can be tested in isolation with specific inputs to verify expected outputs
    2. Unit testing policies requires shutting down the agent
    3. Policies can only be tested in production environments
    4. Policies must be tested by end users before deployment

15. How does prompt guidance work together with policy-as-code?

    1. Prompts replace policies in production systems
    2. Policies and prompts serve the same purpose and are interchangeable
    3. Policies handle authorization decisions while prompts guide AI behavior in areas rules don't cover
    4. Prompts are converted to policies automatically