S09: Policy as Platform

Gatekeeper 3.22 (March 2026) shipped VAP enforcement by default. CEL is now the in-tree policy language across Kubernetes, Envoy, Istio, and Google IAM. But Kyverno still owns mutation. Gatekeeper still owns ConstraintTemplate sharing. Three engines is not a failure. It is a transition.

Policy is a platform product with a routing matrix. This series covers the three-engine coexistence, the Rego-to-CEL migration, and the continuous-compliance evidence emission that turns SOC 2 from a quarterly theater into a CI artifact.