Your Clusters Are Unlocked. Does Your CISO Know?

8 April 2026


Most Kubernetes security programs have the same fatal flaw: the locks are installed, but nobody turned the key.

Walk into almost any enterprise running Kubernetes and you’ll find Kyverno or another policy engine deployed, dashboards full of policy violations, and a security team that believes their clusters are protected. They’re not. The policies are running in audit mode — flagging violations, logging them, and doing absolutely nothing to stop them.

This isn’t a hypothetical. Across hundreds of organizations using open source Kyverno, the pattern is consistent: most policies never graduate from audit to enforce. The cameras are on. The doors are wide open.

The Audit Mode Illusion

Audit mode is not security. It is a security-shaped log file.

When a policy runs in audit mode, a non-compliant workload gets flagged — and then deployed anyway. The violation is recorded. The risk materializes. The only difference from having no policy at all is that you have a longer list of things you didn’t stop.

The physical security analogy is exact: imagine installing card readers on every door in your building, but leaving them in “monitor only” mode. Every unauthorized entry gets logged. Nobody gets stopped. You generate excellent reports on how often you were breached.

That’s the state of Kubernetes security in most organizations today.

Why Enforcement Never Happens

There are four reasons security teams stay stuck in audit mode, and none of them are good enough.

“We don’t want to slow down developers.”  This is the most common one. Enforcement, the argument goes, means blocked deployments, angry engineers, and a ticket queue nobody can manage. But consider what you’re trading: developer friction, measured in hours, against a security incident, measured in millions. The risk calculus isn’t close.

“We can’t handle the volume of violations.”  If you have hundreds of violations, the answer is not to stop enforcing. It’s to understand why you have hundreds of violations and fix the underlying posture. Audit mode doesn’t reduce violations — it just stops you from seeing their real impact.

“Wiz will catch it.”  This is the most dangerous reasoning of all. Wiz and other CNAPPs are detection and response tools. By the time Wiz alerts on a problem, a misconfigured workload is already running in production. Detection is not prevention. You are not safer because you’ll know faster when something goes wrong.

“It’s too hard to get developers to remediate.”  This is real — but it’s an argument for shift-left enforcement, not less enforcement. Developers fix issues fastest when they’re caught in the tools they already use: CI/CD pipelines, and increasingly, AI coding assistants. Nirmata has plugins for Cursor and Claude Code that surface policy violations at the point of authorship — before a non-compliant workload ever reaches a cluster. If you’re only catching violations at admission, you’ve already missed the cheapest moment to fix them.

The Speed Problem Makes This Critical — Right Now

One year ago, a development team might push a dozen new workloads a week. Today, AI-assisted development has multiplied that rate by 10x or more. Code is being written, containerized, and deployed faster than any manual review process can follow.

The workloads arriving at your clusters aren’t just arriving faster — they’re arriving with more complexity. AI agents, model-serving infrastructure, and third-party AI components introduce supply chain risks that traditional policy engines weren’t designed to catch. We covered how to govern AI workloads from code to runtime in a recent post: Governing AI Agents from Code to Runtime. That problem compounds in exactly the same way as the enforcement gap: the longer you wait, the more it costs to unwind.

Your audit mode policies were inadequate before. At AI-accelerated development speed, they are completely irrelevant. Every hour your clusters run in audit mode, non-compliant workloads accumulate faster than your team can review them. You are already behind. The gap widens every day you wait.

This cannot be a next-quarter initiative. The organizations that delay enforcement now will spend the next two years trying to remediate a posture that hardened against them while they were deliberating.

Nirmata has worked with companies that started where most organizations are — nearly 100% of policies in audit mode — and gotten them to 100% enforce. The path there isn’t a big bang. It’s a combination of shift-left tooling that catches violations before they reach the cluster, and graduated enforcement that gives teams a runway to remediate. It’s possible. But it requires starting now.

What to Ask Your Platform Team

If you’re a CISO, these are the questions you should be asking in your next security review. If your team can’t answer them confidently, you have your answer about the state of your enforcement posture.

  1. What percentage of our Kyverno policies are running in enforce mode versus audit mode?  If the answer is anything less than a clear majority in enforce — or if they need to look it up — that’s a gap.
  2. Which policy categories are we enforcing?  Image signing, privilege escalation prevention, network policy, resource limits — ask for each one specifically. Broad “we have policies” answers obscure whether the high-severity categories are actually enforced.
  3. What is our process for graduating a policy from audit to enforce?  There should be a defined workflow. If it’s ad hoc or “we review it when we have time,” enforcement will never scale.
  4. When was the last policy promoted from audit to enforce?  Recency matters. If the answer is months ago — or never — enforcement is not an active practice.
  5. How are policy violations routed back to development teams, and what’s the resolution SLA?  Enforcement without feedback loops creates friction without improvement. But detection without enforcement creates neither.
  6. Are we catching violations before they reach the cluster?  Shift-left matters. Your platform team should be surfacing policy violations in CI/CD pipelines and in the AI coding tools developers use daily — not just at admission.
  7. What’s our plan as AI-assisted development accelerates deployment velocity?  Policies designed for a slower era of software delivery need to be reassessed for a 10x faster one.
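Question 1 above can be answered from the cluster itself rather than from memory. The following is an added example, not nctl or any other Nirmata code: it reads the JSON that `kubectl get clusterpolicies -o json` prints (a constructed sample is embedded so it runs offline) and reports audit versus enforce, overall and per `policies.kyverno.io/category` annotation. It assumes Kyverno's documented default of Audit when no action is set, and that a rule-level `validate.failureAction` overrides the policy-level `validationFailureAction`.

```python
import json
from collections import Counter

# Constructed sample of `kubectl get clusterpolicies -o json` output, trimmed to
# the fields this check reads. Names and categories are illustrative only.
SAMPLE_POLICIES_JSON = json.dumps({"items": [
    {"metadata": {"name": "verify-image-signature",
                  "annotations": {"policies.kyverno.io/category": "Software Supply Chain Security"}},
     "spec": {"validationFailureAction": "Audit", "rules": [{"name": "check-sig", "validate": {}}]}},
    {"metadata": {"name": "disallow-privilege-escalation",
                  "annotations": {"policies.kyverno.io/category": "Pod Security Standards (Restricted)"}},
     "spec": {"validationFailureAction": "Enforce", "rules": [{"name": "no-priv-esc", "validate": {}}]}},
    {"metadata": {"name": "require-resource-limits", "annotations": {}},
     "spec": {"rules": [{"name": "limits", "validate": {"failureAction": "Enforce"}}]}},
    {"metadata": {"name": "require-labels", "annotations": {}},
     "spec": {"rules": [{"name": "labels", "validate": {}}]}},
]})

def effective_action(policy):
    """Return "Enforce" or "Audit" for one ClusterPolicy.
    Assumption: rule-level spec.rules[].validate.failureAction wins over the
    policy-level spec.validationFailureAction; with neither set, Kyverno's
    default is Audit. A policy counts as Enforce only if every validate rule
    enforces, since a single audit-only rule leaves that check toothless."""
    spec = policy.get("spec", {})
    policy_level = spec.get("validationFailureAction", "Audit").capitalize()
    actions = []
    for rule in spec.get("rules", []):
        if "validate" not in rule:      # mutate/generate rules have no failure action
            continue
        rule_level = rule["validate"].get("failureAction")
        actions.append(rule_level.capitalize() if rule_level else policy_level)
    if not actions:
        return policy_level
    return "Enforce" if all(a == "Enforce" for a in actions) else "Audit"

def enforcement_posture(policies_json):
    """Summarise audit vs enforce counts overall, per category, and list the laggards."""
    items = json.loads(policies_json)["items"]
    overall, by_category, audit_only = Counter(), {}, []
    for pol in items:
        action = effective_action(pol)
        category = pol["metadata"].get("annotations", {}).get(
            "policies.kyverno.io/category", "uncategorised")
        overall[action] += 1
        by_category.setdefault(category, Counter())[action] += 1
        if action == "Audit":
            audit_only.append(pol["metadata"]["name"])
    total = sum(overall.values())
    pct = round(100 * overall["Enforce"] / total, 1) if total else 0.0
    return {"total": total, "enforce": overall["Enforce"], "audit": overall["Audit"],
            "enforce_pct": pct, "by_category": {k: dict(v) for k, v in by_category.items()},
            "audit_policies": audit_only}

if __name__ == "__main__":
    print(json.dumps(enforcement_posture(SAMPLE_POLICIES_JSON), indent=2))
```

Against a live cluster, pipe `kubectl get clusterpolicies -o json` into `enforcement_posture` instead of the sample; the `audit_policies` list is the remediation backlog for question 3.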

Prevention Is the Strategy. Detection Is the Fallback.

Wiz is a valuable tool. So is every other CNAPP in the market. But they are the fallback — the alarm that tells you a fire has started.

Nirmata is the sprinkler system. The goal is that you never need Wiz to surface a Kubernetes misconfiguration, because that misconfiguration was blocked at admission. “You’ll never see the issue in Wiz if you use Nirmata correctly” is not marketing — it’s the architecture working as intended.

Prevention and detection are not competing approaches. But prevention has to come first. Detection without prevention means you are always responding, never ahead, perpetually cleaning up what your posture should have blocked.

The companies investing in enforcement now are building a compounding advantage. Every policy promoted to enforce mode is a class of issues that stops generating incidents. Every incident prevented is engineering time that goes to product instead of remediation.

Check Your Posture Today

You don’t have to take your platform team’s word for it. The tools below give you direct visibility into your cluster’s enforcement posture.

  • The nctl scan command surfaces policy violations and enforcement gaps across your clusters.
  • The nctl cluster assessment skill gives you a structured view of your overall security posture — including how many policies are running in audit versus enforce mode.

Run it. Look at the numbers. Then ask your platform team why.

If you’re running any percentage of policies in audit mode and calling it security, the gap between your assumed posture and your actual posture is your risk. The question is whether you’d rather know that now, or after something goes wrong.

Nirmata helps platform and security teams move from audit to enforce — without breaking developer workflows. Learn more at nirmata.com.
