ARPaCCino: An Agentic-RAG for Policy as Code Compliance

Francesco Romeo, Luigi Arena, Francesco Blefari, Francesco Aurelio Pironti, Matteo Lupinacci, Angelo Furfaro

TL;DR

Policy as Code (PaC) adoption is hampered by policy-language complexity and the risk of misconfigurations in Infrastructure as Code (IaC). The authors introduce ARPaCCino, an Agentic RAG system that translates natural language policy descriptions into formal Rego rules, validates IaC against these rules, and autonomously refines configurations to achieve conformance. The architecture combines a RAG knowledge layer, infrastructure and rule-checking tools, and deterministic policy validation to enable end-to-end PaC workflow automation, demonstrated on a Terraform-based case study with Proxmox. Results show high syntactic and semantic correctness in generated policies, effective detection of non-compliance, and the ability to repair IaC, even with smaller LLMs, highlighting the potential of agentic RAG to improve reliability, accessibility, and scalability of PaC across evolving IaC ecosystems. These findings point to meaningful practical impact in automated security governance for diverse infrastructure stacks and encourage future work on semantic verification and self-RAG capabilities.

Abstract

Policy as Code (PaC) is a paradigm that encodes security and compliance policies into machine-readable formats, enabling automated enforcement in Infrastructure as Code (IaC) environments. However, its adoption is hindered by the complexity of policy languages and the risk of misconfigurations. In this work, we present ARPaCCino, an agentic system that combines Large Language Models (LLMs), Retrieval-Augmented Generation (RAG), and tool-based validation to automate the generation and verification of PaC rules. Given natural language descriptions of the desired policies, ARPaCCino generates formal Rego rules, assesses IaC compliance, and iteratively refines the IaC configurations to ensure conformance. Thanks to its modular agentic architecture and integration with external tools and knowledge bases, ARPaCCino supports policy validation across a wide range of technologies, including niche or emerging IaC frameworks. Experimental evaluation involving a Terraform-based case study demonstrates ARPaCCino's effectiveness in generating syntactically and semantically correct policies, identifying non-compliant infrastructures, and applying corrective modifications, even when using smaller, open-weight LLMs. Our results highlight the potential of agentic RAG architectures to enhance the automation, reliability, and accessibility of PaC workflows.
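The abstract describes a three-step loop: derive policy rules from a natural-language description, evaluate the IaC against them, and apply corrective modifications until the configuration conforms (or no further automatic fix exists). The following is an added example, not code from the paper or the ARPaCCino project, that shows the shape of that loop as a deterministic Python stand-in: the LLM rule-generation step is replaced by hand-written predicates (each paired with the natural-language policy text it encodes), OPA/Rego evaluation is replaced by plain functions, and the input is a constructed excerpt in the `terraform show -json` plan format (`resource_changes[].change.after`). The `proxmox_vm_qemu` resource type, its attributes, and the three policies are illustrative assumptions for a Proxmox-style case, not values taken from the paper. One policy deliberately has no automatic fix, so the example also shows the unresolved-violation outcome a practitioner must handle.

```python
"""Deterministic validate-and-refine loop in the spirit of the ARPaCCino
workflow (added example; the real system generates Rego and calls OPA)."""
import copy
import json

# Constructed sample plan excerpt in `terraform show -json` shape.
# Resource type and attribute names are assumed for illustration only.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "proxmox_vm_qemu.web", "type": "proxmox_vm_qemu",
         "change": {"actions": ["create"],
                    "after": {"name": "web", "memory": 8192, "agent": 0, "tags": ""}}},
        {"address": "proxmox_vm_qemu.db", "type": "proxmox_vm_qemu",
         "change": {"actions": ["create"],
                    "after": {"name": "db", "memory": 2048, "agent": 1, "tags": "env=prod"}}},
    ],
})

# Each policy keeps the natural-language text it was derived from next to
# its check; "fix" is optional, mirroring that not every finding is
# auto-repairable. (Hypothetical policies, not from the paper.)
POLICIES = [
    {"id": "vm-agent-enabled",
     "text": "Every VM must have the guest agent enabled.",
     "applies": lambda rtype: rtype == "proxmox_vm_qemu",
     "violates": lambda a: a.get("agent") != 1,
     "fix": lambda a: {**a, "agent": 1}},
    {"id": "vm-memory-cap",
     "text": "No VM may request more than 4096 MiB of memory.",
     "applies": lambda rtype: rtype == "proxmox_vm_qemu",
     "violates": lambda a: a.get("memory", 0) > 4096,
     "fix": lambda a: {**a, "memory": 4096}},
    {"id": "vm-env-tag",
     "text": "Every VM must carry an env= tag.",
     "applies": lambda rtype: rtype == "proxmox_vm_qemu",
     "violates": lambda a: "env=" not in str(a.get("tags", ""))},
     # no "fix": a human must choose the environment
]


def load_plan(text: str) -> dict:
    return json.loads(text)


def resources(plan: dict):
    """Yield (address, type, after-state) for resources that will exist."""
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:  # destroyed resources have no "after" state
            continue
        yield rc["address"], rc["type"], after


def evaluate(plan: dict, policies: list) -> list:
    """Deterministic compliance check: one finding per (resource, policy)."""
    findings = []
    for address, rtype, after in resources(plan):
        for p in policies:
            if p["applies"](rtype) and p["violates"](after):
                findings.append({"address": address, "policy": p["id"], "text": p["text"]})
    return findings


def remediate(plan: dict, findings: list, policies: list):
    """Apply every available fix on a copy; return (new_plan, applied_findings)."""
    fixed = copy.deepcopy(plan)
    by_id = {p["id"]: p for p in policies}
    by_addr = {rc["address"]: rc for rc in fixed["resource_changes"]}
    applied = []
    for f in findings:
        fix = by_id[f["policy"]].get("fix")
        if fix is None:
            continue
        rc = by_addr[f["address"]]
        rc["change"]["after"] = fix(rc["change"]["after"])
        applied.append(f)
    return fixed, applied


def enforce(plan: dict, policies: list, max_rounds: int = 3) -> dict:
    """Evaluate, fix, re-evaluate until compliant, stuck, or out of rounds."""
    history, current = [], plan
    for _ in range(max_rounds):
        findings = evaluate(current, policies)
        history.append(len(findings))
        if not findings:
            return {"compliant": True, "plan": current, "history": history, "unresolved": []}
        current, applied = remediate(current, findings, policies)
        if not applied:  # nothing left that can be fixed automatically
            break
    remaining = evaluate(current, policies)
    return {"compliant": not remaining, "plan": current,
            "history": history, "unresolved": remaining}


if __name__ == "__main__":
    result = enforce(load_plan(SAMPLE_PLAN_JSON), POLICIES)
    print(json.dumps({k: v for k, v in result.items() if k != "plan"}, indent=2))
```

Running the block reports two findings repaired in the first round and one (`vm-env-tag`) left unresolved, so `compliant` is `False`: the loop must surface what it could not fix rather than silently stopping, which is the same property the paper's deterministic validation step provides on top of LLM-generated rules.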

Paper Structure

This paper contains 21 sections, 4 figures, 2 tables, 1 algorithm.

Figures (4)

  • Figure 1: AI agent structure [LLM_Agents_survey]
  • Figure 2: Agentic RAG architecture. © https://vectorize.io/how-i-finally-got-agentic-rag-to-work-right/
  • Figure 3: ARPaCCino Architecture
  • Figure 4: ARPaCCino running example