Policy as Code for Lakehouse Governance
This article examines how policy-as-code transforms data governance in lakehouse architectures, addressing the role explosion problem of traditional RBAC. It introduces attribute-based access control (ABAC) with three policy layers: column-level masking, row-level filters, and object-level policies, all evaluated at query time without data duplication. The piece covers policy hierarchy from organization to table, general-purpose engines like OPA, and platform-specific implementations: Databricks row filters/column masks, Snowflake Horizon cross-engine enforcement, BigQuery tag-based security, and tag-driven policy evaluation. It also discusses CI/CD for governance policies, common patterns and pitfalls, and a practical roadmap for implementing governed data access patterns in modern data platforms.