Policies

Four targeting layers (use the highest one that fits):

1. Tag — env:prod AND compliance:pci → cross-cuts vendors and asset types. Most durable.
2. Asset group — saved query like "DC1 crown jewels".
3. Asset type / vendor — when the syntax matters (e.g. only Cisco IOS).
4. Individual asset — escape hatch for one-offs.

Same intent, different vendors → automatic. One Unified Policy IR fans out via per-vendor translators (Cisco IOS, NX-OS, Arista, Palo Alto, Juniper, Aruba…) so you author once, SafeCadence emits the right CLI per device.

Asset can't comply? Add an exception with reason + expiry + compensating control instead of weakening the policy.