Ansible Automation Platform RFEs / AAPRFE-2258

Policy Enforcement: Add an option for a "permissive" mode

    • Feature Request
    • Resolution: Unresolved
    • 2.5
    • controller

      As an Automation Platform provider, introducing new policies is currently very challenging, as policies are meant to prevent/fail executions immediately.

      Users desire a "permissive/check" mode that would log and warn users that a job template execution would have been rejected by a policy if the policy were enforced.

      This is the same way SELinux, for instance, can be configured, to avoid taking down the whole production if there is an error in the policy that would accidentally block too many jobs.

      Using the "job type" "check" in Ansible doesn't resolve this issue, as this would require modifying each and every job (or duplicating it) to work around this issue. This is not practical, and in a scenario where Org Admins are allowed to do everything they want and are only "guarded" by some specific policies, this would introduce a lot of friction.

      A policy mode that allows for a smooth transition over the course of a timeframe, by only warning users that their job would have been prevented from being started and why, allows users to adapt their jobs or go into discussions about whether they are eligible for an exception.

      This also prevents accidental blocking of too many jobs, which would otherwise prevent enterprise users of AAP from implementing policy enforcement at all.

      Currently, all jobs that are validated against a policy and fail the policy check are prevented from running.

              rhn-support-ebock Emily Bock
              rhn-support-sscheib Steffen Scheib