This document discusses how to address security concerns when using WSO2 Governance Registry as a policy store. It provides an overview of WSO2 and describes how WSO2 Identity Server can act as an XACML policy engine. It defines some common policy enforcement terminology and explains the difference between design-time and run-time policies. Finally, it demonstrates how WSO2 Governance Registry can be used to store policies that WSO2 Identity Server evaluates when a service is invoked via the ESB.