Enforce-Guadrail policies - Apply where and should you?

[MikaelJcSoderberg]

These are part of ALZ-Policies-Extra of Enterprise Scale
https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies-Extra.md#2-alz-workload-specific-compliance-and-regulated-industries

Many of the policies are default Audit but some are DeployIfNotExist.
For me it is difficult to know where to apply them. Many of the Enforce-Guardrails are now also less developed than I would like.

Corp:
Many have a private networking requirement that would work perfectly in Corp, but there are already policies governing the requirement of private networking.
Online:
Difficult, since there it is best to have private networking as well, but a workload team has been free to use public endpoints.
Landing zones:

I was convinced that it was clear for my team to apply the Enforce-Guardrails during start of 2026 (At least in Audit/Disabled), but now I’m not as sure anymore.

In the next release I can see this and are wondering if the 415 policies in it would be a good replacement for the Enforce-Guardrails policies:

Microsoft cloud security benchmark v2
https://www.azadvertizer.net/azpolicyinitiativesadvertizer/e3ec7e09-768c-4b64-882c-fcada3772047.html

So I'm asking for opinions on:

• Are you Applying Enforce-Guardrails.
• Where are you applying Enforce-Guardrails, Corp/Online/Landing Zones/Azure Landing Zones. And could you provide reasoning?
• Do you think Microsoft cloud security benchmark v2 is a good replacement for Enforce-Guardrails, bacially increasing the Well Archictected Framework(WAF) scores.