diff --git a/POLICIES.md b/POLICIES.md index c93dc4f..1da1568 100644 --- a/POLICIES.md +++ b/POLICIES.md @@ -20,9 +20,9 @@ All releases use **SemVer** (semantic versioning). ArtifactHub requires SemVer f All infrastructure changes deploy via **Flux GitOps**. Flux reconciles the org's `infra` repo to the cluster automatically. -- **Never `kubectl apply` manually** — commit changes to the infra repo and let Flux reconcile -- **Never modify cluster resources directly** — manual changes will be reverted by Flux on the next reconciliation cycle -- If you need an infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra) +- **The only way to change Kubernetes resources is through the infra repo.** Commit manifests, push, and Flux deploys. There is no other path. +- **`kubectl` is read-only.** You may use `kubectl get`, `kubectl describe`, `kubectl logs`, etc. for troubleshooting and verification. You may NEVER use `kubectl apply`, `kubectl delete`, `kubectl edit`, `kubectl patch`, `kubectl create`, or any other mutating command. Flux will revert any manual changes. +- If you need an infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra). ## Git Workflow
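Review bot: In the new "`kubectl` is read-only" bullet, the allowed list ends in "etc." and the forbidden list ends in "or any other mutating command", so commands that appear in neither list are left to interpretation: `kubectl exec`, `kubectl cp`, `kubectl port-forward`, `kubectl scale`, `kubectl rollout restart`, `kubectl label` and `kubectl annotate` all change or reach into running workloads without being named. Suggest replacing both lists with a closed allowlist (for example "only `get`, `describe`, `logs`, `top`, `events`, `explain`; everything else is forbidden") and saying explicitly whether `exec` and `port-forward` are permitted for troubleshooting. The same bullet now says "Flux will revert any manual changes", which is stronger than the removed wording and not something Flux guarantees: it corrects drift only on objects it applied from the infra repo, so a manually created resource is not removed and a manually deleted resource that was never in the repo is not restored. Suggest wording it as "Flux will revert manual changes to resources it manages" and adding a sentence that the read-only rule is enforced in the cluster, for instance by binding human and agent credentials to the built-in `view` ClusterRole, so the policy does not depend on every reader following the text.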