diff --git a/CHANGELOG.md b/CHANGELOG.md
index cefebfa0..0246f09c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,28 @@
+## 4.16.0 (January 2, 2025)
+
+It is safe to use this version with all `v4` control planes as long
+as the new incompatible features are not used. These features require
+a minimum version of the control plane and are detailed below.
+
+The minimum control plane version required for full compatibility
+with all the features in this release is `v4.18`.
+
+Data source incompatible with control planes previous to `v4.18`:
+
+- `cyral_policy_wizards`
+
+## Features:
+
+- ENG-14612: Implement cyral_policy_wizards datasource ([#593](https://github.com/cyralinc/terraform-provider-cyral/pull/593))
+
+## Improvements:
+
+- Bump golang.org/x/crypto from 0.30.0 to 0.31.0 ([#590](https://github.com/cyralinc/terraform-provider-cyral/pull/590))
+- Bump google.golang.org/grpc from 1.68.1 to 1.69.0 ([#592](https://github.com/cyralinc/terraform-provider-cyral/pull/592))
+- Bump hashicorp/terraform from 1.9.6 to 1.10.2 ([#591](https://github.com/cyralinc/terraform-provider-cyral/pull/591))
+- Bump all dependencies to the latest version ([#598](https://github.com/cyralinc/terraform-provider-cyral/pull/598))
+- ENG-14702: Update documentation for repo level policies ([#602](https://github.com/cyralinc/terraform-provider-cyral/pull/602))
+
## 4.15.0 (December 10, 2024)
It is safe to use this version with all `v4` control planes as long
diff --git a/cyral/internal/regopolicy/resource_test.go b/cyral/internal/regopolicy/resource_test.go
index f044c77b..0b6fdff9 100644
--- a/cyral/internal/regopolicy/resource_test.go
+++ b/cyral/internal/regopolicy/resource_test.go
@@ -68,9 +68,9 @@ var (
regoPolicyInstanceOnlyRequiredArguments = RegoPolicyInstanceTestParameters{
policy: regopolicy.RegoPolicyInstancePayload{
RegoPolicyInstance: regopolicy.RegoPolicyInstance{
- Name: "some-rate-limit-policy",
- TemplateID: "rate-limit",
- Parameters: "{\"rateLimit\":7,\"labels\":[\"EMAIL\"],\"alertSeverity\":\"high\",\"block\":false}",
+ Name: "some-object-protection-policy",
+ TemplateID: "object-protection",
+ Parameters: "{\"block\":false,\"objectType\":\"role/user\",\"alertSeverity\":\"high\",\"monitorCreates\":true,\"monitorDrops\":false,\"monitorAlters\":false}",
},
},
policyCategory: "SECURITY",
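Review bot: The new `Parameters` value on the added line is a six-field JSON document written as an escaped double-quoted Go string, which is hard to read and to diff, and the identical literal is repeated verbatim in the next hunk of this file (`regoPolicyInstanceAllArguments`). A backquoted raw string literal removes the `\"` escaping, and hoisting the document into one package-level constant (e.g. `objectProtectionTestParameters`) that both fixtures reference would keep the "only required" and "all arguments" cases from drifting apart when the template schema changes again. Note that `"objectType":"role/user"` is documented elsewhere in this commit as the only value the `object-protection` wizard currently accepts, so a short comment on the constant recording that assumption would help the next person updating these fixtures. The enclosing `var (` block starts before this hunk.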
@@ -78,10 +78,10 @@ var (
regoPolicyInstanceAllArguments = RegoPolicyInstanceTestParameters{
policy: regopolicy.RegoPolicyInstancePayload{
RegoPolicyInstance: regopolicy.RegoPolicyInstance{
- Name: "some-rate-limit-policy",
+ Name: "some-object-protection-policy",
+ TemplateID: "object-protection",
+ Parameters: "{\"block\":false,\"objectType\":\"role/user\",\"alertSeverity\":\"high\",\"monitorCreates\":true,\"monitorDrops\":false,\"monitorAlters\":false}",
Description: "Some description.",
- TemplateID: "rate-limit",
- Parameters: "{\"rateLimit\":7,\"labels\":[\"EMAIL\"],\"alertSeverity\":\"high\",\"block\":false}",
Enabled: true,
Scope: ®opolicy.RegoPolicyInstanceScope{
RepoIDs: []string{"2U4prk5o6yi1rTvvXyImz8lgbgG"},
diff --git a/docs/guides/repo_level_policy.md b/docs/guides/repo_level_policy.md
index 06ec61d2..472c559b 100644
--- a/docs/guides/repo_level_policy.md
+++ b/docs/guides/repo_level_policy.md
@@ -1,17 +1,17 @@
---
-page_title: "Setup repo-level policy"
+page_title: "Setup repo-level policies"
---
-Cyral offers several pre-built [repo-level policy types](https://cyral.com/docs/policy/repo-level/).
-In this guide, we provide different examples on how to use them.
+Cyral offers several [policy wizards](https://cyral.com/docs/policy/repo-level/).
+These wizards generate policies for common use cases based on the parameters you provide. The created policies are part of a _policy set_.
+This guide shows how to define policy sets that use these wizards to create policies in Terraform.
Recommended further reading:
- Refer to the [Cyral policies](https://cyral.com/docs/policy/overview/) page in our public
docs for a complete documentation about the Cyral policy framework.
-- Refer to the [`cyral_rego_policy_instance`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance)
- resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters)
- and how to use the pre-built repo-level policies in Terraform.
+- Refer to the [`cyral_policy_set`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/policy_set)
+ resource for more details about how to create policy sets in Terraform.
## Example: data firewall
@@ -29,15 +29,21 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to filter table
+# Creates a policy set using the data firewall wizard to filter table
# 'finance.cards', returning only data where
# finance.cards.country = 'US' for users not in 'Admin' group
-resource "cyral_rego_policy_instance" "policy" {
- name = "data-firewall-policy"
- category = "SECURITY"
+resource "cyral_policy_set" "data_firewall_policy" {
+ name = "data firewall policy"
description = "Returns only data where finance.cards.country = 'US' in table 'finance.cards' for users not in 'Admin' group"
- template_id = "data-firewall"
- parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
+ wizard_id = "data-firewall"
+ parameters = jsonencode(
+ {
+ "dataset" = "finance.cards"
+ "dataFilter" = " finance.cards.country = 'US' "
+ "labels" = ["CCN"]
+ "excludedIdentities" = { "groups" = ["Admin"] }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
@@ -62,14 +68,19 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to apply null masking to
+# Creates a policy set using the data masking wizard to apply null masking to
# any data labeled as CCN for users in group 'Marketing'
-resource "cyral_rego_policy_instance" "policy" {
- name = "data-masking-policy"
- category = "SECURITY"
+resource "cyral_policy_set" "data_masking_policy" {
+ name = "data masking policy"
description = "Apply null masking to any data labeled as CCN for users in group 'Marketing'"
- template_id = "data-masking"
- parameters = "{ \"maskType\": \"NULL_MASK\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+ wizard_id = "data-masking"
+ parameters = jsonencode(
+ {
+ "maskType" = "null"
+ "labels" = ["CCN"]
+ "identities" = { "included": { "groups" = ["Marketing"] } }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
@@ -94,14 +105,20 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to raise a 'high' alert
-# and block updates and deletes on label CCN
-resource "cyral_rego_policy_instance" "policy" {
- name = "data-protection-policy"
- category = "SECURITY"
- description = "Raise a 'high' alert and block updates and deletes on label CCN"
- template_id = "data-protection"
- parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"labels\": [\"CCN\"]}"
+# Creates a policy set using the data protection wizard to raise
+# an alert and block updates and deletes on label CCN
+resource "cyral_policy_set" "data_protection_policy" {
+ name = "data protection policy"
+ description = "Raise an alert and block updates and deletes on label CCN"
+ wizard_id = "data-protection"
+ parameters = jsonencode(
+ {
+ "block" = true
+ "alertSeverity" = "high"
+ "governedOperations" = ["update", "delete"]
+ "labels" = ["CCN"]
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
@@ -126,15 +143,21 @@ resource "cyral_repository" "pg1" {
}
}
-# Creates a policy instance from template to raise a 'high' alert
+# Creates a policy set using the rate limit wizard to raise an alert
# and set a rate limit of 500 rows per hour for group 'Marketing'
# and any data labeled as CCN
-resource "cyral_rego_policy_instance" "policy" {
- name = "rate-limit-policy"
- category = "SECURITY"
- description = "Raise a 'high' alert and set a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"
- template_id = "rate-limit"
- parameters = "{ \"rateLimit\": 500, \"block\": true, \"alertSeverity\": \"high\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+resource "cyral_policy_set" "rate_limit_policy" {
+ name = "rate limit policy"
+ description = "Raise an alert and set a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"
+ wizard_id = "rate-limit"
+ parameters = jsonencode(
+ {
+ "rateLimit" = 500
+ "enforce" = true
+ "labels" = ["CCN"]
+ "identities" = { "included": { "groups" = ["Marketing"] } }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.pg1.id]
@@ -159,15 +182,21 @@ resource "cyral_repository" "pg1" {
}
}
-# Creates a policy instance from template to limits to 100 the
+# Creates a policy set using the read limit wizard to limits to 100 the
# amount of rows that can be read per query on the entire
# repository for group 'Devs'
-resource "cyral_rego_policy_instance" "policy" {
- name = "read-limit-policy"
- category = "SECURITY"
+resource "cyral_policy_set" "read_limit_policy" {
+ name = "read limit policy"
description = "Limits to 100 the amount of rows that can be read per query on the entire repository for group 'Devs'"
- template_id = "read-limit"
- parameters = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"appliesToAllData\": true, \"identities\": { \"included\": { \"groups\": [\"Devs\"] } }}"
+ wizard_id = "read-limit"
+ parameters = jsonencode(
+ {
+ "rowLimit" = 100
+ "enforce" = true
+ "datasets" = "*"
+ "identities" = { "included": { "groups" = ["Devs"] } }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.pg1.id]
@@ -191,15 +220,20 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to limits to 100 the
-# amount of rows that can be updated or deleted per query on
-# all repository data for anyone except group 'Admin'
-resource "cyral_rego_policy_instance" "policy" {
- name = "repository-protection-policy"
- category = "SECURITY"
- description = "Limits to 100 the amount of rows that can be updated or deleted per query on all repository data for anyone except group 'Admin'"
- template_id = "repository-protection"
- parameters = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"identities\": { \"excluded\": { \"groups\": [\"Admin\"] } }}"
+# Creates a policy set using the repository protection wizard to alert if more than
+# 100 rows are updated or deleted per query on all repository data by anyone except group 'Admin'
+resource "cyral_policy_set" "repository_protection_policy" {
+ name = "repository protection policy"
+ description = "Alert if more than 100 rows are updated or deleted per query on all repository data by anyone except group 'Admin'"
+ wizard_id = "repository-protection"
+ parameters = jsonencode(
+ {
+ "rowLimit" = 100
+ "datasets" = "*"
+ "governedOperations" = ["update", "delete"]
+ "identities" = { "excluded": { "groups" = ["Admin"] } }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
@@ -223,16 +257,19 @@ resource "cyral_repository" "pg1" {
}
}
-# Creates a policy instance from template to alert and block
-# whenever the following service accounts john try to read,
-# update, or delete data from the repository without end
-# user attribution.
-resource "cyral_rego_policy_instance" "policy" {
+# Creates a policy set using the service account abuse wizard to alert and block
+# whenever the service accounts john is used without end user attribution.
+resource "cyral_policy_set" "service_account_abuse_policy" {
name = "service account abuse policy"
- category = "SECURITY"
- description = "Alert and block whenever the following service accounts john try to read, update, or delete data from the repository without end user attribution"
- template_id = "service-account-abuse"
- parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"serviceAccounts\": [\"john\"]}"
+ description = "Alert and block whenever the service accounts john is used without end user attribution"
+ wizard_id = "service-account-abuse"
+ parameters = jsonencode(
+ {
+ "block" = true
+ "alertSeverity" = "high"
+ "serviceAccounts" = ["john"]
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.pg1.id]
@@ -256,15 +293,21 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to filter table
+# Creates a policy set using the user segmentation wizard to filter table
# 'finance.cards' when users in group 'Marketing' read label
# CCN, returning only data where finance.cards.country = 'US'
-resource "cyral_rego_policy_instance" "policy" {
- name = "user-segmentation-policy"
- category = "SECURITY"
+resource "cyral_policy_set" "user_segmentation_policy" {
+ name = "user segmentation policy"
description = "Filter table 'finance.cards' when users in group 'Marketing' read label CCN, returning only data where finance.cards.country = 'US'"
- template_id = "user-segmentation"
- parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
+ wizard_id = "user-segmentation"
+ parameters = jsonencode(
+ {
+ "dataset" = "finance.cards"
+ "dataFilter" = " finance.cards.country = 'US' "
+ "labels" = ["CCN"]
+ "includedIdentities" = { "groups" = ["Marketing"] }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
diff --git a/docs/resources/policy_set.md b/docs/resources/policy_set.md
index 26c8e2e4..da6706d7 100644
--- a/docs/resources/policy_set.md
+++ b/docs/resources/policy_set.md
@@ -38,6 +38,127 @@ resource "cyral_policy_set" "repo_lockdown_example" {
}
```
+## Available Policy Wizards
+
+The following policy wizards are available for creating policy sets. The wizard parameters,
+specified as a JSON object, are described below for each wizard as well.
+
+-> You can also use the Cyral API `GET` `/v1/regopolicies/templates` to retrieve all existing templates and their corresponding parameters schema.
+
+### Data Firewall (data-firewall) - Ensure that sensitive data can only be read by specified individuals.
+
+- `dataset` (String) Data Set (table, collection, etc.) to which the policy applies.
+- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
+- `substitutionQuery` (String) A query that will be used to replace all occurrences of the dataset in the original query. Only one of `dataFilter` and `substitutionQuery` can be specified.
+- `excludedIdentities` (Object) Identities that will be excluded from this policy. See [identityList](#objects--identityList).
+
+### Data Masking (data-masking) - Mask fields for specific users and applications.
+
+- `maskType` (String) Mask Type (E.g.: `null`, `constant`, `format-preserving`).
+- `maskArguments` (Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value).
+- `tags` (Array) Data Tags to which the policy applies.
+- `labels` (Array) Data Labels to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will apply to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will apply to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Data Protection (data-protection) - Guard against reads and writes of specified tables or fields.
+
+- `block` (Boolean) Policy action to block.
+- `governedOperations` (Array) Operations governed by this policy, can be one or more of: `read`, `update`, `delete`, and `insert`.
+- `tags` (Array) Data Tags to which the policy applies.
+- `labels` (Array) Data Labels to which the policy applies.
+- `datasets` (Array) Data Sets (tables, collections, etc.) to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Object Protection (object-protection) - Guards against operations like create, drop, and alter for specified object types.
+
+- `objectType` (String) The type of object to monitor or protect. The only value currently supported is `role/user`.
+- `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+- `governedOperations` (Array) Operations governed by this policy, can be one or more of: `create`, `drop`, and `alter`.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Alert severity. Allowed values are: `low`, `medium`, `high`.
+
+### Rate Limit (rate-limit) - Implement threshold on sensitive data reads over a period of time.
+
+- `rateLimit` (Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero.
+- `enforce` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+- `tags` (Array) Data Tags to which the policy applies.
+- `labels` (Array) Data Labels to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Read Limit (read-limit) - Prevent certain data from being read beyond a specified limit.
+
+- `rowLimit` (Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero.
+- `enforce` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+- `tags` (Array) Data Tags to which the policy applies.
+- `labels` (Array) Data Labels to which the policy applies.
+- `datasets` (Array) Data Sets (tables, collections, etc.) to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Repository Lockdown (repo-lockdown) - Deny all statements that are not allowed by some policy and/or not understood by Cyral.
+
+- `failClosed` (Boolean) Whether to fail closed, if true, all statements that are not understood by Cyral will be blocked.
+- `denyByDefault` (Boolean) Whether to deny all statements by default, if true, all statements that are not explicitly allowed by some policy will be blocked.
+
+### Repository Protection (repository-protection) - Alert when more than a specified number of records are updated, deleted, or inserted in specified datasets.
+
+- `rowLimit` (Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero.
+- `governedOperations` (Array) Operations governed by this policy, can be one or more of: `update`, `delete` and `insert`.
+- `datasets` (Array) Data Sets (tables, collections, etc.) to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Schema Protection (schema-protection) - Protect database schema against unauthorized creation, deletion, or modification of tables and views.
+
+- `block` (Boolean) Whether to block unauthorized schema changes.
+- `schemas` (Array) Schemas to which the policy applies.
+- `excludedIdentities` (Object) Identities that are exempt from the policy. See [identities](#objects--identityList).
+
+### Service Account Abuse (service-account-abuse) - Ensure service accounts can only be used by intended applications.
+
+- `block` (Boolean) Policy action to enforce.
+- `serviceAccounts` (Array) Service accounts for which end user attribution is always required.
+- `alertSeverity` (String) Alert severity. Allowed values are: `low`, `medium`, `high`.
+
+### Stored Procedure Governance (stored-procedure-governance) - Restrict execution of stored procedures..
+
+- `enforced` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+- `governedProcedures` (Array) Stored procedures to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Alert severity. Allowed values are: `low`, `medium`, `high`.
+
+### User Segmentation (user-segmentation) - Restrict specific users to a subset of data.
+
+- `dataset` (String) Data Set (table, collection, etc.) to which the policy applies.
+- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
+- `substitutionQuery` (String) A query that will be used to replace all occurrences of the dataset in the original query. Only one of `dataFilter` and `substitutionQuery` can be specified.
+- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
+- `includedDbAccounts` (Array) Database accounts cannot see restricted records.
+
+
+
+### Objects
+
+
+
+- `identities` (Object) Identities. See properties below:
+ - `included` (Object) Included Identities. See [identityList](#objects--identityList).
+ - `excluded` (Object) Excluded Identities. See [identityList](#objects--identityList).
+
+- `dbAccounts` (Object) Database Accounts. See properties below:
+ - `included` (Array) Included Database Accounts.
+ - `excluded` (Array) Excluded Database Accounts.
+
+- `identityList` (Object) Identity List. See properties below:
+ - `userNames` (Array) Identity Emails.
+ - `emails` (Array) Identity Usernames.
+ - `groups` (Array) Identity Groups.
+
## Schema
diff --git a/docs/resources/rego_policy_instance.md b/docs/resources/rego_policy_instance.md
index b7e35343..b62367b7 100644
--- a/docs/resources/rego_policy_instance.md
+++ b/docs/resources/rego_policy_instance.md
@@ -71,7 +71,54 @@ All templates use parameters defined as JSON, below is a list of all the corresp
-> You can also use the Cyral API `GET` `/v1/regopolicies/templates` to retrieve all existing templates and their corresponding parameters schema.
-### Data Firewall (data-firewall)
+### Fail Closed (fail-closed) - Protect against statements that are not understood by Cyral.
+
+- `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+- `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+- `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+### Object Protection (object-protection) - Guards against operations like create, drop, and alter for specified object types.
+
+- `objectType` (String) The type of object to monitor or protect. Supported types include tables, views, roles/users, and schemas. Specific actions depend on the object type.
+- `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+- `monitorCreates` (Boolean) Specifies whether to monitor 'CREATE' operations for the defined object type. Applies only to relevant object types.
+- `monitorDrops` (Boolean) Specifies whether to monitor 'DROP' operations for the defined object type. Applies only to relevant object types.
+- `monitorAlters` (Boolean) Specifies whether to monitor 'ALTER' operations for the defined object type. Applies only to relevant object types.
+- `objects` (Array) A list of specific objects (e.g., tables or views) to monitor or protect. Required for 'table' or 'view' object types. Not applicable to 'role/user' or 'schema'.
+- `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+- `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+### Service Account Abuse (service-account-abuse) - Ensure service accounts can only be used by intended applications.
+
+- `block` (Boolean) Policy action to enforce.
+- `serviceAccounts` (Array) Service accounts for which end user attribution is always required.
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+### Stored Procedure Governance (stored-procedure-governance) - Restrict execution of stored procedures.
+
+- `governedProcedures` (Array) List of stored procedures to be governed.
+- `enforce` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+- `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+- `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+### Ungoverned Statements (ungoverned-statements) - Control execution of statements not governed by other policies.
+
+- `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+- `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+- `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+### Deprecated policy templates
+
+The remaining list of policy templates have been deprecated in v4.18.X of the Cyral Control Plane
+and can not be used for creating new policies. Managing existing policy instances is still supported.
+Please visit [`cyral_policy_set`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/policy_set)
+resource to find replacements for the deprecated policy templates.
+
+#### Data Firewall (data-firewall)
- `dataSet` (String) Data Set.
- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
@@ -79,7 +126,7 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `labels` (Array) Data Labels.
- `excludedIdentities` (Object) Identities that will be excluded from this policy. See [identityList](#objects--identityList).
-### Data Masking (data-masking)
+#### Data Masking (data-masking)
- `maskType` (String) Mask Type (E.g.: `NULL_MASK`, `CONSTANT_MASK`, `MASK`).
- `maskArguments` (Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value).
@@ -88,7 +135,7 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
-### Data Protection (data-protection)
+#### Data Protection (data-protection)
- `block` (Boolean) Policy action to block.
- `monitorReads` (Boolean) Monitor read operations.
@@ -100,13 +147,13 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-### Ephemeral Grant (EphemeralGrantPolicy)
+#### Ephemeral Grant (EphemeralGrantPolicy)
- `repoAccount` (String) Repository Account Name.
- `repo` (String) Repository Name.
- `allowedSensitiveAttributes` (Array) Allowed Sensitive Attributes.
-### Rate Limit (rate-limit)
+#### Rate Limit (rate-limit)
- `rateLimit` (Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero.
- `block` (Boolean) Policy action to enforce.
@@ -116,7 +163,7 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-### Read Limit (read-limit)
+#### Read Limit (read-limit)
- `rowLimit` (Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero.
- `block` (Boolean) Policy action to enforce.
@@ -127,7 +174,7 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-### Repository Protection (repository-protection)
+#### Repository Protection (repository-protection)
- `rowLimit` (Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero.
- `monitorUpdates` (Boolean) Monitor update operations.
@@ -136,13 +183,7 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-### Service Account Abuse (service-account-abuse)
-
-- `block` (Boolean) Policy action to enforce.
-- `serviceAccounts` (Array) Service accounts for which end user attribution is always required.
-- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-
-### User Segmentation (user-segmentation)
+#### User Segmentation (user-segmentation)
- `dataSet` (String) Data Set.
- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
diff --git a/examples/guides/repo_level_policies/data_firewall.tf b/examples/guides/repo_level_policies/data_firewall.tf
index 2a918942..73bcbf31 100644
--- a/examples/guides/repo_level_policies/data_firewall.tf
+++ b/examples/guides/repo_level_policies/data_firewall.tf
@@ -9,15 +9,21 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to filter table
+# Creates a policy set using the data firewall wizard to filter table
# 'finance.cards', returning only data where
# finance.cards.country = 'US' for users not in 'Admin' group
-resource "cyral_rego_policy_instance" "policy" {
- name = "data-firewall-policy"
- category = "SECURITY"
+resource "cyral_policy_set" "data_firewall_policy" {
+ name = "data firewall policy"
description = "Returns only data where finance.cards.country = 'US' in table 'finance.cards' for users not in 'Admin' group"
- template_id = "data-firewall"
- parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
+ wizard_id = "data-firewall"
+ parameters = jsonencode(
+ {
+ "dataset" = "finance.cards"
+ "dataFilter" = " finance.cards.country = 'US' "
+ "labels" = ["CCN"]
+ "excludedIdentities" = { "groups" = ["Admin"] }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
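Review bot: The `"labels" = ["CCN"]` parameter is not among the parameters this same commit documents for the data-firewall wizard in the policy_set template (that entry lists only `dataset`, `dataFilter`, `substitutionQuery` and `excludedIdentities`), so either the example sends a key the wizard ignores or the documentation is missing it; user_segmentation.tf has the same mismatch, passing `labels` while the user-segmentation entry lists none. Which side is wrong is not visible from the diff. If the wizards do accept labels, add `- `labels` (Array) Data Labels to which the policy applies.` to both wizard entries; otherwise drop the `labels` line from the two examples so readers do not copy a parameter that is silently ignored. The `cyral_policy_set` resource block continues past the end of the hunk.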
diff --git a/examples/guides/repo_level_policies/data_masking.tf b/examples/guides/repo_level_policies/data_masking.tf
index 20a1483b..61ed9dfe 100644
--- a/examples/guides/repo_level_policies/data_masking.tf
+++ b/examples/guides/repo_level_policies/data_masking.tf
@@ -9,14 +9,19 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to apply null masking to
+# Creates a policy set using the data masking wizard to apply null masking to
# any data labeled as CCN for users in group 'Marketing'
-resource "cyral_rego_policy_instance" "policy" {
- name = "data-masking-policy"
- category = "SECURITY"
+resource "cyral_policy_set" "data_masking_policy" {
+ name = "data masking policy"
description = "Apply null masking to any data labeled as CCN for users in group 'Marketing'"
- template_id = "data-masking"
- parameters = "{ \"maskType\": \"NULL_MASK\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+ wizard_id = "data-masking"
+ parameters = jsonencode(
+ {
+ "maskType" = "null"
+ "labels" = ["CCN"]
+ "identities" = { "included": { "groups" = ["Marketing"] } }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
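Review bot: The nested object at `"identities" = { "included": { "groups" = ["Marketing"] } }` mixes HCL's `:` and `=` attribute separators inside one object constructor; both forms are accepted, but every other attribute in the example uses `=`, so the colon reads like a leftover from the old JSON string. Prefer `"identities" = { "included" = { "groups" = ["Marketing"] } }`. The same mixed form appears in rate_limit.tf, read_limit.tf and repository_protection.tf. The `cyral_policy_set` resource block continues past the end of the hunk.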
diff --git a/examples/guides/repo_level_policies/data_protection.tf b/examples/guides/repo_level_policies/data_protection.tf
index 701c660e..1721ab06 100644
--- a/examples/guides/repo_level_policies/data_protection.tf
+++ b/examples/guides/repo_level_policies/data_protection.tf
@@ -9,14 +9,20 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to raise a 'high' alert
-# and block updates and deletes on label CCN
-resource "cyral_rego_policy_instance" "policy" {
- name = "data-protection-policy"
- category = "SECURITY"
- description = "Raise a 'high' alert and block updates and deletes on label CCN"
- template_id = "data-protection"
- parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"labels\": [\"CCN\"]}"
+# Creates a policy set using the data protection wizard to raise
+# an alert and block updates and deletes on label CCN
+resource "cyral_policy_set" "data_protection_policy" {
+ name = "data protection policy"
+ description = "Raise an alert and block updates and deletes on label CCN"
+ wizard_id = "data-protection"
+ parameters = jsonencode(
+ {
+ "block" = true
+ "alertSeverity" = "high"
+ "governedOperations" = ["update", "delete"]
+ "labels" = ["CCN"]
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
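Review bot: `"alertSeverity" = "high"` is kept in the new parameters, but the data-protection entry added to the policy_set template in this same commit does not list `alertSeverity` (only `block`, `governedOperations`, `tags`, `labels`, `datasets`, `identities`, `dbAccounts`), whereas the object-protection and service-account-abuse entries do. I cannot tell from the diff whether the wizard accepts it; if it does, the doc entry should gain `- `alertSeverity` (String) Alert severity. Allowed values are: `low`, `medium`, `high`.`, and if it does not, the line should be removed from the example so a parameter the control plane ignores is not copied into real configurations. The `cyral_policy_set` resource block continues past the end of the hunk.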
diff --git a/examples/guides/repo_level_policies/rate_limit.tf b/examples/guides/repo_level_policies/rate_limit.tf
index 50d7322e..604997cb 100644
--- a/examples/guides/repo_level_policies/rate_limit.tf
+++ b/examples/guides/repo_level_policies/rate_limit.tf
@@ -9,15 +9,21 @@ resource "cyral_repository" "pg1" {
}
}
-# Creates a policy instance from template to raise a 'high' alert
+# Creates a policy set using the rate limit wizard to raise an alert
# and set a rate limit of 500 rows per hour for group 'Marketing'
# and any data labeled as CCN
-resource "cyral_rego_policy_instance" "policy" {
- name = "rate-limit-policy"
- category = "SECURITY"
- description = "Raise a 'high' alert and set a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"
- template_id = "rate-limit"
- parameters = "{ \"rateLimit\": 500, \"block\": true, \"alertSeverity\": \"high\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+resource "cyral_policy_set" "rate_limit_policy" {
+ name = "rate limit policy"
+ description = "Raise an alert and set a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"
+ wizard_id = "rate-limit"
+ parameters = jsonencode(
+ {
+ "rateLimit" = 500
+ "enforce" = true
+ "labels" = ["CCN"]
+ "identities" = { "included": { "groups" = ["Marketing"] } }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.pg1.id]
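Review bot: The description `"Raise an alert and set a rate limit of 500 rows per hour ..."` says the policy alerts, while the parameters set `"enforce" = true`; the rate-limit entry added in this commit describes `false` as the alert-only mode, so the text and the parameter appear to describe different behaviours. The old example paired `block: true` with an alert, so the intent may be both; if so, say it in the header comment and description, e.g. `description = "Alert and enforce a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"`, otherwise `"enforce" = false` matches the current wording. The `cyral_policy_set` resource block continues past the end of the hunk.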
diff --git a/examples/guides/repo_level_policies/read_limit.tf b/examples/guides/repo_level_policies/read_limit.tf
index f8475114..be8f8035 100644
--- a/examples/guides/repo_level_policies/read_limit.tf
+++ b/examples/guides/repo_level_policies/read_limit.tf
@@ -9,15 +9,21 @@ resource "cyral_repository" "pg1" {
}
}
-# Creates a policy instance from template to limits to 100 the
+# Creates a policy set using the read limit wizard to limits to 100 the
# amount of rows that can be read per query on the entire
# repository for group 'Devs'
-resource "cyral_rego_policy_instance" "policy" {
- name = "read-limit-policy"
- category = "SECURITY"
+resource "cyral_policy_set" "read_limit_policy" {
+ name = "read limit policy"
description = "Limits to 100 the amount of rows that can be read per query on the entire repository for group 'Devs'"
- template_id = "read-limit"
- parameters = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"appliesToAllData\": true, \"identities\": { \"included\": { \"groups\": [\"Devs\"] } }}"
+ wizard_id = "read-limit"
+ parameters = jsonencode(
+ {
+ "rowLimit" = 100
+ "enforce" = true
+ "datasets" = "*"
+ "identities" = { "included": { "groups" = ["Devs"] } }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.pg1.id]
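Review bot: `"datasets" = "*"` passes a string, but the read-limit entry added to the policy_set template in this same commit documents `datasets` as `(Array)`; repository_protection.tf carries the same `"datasets" = "*"`. If the wizard expects a list, both examples should read `"datasets" = ["*"]`; if it accepts a bare `"*"` wildcard, the parameter description should state that, since these guide examples are copied verbatim. Which form the control plane validates is not visible here. The `cyral_policy_set` resource block continues past the end of the hunk.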
diff --git a/examples/guides/repo_level_policies/repository_protection.tf b/examples/guides/repo_level_policies/repository_protection.tf
index e6423323..f7fc3736 100644
--- a/examples/guides/repo_level_policies/repository_protection.tf
+++ b/examples/guides/repo_level_policies/repository_protection.tf
@@ -9,15 +9,20 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to limits to 100 the
-# amount of rows that can be updated or deleted per query on
-# all repository data for anyone except group 'Admin'
-resource "cyral_rego_policy_instance" "policy" {
- name = "repository-protection-policy"
- category = "SECURITY"
- description = "Limits to 100 the amount of rows that can be updated or deleted per query on all repository data for anyone except group 'Admin'"
- template_id = "repository-protection"
- parameters = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"identities\": { \"excluded\": { \"groups\": [\"Admin\"] } }}"
+# Creates a policy set using the repository protection wizard to alert if more than
+# 100 rows are updated or deleted per query on all repository data by anyone except group 'Admin'
+resource "cyral_policy_set" "repository_protection_policy" {
+ name = "repository protection policy"
+ description = "Alert if more than 100 rows are updated or deleted per query on all repository data by anyone except group 'Admin'"
+ wizard_id = "repository-protection"
+ parameters = jsonencode(
+ {
+ "rowLimit" = 100
+ "datasets" = "*"
+ "governedOperations" = ["update", "delete"]
+ "identities" = { "excluded": { "groups" = ["Admin"] } }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
diff --git a/examples/guides/repo_level_policies/service_account_abuse.tf b/examples/guides/repo_level_policies/service_account_abuse.tf
index 86435151..f3250f1f 100644
--- a/examples/guides/repo_level_policies/service_account_abuse.tf
+++ b/examples/guides/repo_level_policies/service_account_abuse.tf
@@ -9,16 +9,19 @@ resource "cyral_repository" "pg1" {
}
}
-# Creates a policy instance from template to alert and block
-# whenever the following service accounts john try to read,
-# update, or delete data from the repository without end
-# user attribution.
-resource "cyral_rego_policy_instance" "policy" {
+# Creates a policy set using the service account abuse wizard to alert and block
+# whenever the service accounts john is used without end user attribution.
+resource "cyral_policy_set" "service_account_abuse_policy" {
name = "service account abuse policy"
- category = "SECURITY"
- description = "Alert and block whenever the following service accounts john try to read, update, or delete data from the repository without end user attribution"
- template_id = "service-account-abuse"
- parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"serviceAccounts\": [\"john\"]}"
+ description = "Alert and block whenever the service accounts john is used without end user attribution"
+ wizard_id = "service-account-abuse"
+ parameters = jsonencode(
+ {
+ "block" = true
+ "alertSeverity" = "high"
+ "serviceAccounts" = ["john"]
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.pg1.id]
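Review bot: The header comment and the description both read `whenever the service accounts john is used`, which is ungrammatical and blurs that the example configures a single account in `serviceAccounts`. Suggest `# whenever the service account 'john' is used without end user attribution.` for the comment and `description = "Alert and block whenever the service account 'john' is used without end user attribution"` for the attribute. The `cyral_policy_set` resource block continues past the end of the hunk.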
diff --git a/examples/guides/repo_level_policies/user_segmentation.tf b/examples/guides/repo_level_policies/user_segmentation.tf
index 5fdd6a96..e3adb4b3 100644
--- a/examples/guides/repo_level_policies/user_segmentation.tf
+++ b/examples/guides/repo_level_policies/user_segmentation.tf
@@ -9,15 +9,21 @@ resource "cyral_repository" "mysql1" {
}
}
-# Creates a policy instance from template to filter table
+# Creates a policy set using the user segmentation wizard to filter table
# 'finance.cards' when users in group 'Marketing' read label
# CCN, returning only data where finance.cards.country = 'US'
-resource "cyral_rego_policy_instance" "policy" {
- name = "user-segmentation-policy"
- category = "SECURITY"
+resource "cyral_policy_set" "user_segmentation_policy" {
+ name = "user segmentation policy"
description = "Filter table 'finance.cards' when users in group 'Marketing' read label CCN, returning only data where finance.cards.country = 'US'"
- template_id = "user-segmentation"
- parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
+ wizard_id = "user-segmentation"
+ parameters = jsonencode(
+ {
+ "dataset" = "finance.cards"
+ "dataFilter" = " finance.cards.country = 'US' "
+ "labels" = ["CCN"]
+ "includedIdentities" = { "groups" = ["Marketing"] }
+ }
+ )
enabled = true
scope {
repo_ids = [cyral_repository.mysql1.id]
diff --git a/go.mod b/go.mod
index fa18be44..a61af808 100644
--- a/go.mod
+++ b/go.mod
@@ -5,8 +5,8 @@ go 1.22.7
toolchain go1.23.3
require (
- buf.build/gen/go/cyral/policy/grpc/go v1.5.1-20241204234652-6dee75984790.1
- buf.build/gen/go/cyral/policy/protocolbuffers/go v1.36.0-20241204234652-6dee75984790.1
+ buf.build/gen/go/cyral/policy/grpc/go v1.5.1-20241204234652-6dee75984790.2
+ buf.build/gen/go/cyral/policy/protocolbuffers/go v1.36.1-20241204234652-6dee75984790.1
github.com/aws/aws-sdk-go v1.55.5
github.com/google/uuid v1.6.0
github.com/hashicorp/terraform-plugin-docs v0.19.4
@@ -16,13 +16,13 @@ require (
golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67
golang.org/x/oauth2 v0.24.0
google.golang.org/grpc v1.69.2
- google.golang.org/protobuf v1.36.0
+ google.golang.org/protobuf v1.36.1
)
require (
- buf.build/gen/go/cyral/utils/protocolbuffers/go v1.36.0-20241202152456-363249a7515c.1 // indirect
- buf.build/gen/go/envoyproxy/protoc-gen-validate/protocolbuffers/go v1.36.0-20240617172848-daf171c6cdb5.1 // indirect
- buf.build/gen/go/grpc-ecosystem/grpc-gateway/protocolbuffers/go v1.36.0-20240617172850-a48fcebcf8f1.1 // indirect
+ buf.build/gen/go/cyral/utils/protocolbuffers/go v1.36.1-20241202152456-363249a7515c.1 // indirect
+ buf.build/gen/go/envoyproxy/protoc-gen-validate/protocolbuffers/go v1.36.1-20240617172848-daf171c6cdb5.1 // indirect
+ buf.build/gen/go/grpc-ecosystem/grpc-gateway/protocolbuffers/go v1.36.1-20241220201140-4c5ba75caaf8.1 // indirect
cloud.google.com/go/compute/metadata v0.6.0 // indirect
github.com/BurntSushi/toml v1.2.1 // indirect
github.com/Kunde21/markdownfmt/v3 v3.1.0 // indirect
@@ -90,8 +90,8 @@ require (
golang.org/x/text v0.21.0 // indirect
golang.org/x/tools v0.28.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20241223144023-3abc09e42ca8 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 // indirect
gopkg.in/yaml.v2 v2.3.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
diff --git a/go.sum b/go.sum
index 866d130c..4a515b31 100644
--- a/go.sum
+++ b/go.sum
@@ -1,13 +1,13 @@
-buf.build/gen/go/cyral/policy/grpc/go v1.5.1-20241204234652-6dee75984790.1 h1:tl6pcZSURzy71NYelbi7ZARClsFxsOy3Zz97lfgraU8=
-buf.build/gen/go/cyral/policy/grpc/go v1.5.1-20241204234652-6dee75984790.1/go.mod h1:nnv6Imx5xapOLV612Q4oJ2z7hQDz1FyO0bJGImPJKEU=
-buf.build/gen/go/cyral/policy/protocolbuffers/go v1.36.0-20241204234652-6dee75984790.1 h1:ULg02uNwg6d5ACf3d/svhmWQxI3XOUa+zsT9PcqGE7U=
-buf.build/gen/go/cyral/policy/protocolbuffers/go v1.36.0-20241204234652-6dee75984790.1/go.mod h1:2MVlkoQXXNnCCegVZo/PrM697vKjMdtIZKZpsMjq06E=
-buf.build/gen/go/cyral/utils/protocolbuffers/go v1.36.0-20241202152456-363249a7515c.1 h1:AEZ/C4Xb3Q5flHtGWznh60EWLz83mMhqviRVDHzEXMc=
-buf.build/gen/go/cyral/utils/protocolbuffers/go v1.36.0-20241202152456-363249a7515c.1/go.mod h1:L7zSeN1DerTkeWs9ZtNPOvFBz4v2rKSCks5OOCh5W0Y=
-buf.build/gen/go/envoyproxy/protoc-gen-validate/protocolbuffers/go v1.36.0-20240617172848-daf171c6cdb5.1 h1:lVToKI30NYvd2m/n9oHlbctPyL1z7qOl3J2kTIVLqbQ=
-buf.build/gen/go/envoyproxy/protoc-gen-validate/protocolbuffers/go v1.36.0-20240617172848-daf171c6cdb5.1/go.mod h1:z6TXPjhMrkUwpR6h+lbyDMJ9sJ/eGltAclrTUW9gbE0=
-buf.build/gen/go/grpc-ecosystem/grpc-gateway/protocolbuffers/go v1.36.0-20240617172850-a48fcebcf8f1.1 h1:nAE4HLCyHRljGiUA1PQ0jsl2VvuHfRg/AvAsIP280qA=
-buf.build/gen/go/grpc-ecosystem/grpc-gateway/protocolbuffers/go v1.36.0-20240617172850-a48fcebcf8f1.1/go.mod h1:9kAozfForX2SS4gDDl/P+ImNbDypB9unxBZQqsyahYA=
+buf.build/gen/go/cyral/policy/grpc/go v1.5.1-20241204234652-6dee75984790.2 h1:Nb/a7uA1oABwVaNLaNpZ4wHaF2ruUWYqX47RF7mp1mc=
+buf.build/gen/go/cyral/policy/grpc/go v1.5.1-20241204234652-6dee75984790.2/go.mod h1:XTNaF/nhX6bf6V7wQOHqHF0VoVYh9iQSMIhzKxV7luo=
+buf.build/gen/go/cyral/policy/protocolbuffers/go v1.36.1-20241204234652-6dee75984790.1 h1:Znp6P4KIpZu0y+pwJfEJKK7OQX/tHAwueAvl5SZNJvA=
+buf.build/gen/go/cyral/policy/protocolbuffers/go v1.36.1-20241204234652-6dee75984790.1/go.mod h1:jObqyFs4Fbkj5YhlRelQM8Q93QTIFGws4cBAh8TMA/Q=
+buf.build/gen/go/cyral/utils/protocolbuffers/go v1.36.1-20241202152456-363249a7515c.1 h1:HVBV6zROo/gV3oMuCHqONvzN/qGHe80FlvoU1LP7SSs=
+buf.build/gen/go/cyral/utils/protocolbuffers/go v1.36.1-20241202152456-363249a7515c.1/go.mod h1:8Oifv1n03AaERmI2kDvZ0Sxr5NyXxG/v+9QLakIqn4M=
+buf.build/gen/go/envoyproxy/protoc-gen-validate/protocolbuffers/go v1.36.1-20240617172848-daf171c6cdb5.1 h1:3NW/OKYVUjacnT14MdeSrRwrv20SU4hfbDl+Cqspaf0=
+buf.build/gen/go/envoyproxy/protoc-gen-validate/protocolbuffers/go v1.36.1-20240617172848-daf171c6cdb5.1/go.mod h1:L3a8fJ4WVDtMqrivTUIK2pmaOZ/GF7qFq9xcSbeyA2M=
+buf.build/gen/go/grpc-ecosystem/grpc-gateway/protocolbuffers/go v1.36.1-20241220201140-4c5ba75caaf8.1 h1:LuhF0tLV6LajBr3N1uHRWt2VtgdNB9qzhSwJwsD4nNk=
+buf.build/gen/go/grpc-ecosystem/grpc-gateway/protocolbuffers/go v1.36.1-20241220201140-4c5ba75caaf8.1/go.mod h1:B0L3Am51xJ+EaDE1BkvpJEYvc22m404djbLMTWy3me0=
cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
@@ -291,16 +291,16 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
-google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb h1:B7GIB7sr443wZ/EAEl7VZjmh1V6qzkt5V+RYcUYtS1U=
-google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:E5//3O5ZIG2l71Xnt+P/CYUY8Bxs8E7WMoZ9tlcMbAY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb h1:3oy2tynMOP1QbTC0MsNNAV+Se8M2Bd0A5+x1QHyw+pI=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA=
+google.golang.org/genproto/googleapis/api v0.0.0-20241223144023-3abc09e42ca8 h1:st3LcW/BPi75W4q1jJTEor/QWwbNlPlDG0JTn6XhZu0=
+google.golang.org/genproto/googleapis/api v0.0.0-20241223144023-3abc09e42ca8/go.mod h1:klhJGKFyG8Tn50enBn7gizg4nXGXJ+jqEREdCWaPcV4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 h1:TqExAhdPaB60Ux47Cn0oLV07rGnxZzIsaRhQaqS666A=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA=
google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ=
-google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
+google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/templates/guides/repo_level_policy.md.tmpl b/templates/guides/repo_level_policy.md.tmpl
index 6323432e..484138bd 100644
--- a/templates/guides/repo_level_policy.md.tmpl
+++ b/templates/guides/repo_level_policy.md.tmpl
@@ -1,17 +1,17 @@
---
-page_title: "Setup repo-level policy"
+page_title: "Setup repo-level policies"
---
-Cyral offers several pre-built [repo-level policy types](https://cyral.com/docs/policy/repo-level/).
-In this guide, we provide different examples on how to use them.
+Cyral offers several [policy wizards](https://cyral.com/docs/policy/repo-level/).
+ These wizards generate policies for common use cases based on the parameters you provide. The created policies are part of a _policy set_.
+ This guide shows how to define policy sets that use these wizards to create policies in Terraform.
Recommended further reading:
-* Refer to the [Cyral policies](https://cyral.com/docs/policy/overview/) page in our public
-docs for a complete documentation about the Cyral policy framework.
-* Refer to the [`cyral_rego_policy_instance`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance)
-resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters)
-and how to use the pre-built repo-level policies in Terraform.
+- Refer to the [Cyral policies](https://cyral.com/docs/policy/overview/) page in our public
+ docs for a complete documentation about the Cyral policy framework.
+- Refer to the [`cyral_policy_set`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/policy_set)
+ resource for more details about how to create policy sets in Terraform.
## Example: data firewall
diff --git a/templates/resources/policy_set.md.tmpl b/templates/resources/policy_set.md.tmpl
index f1fe8d09..2965ab72 100644
--- a/templates/resources/policy_set.md.tmpl
+++ b/templates/resources/policy_set.md.tmpl
@@ -8,4 +8,122 @@
{{ tffile "examples/resources/cyral_policy_set/resource.tf" }}
+## Available Policy Wizards
+
+The following policy wizards are available for creating policy sets. The wizard parameters,
+specified as a JSON object, are described below for each wizard as well.
+
+-> You can also use the Cyral API `GET` `/v1/regopolicies/templates` to retrieve all existing templates and their corresponding parameters schema.
+
+### Data Firewall (data-firewall) - Ensure that sensitive data can only be read by specified individuals.
+
+- `dataset` (String) Data Set (table, collection, etc.) to which the policy applies.
+- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
+- `substitutionQuery` (String) A query that will be used to replace all occurrences of the dataset in the original query. Only one of `dataFilter` and `substitutionQuery` can be specified.
+- `excludedIdentities` (Object) Identities that will be excluded from this policy. See [identityList](#objects--identityList).
+
+### Data Masking (data-masking) - Mask fields for specific users and applications.
+
+- `maskType` (String) Mask Type (E.g.: `null`, `constant`, `format-preserving`).
+- `maskArguments` (Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value).
+- `tags` (Array) Data Tags to which the policy applies.
+- `labels` (Array) Data Labels to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will apply to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will apply to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Data Protection (data-protection) - Guard against reads and writes of specified tables or fields.
+
+- `block` (Boolean) Policy action to block.
+- `governedOperations` (Array) Operations governed by this policy, can be one or more of: `read`, `update`, `delete`, and `insert`.
+- `tags` (Array) Data Tags to which the policy applies.
+- `labels` (Array) Data Labels to which the policy applies.
+- `datasets` (Array) Data Sets (tables, collections, etc.) to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Object Protection (object-protection) - Guards against operations like create, drop, and alter for specified object types.
+
+- `objectType` (String) The type of object to monitor or protect. The only value currently supported is `role/user`.
+- `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+- `governedOperations` (Array) Operations governed by this policy, can be one or more of: `create`, `drop`, and `alter`.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Alert severity. Allowed values are: `low`, `medium`, `high`.
+
+### Rate Limit (rate-limit) - Implement threshold on sensitive data reads over a period of time.
+
+- `rateLimit` (Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero.
+- `enforce` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+- `tags` (Array) Data Tags to which the policy applies.
+- `labels` (Array) Data Labels to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Read Limit (read-limit) - Prevent certain data from being read beyond a specified limit.
+
+- `rowLimit` (Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero.
+- `enforce` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+- `tags` (Array) Data Tags to which the policy applies.
+- `labels` (Array) Data Labels to which the policy applies.
+- `datasets` (Array) Data Sets (tables, collections, etc.) to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Repository Lockdown (repo-lockdown) - Deny all statements that are not allowed by some policy and/or not understood by Cyral.
+
+- `failClosed` (Boolean) Whether to fail closed, if true, all statements that are not understood by Cyral will be blocked.
+- `denyByDefault` (Boolean) Whether to deny all statements by default, if true, all statements that are not explicitly allowed by some policy will be blocked.
+
+### Repository Protection (repository-protection) - Alert when more than a specified number of records are updated, deleted, or inserted in specified datasets.
+
+- `rowLimit` (Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero.
+- `governedOperations` (Array) Operations governed by this policy, can be one or more of: `update`, `delete` and `insert`.
+- `datasets` (Array) Data Sets (tables, collections, etc.) to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+
+### Schema Protection (schema-protection) - Protect database schema against unauthorized creation, deletion, or modification of tables and views.
+
+- `block` (Boolean) Whether to block unauthorized schema changes.
+- `schemas` (Array) Schemas to which the policy applies.
+- `excludedIdentities` (Object) Identities that are exempt from the policy. See [identities](#objects--identityList).
+
+### Service Account Abuse (service-account-abuse) - Ensure service accounts can only be used by intended applications.
+
+- `block` (Boolean) Policy action to enforce.
+- `serviceAccounts` (Array) Service accounts for which end user attribution is always required.
+- `alertSeverity` (String) Alert severity. Allowed values are: `low`, `medium`, `high`.
+
+### Stored Procedure Governance (stored-procedure-governance) - Restrict execution of stored procedures..
+
+- `enforced` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+- `governedProcedures` (Array) Stored procedures to which the policy applies.
+- `identities` (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Alert severity. Allowed values are: `low`, `medium`, `high`.
+
+### User Segmentation (user-segmentation) - Restrict specific users to a subset of data.
+
+- `dataset` (String) Data Set (table, collection, etc.) to which the policy applies.
+- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
+- `substitutionQuery` (String) A query that will be used to replace all occurrences of the dataset in the original query. Only one of `dataFilter` and `substitutionQuery` can be specified.
+- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
+- `includedDbAccounts` (Array) Database accounts cannot see restricted records.
+
+
+### Objects
+
+- `identities` (Object) Identities. See properties below:
+ - `included` (Object) Included Identities. See [identityList](#objects--identityList).
+ - `excluded` (Object) Excluded Identities. See [identityList](#objects--identityList).
+
+- `dbAccounts` (Object) Database Accounts. See properties below:
+ - `included` (Array) Included Database Accounts.
+ - `excluded` (Array) Excluded Database Accounts.
+
+- `identityList` (Object) Identity List. See properties below:
+ - `userNames` (Array) Identity Emails.
+ - `emails` (Array) Identity Usernames.
+ - `groups` (Array) Identity Groups.
+
{{ .SchemaMarkdown | trimspace }}
diff --git a/templates/resources/rego_policy_instance.md.tmpl b/templates/resources/rego_policy_instance.md.tmpl
index b6a6beb2..0edb23c7 100644
--- a/templates/resources/rego_policy_instance.md.tmpl
+++ b/templates/resources/rego_policy_instance.md.tmpl
@@ -14,100 +14,205 @@ All templates use parameters defined as JSON, below is a list of all the corresp
-> You can also use the Cyral API `GET` `/v1/regopolicies/templates` to retrieve all existing templates and their corresponding parameters schema.
-### Data Firewall (data-firewall)
-
-- `dataSet` (String) Data Set.
-- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
-- `tags` (Array) Tags.
-- `labels` (Array) Data Labels.
-- `excludedIdentities` (Object) Identities that will be excluded from this policy. See [identityList](#objects--identityList).
-
-### Data Masking (data-masking)
-
-- `maskType` (String) Mask Type (E.g.: `NULL_MASK`, `CONSTANT_MASK`, `MASK`).
-- `maskArguments` (Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value).
-- `tags` (Array) Tags.
-- `labels` (Array) Data Labels.
-- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
-- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
-
-### Data Protection (data-protection)
-
-- `block` (Boolean) Policy action to block.
-- `monitorReads` (Boolean) Monitor read operations.
-- `monitorUpdates` (Boolean) Monitor update operations.
-- `monitorDeletes` (Boolean) Monitor delete operations.
-- `tags` (Array) Tags.
-- `labels` (Array) Data Labels.
-- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
-- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
-- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-
-### Ephemeral Grant (EphemeralGrantPolicy)
-
-- `repoAccount` (String) Repository Account Name.
-- `repo` (String) Repository Name.
-- `allowedSensitiveAttributes` (Array) Allowed Sensitive Attributes.
-
-### Rate Limit (rate-limit)
+### Fail Closed (fail-closed) - Protect against statements that are not understood by Cyral.
-- `rateLimit` (Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero.
-- `block` (Boolean) Policy action to enforce.
-- `tags` (Array) Tags.
-- `labels` (Array) Data Labels.
-- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
-- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+- `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+- `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+- `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-### Read Limit (read-limit)
+### Object Protection (object-protection) - Guards against operations like create, drop, and alter for specified object types.
-- `rowLimit` (Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero.
-- `block` (Boolean) Policy action to enforce.
-- `appliesToAllData` (Boolean) Whether the policy should apply to the entire repository data.
-- `tags` (Array) Tags.
-- `labels` (Array) Data Labels.
-- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
-- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+- `objectType` (String) The type of object to monitor or protect. Supported types include tables, views, roles/users, and schemas. Specific actions depend on the object type.
+- `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+- `monitorCreates` (Boolean) Specifies whether to monitor 'CREATE' operations for the defined object type. Applies only to relevant object types.
+- `monitorDrops` (Boolean) Specifies whether to monitor 'DROP' operations for the defined object type. Applies only to relevant object types.
+- `monitorAlters` (Boolean) Specifies whether to monitor 'ALTER' operations for the defined object type. Applies only to relevant object types.
+- `objects` (Array) A list of specific objects (e.g., tables or views) to monitor or protect. Required for 'table' or 'view' object types. Not applicable to 'role/user' or 'schema'.
+- `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+- `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-### Repository Protection (repository-protection)
+### Service Account Abuse (service-account-abuse) - Ensure service accounts can only be used by intended applications.
-- `rowLimit` (Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero.
-- `monitorUpdates` (Boolean) Monitor update operations.
-- `monitorDeletes` (Boolean) Monitor delete operations.
-- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
-- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
-- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-
-### Service Account Abuse (service-account-abuse)
+- `block` (Boolean) Policy action to enforce.
+- `serviceAccounts` (Array) Service accounts for which end user attribution is always required.
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-- `block` (Boolean) Policy action to enforce.
-- `serviceAccounts` (Array) Service accounts for which end user attribution is always required.
+### Stored Procedure Governance (stored-procedure-governance) - Restrict execution of stored procedures.
+- `governedProcedures` (Array) List of stored procedures to be governed.
+- `enforce` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+- `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+- `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-### User Segmentation (user-segmentation)
+### Ungoverned Statements (ungoverned-statements) - Control execution of statements not governed by other policies.
+- `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+- `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+- `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-- `dataSet` (String) Data Set.
-- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
-- `tags` (Array) Tags.
-- `labels` (Array) Data Labels.
-- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
-- `includedDbAccounts` (Array) Database accounts cannot see restricted records.
+### Deprecated policy templates
+The remaining list of policy templates have been deprecated in v4.18.X of the Cyral Control Plane
+and can not be used for creating new policies. Managing existing policy instances is still supported.
+Please visit [`cyral_policy_set`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/policy_set)
+resource to find replacements for the deprecated policy templates.
+
+#### Data Firewall (data-firewall)
+
+- `dataSet` (String) Data Set.
+- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
+- `tags` (Array) Tags.
+- `labels` (Array) Data Labels.
+- `excludedIdentities` (Object) Identities that will be excluded from this policy. See [identityList](#objects--identityList).
+
+#### Data Masking (data-masking)
+
+- `maskType` (String) Mask Type (E.g.: `NULL_MASK`, `CONSTANT_MASK`, `MASK`).
+- `maskArguments` (Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value).
+- `tags` (Array) Tags.
+- `labels` (Array) Data Labels.
+- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+
+#### Data Protection (data-protection)
+
+- `block` (Boolean) Policy action to block.
+- `monitorReads` (Boolean) Monitor read operations.
+- `monitorUpdates` (Boolean) Monitor update operations.
+- `monitorDeletes` (Boolean) Monitor delete operations.
+- `tags` (Array) Tags.
+- `labels` (Array) Data Labels.
+- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+#### Ephemeral Grant (EphemeralGrantPolicy)
+
+- `repoAccount` (String) Repository Account Name.
+- `repo` (String) Repository Name.
+- `allowedSensitiveAttributes` (Array) Allowed Sensitive Attributes.
+
+#### Rate Limit (rate-limit)
+
+- `rateLimit` (Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero.
+- `block` (Boolean) Policy action to enforce.
+- `tags` (Array) Tags.
+- `labels` (Array) Data Labels.
+- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+#### Read Limit (read-limit)
+
+- `rowLimit` (Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero.
+- `block` (Boolean) Policy action to enforce.
+- `appliesToAllData` (Boolean) Whether the policy should apply to the entire repository data.
+- `tags` (Array) Tags.
+- `labels` (Array) Data Labels.
+- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+#### Repository Protection (repository-protection)
+
+- `rowLimit` (Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero.
+- `monitorUpdates` (Boolean) Monitor update operations.
+- `monitorDeletes` (Boolean) Monitor delete operations.
+- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+#### User Segmentation (user-segmentation)
+
+- `dataSet` (String) Data Set.
+- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
+- `tags` (Array) Tags.
+- `labels` (Array) Data Labels.
+- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
+- `includedDbAccounts` (Array) Database accounts cannot see restricted records.
+
### Objects
+
-- `identities` (Object) Identities. See properties below:
- - `included` (Object) Included Identities. See [identityList](#objects--identityList).
- - `excluded` (Object) Excluded Identities. See [identityList](#objects--identityList).
-
-- `dbAccounts` (Object) Database Accounts. See properties below:
- - `included` (Array) Included Database Accounts.
- - `excluded` (Array) Excluded Database Accounts.
-
-- `identityList` (Object) Identity List. See properties below:
- - `userNames` (Array) Identity Emails.
- - `emails` (Array) Identity Usernames.
- - `groups` (Array) Identity Groups.
-
-{{ .SchemaMarkdown | trimspace }}
+
+- `identities` (Object) Identities. See properties below:
+ - `included` (Object) Included Identities. See [identityList](#objects--identityList).
+ - `excluded` (Object) Excluded Identities. See [identityList](#objects--identityList).
+
+- `dbAccounts` (Object) Database Accounts. See properties below:
+ - `included` (Array) Included Database Accounts.
+ - `excluded` (Array) Excluded Database Accounts.
+
+- `identityList` (Object) Identity List. See properties below:
+ - `userNames` (Array) Identity Emails.
+ - `emails` (Array) Identity Usernames.
+ - `groups` (Array) Identity Groups.
+
+
+
+## Schema
+
+### Required
+
+- `category` (String) Policy category. List of supported categories:
+ - `SECURITY`
+ - `GRANT`
+ - `USER_DEFINED`
+- `name` (String) Policy name.
+- `template_id` (String) Policy template identifier. Predefined templates are:
+ - `data-firewall`
+ - `data-masking`
+ - `data-protection`
+ - `EphemeralGrantPolicy`
+ - `rate-limit`
+ - `read-limit`
+ - `repository-protection`
+ - `service-account-abuse`
+ - `user-segmentation`
+
+### Optional
+
+- `description` (String) Policy description.
+- `duration` (String) Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc.
+- `enabled` (Boolean) Enable/disable the policy. Defaults to `false` (Disabled).
+- `parameters` (String) Policy parameters. The parameters vary based on the policy template schema.
+- `scope` (Block Set, Max: 1) Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the corresponding `repo_ids` that this policy should be applied. (see [below for nested schema](#nestedblock--scope))
+- `tags` (List of String) Tags that can be used to categorize the policy.
+
+### Read-Only
+
+- `created` (Set of Object) Information regarding the policy creation. (see [below for nested schema](#nestedatt--created))
+- `id` (String) The resource identifier. It is a composed ID that follows the format `{category}/{policy_id}`.
+- `last_updated` (Set of Object) Information regarding the policy last update. (see [below for nested schema](#nestedatt--last_updated))
+- `policy_id` (String) ID of this rego policy instance in Cyral environment.
+
+
+
+### Nested Schema for `scope`
+
+Required:
+
+- `repo_ids` (List of String) A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository.
+
+
+
+### Nested Schema for `created`
+
+Read-Only:
+
+- `actor` (String)
+- `actor_type` (String)
+- `timestamp` (String)
+
+
+
+### Nested Schema for `last_updated`
+
+Read-Only:
+
+- `actor` (String)
+- `actor_type` (String)
+- `timestamp` (String)