diff --git a/fast/stages/0-org-setup/schemas/organization.schema.json b/fast/stages/0-org-setup/schemas/organization.schema.json
index 4092e5320..3f82b7e6f 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.json
+++ b/fast/stages/0-org-setup/schemas/organization.schema.json
@@ -178,6 +178,85 @@
"iam_by_principals_additive": {
"$ref": "#/$defs/iam_by_principals"
},
+ "iam_deny_policies": {
+ "type": "object",
+ "additionalProperties": false,
+ "patternProperties": {
+ "^[a-z0-9-]+$": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "rules"
+ ],
+ "properties": {
+ "display_name": {
+ "type": "string"
+ },
+ "rules": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "denied_permissions",
+ "denied_principals"
+ ],
+ "properties": {
+ "description": {
+ "type": "string"
+ },
+ "denied_permissions": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "denied_principals": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "denial_condition": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "expression"
+ ],
+ "properties": {
+ "expression": {
+ "type": "string"
+ },
+ "title": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ }
+ },
+ "exception_permissions": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "exception_principals": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
"logging": {
"type": "object",
"additionalProperties": false,
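Review bot: The three required arrays in the new `iam_deny_policies` block (`rules`, `denied_permissions` and `denied_principals`) accept an empty list, so a policy with `"rules": []` or a rule with `"denied_principals": []` passes validation while denying nothing. Adding `"minItems": 1` to each of the three would reject such a no-op policy at schema validation instead of leaving it to be noticed at apply time or later. The item strings are also unconstrained, and deny policies take principal identifiers in a different form from allow bindings. A `description` on the `denied_principals` and `exception_principals` items stating the expected form would help authors; a `pattern` is only an option if it stays compatible with whatever value substitution the stage performs before calling the API, which this hunk does not show.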
diff --git a/fast/stages/0-org-setup/schemas/organization.schema.md b/fast/stages/0-org-setup/schemas/organization.schema.md
index 9523f7334..d22bd9b7d 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.md
+++ b/fast/stages/0-org-setup/schemas/organization.schema.md
@@ -56,6 +56,29 @@
- **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
- **iam_by_principals_conditional**: *reference([iam_by_principals_conditional](#refs-iam_by_principals_conditional))*
- **iam_by_principals_additive**: *reference([iam_by_principals](#refs-iam_by_principals))*
+- **iam_deny_policies**: *object*
+
*additional properties: false*
+ - **`^[a-z0-9-]+$`**: *object*
+
*additional properties: false*
+ - **display_name**: *string*
+ - ⁺**rules**: *array*
+ - items: *object*
+
*additional properties: false*
+ - **description**: *string*
+ - ⁺**denied_permissions**: *array*
+ - items: *string*
+ - ⁺**denied_principals**: *array*
+ - items: *string*
+ - **denial_condition**: *object*
+
*additional properties: false*
+ - ⁺**expression**: *string*
+ - **title**: *string*
+ - **description**: *string*
+ - **location**: *string*
+ - **exception_permissions**: *array*
+ - items: *string*
+ - **exception_principals**: *array*
+ - items: *string*
- **logging**: *object*
*additional properties: false*
- **kms_key_name**: *string*