Impact: @hulumi/policies versions before 1.3.2 did not fully inspect inline and attached IAM policy evidence for the administrator-policy guardrail, so some admin-equivalent policy paths could pass policy evaluation.

Patched in 1.3.2: the validator inspects the affected policy shapes and includes regression tests.

Remediation: upgrade @hulumi/policies to 1.3.2 or later.