diff --git a/barbican/common/config.py b/barbican/common/config.py
index a372f35fd..80d734f7a 100644
--- a/barbican/common/config.py
+++ b/barbican/common/config.py
@@ -338,7 +338,11 @@ def set_lib_defaults():
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
- policy_opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+ policy_opts.set_defaults(
+ CONF,
+ DEFAULT_POLICY_FILE,
+ enforce_scope=True,
+ enforce_new_defaults=True)
 
 
 def set_middleware_defaults():
diff --git a/releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml b/releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml
new file mode 100644
index 000000000..78676227d
--- /dev/null
+++ b/releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ This release uses Secure RBAC by default (See: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html )
+ To opt out of this change and continue using the legacy policies set
+ enforce_new_defaults=False and enforce_scope=False in the [oslo_policy]
+ section of barbican.conf.
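Review bot: The new `enforce_scope=True` / `enforce_new_defaults=True` keywords in the `set_lib_defaults()` hunk of `barbican/common/config.py` tighten authorization for every deployment that does not set these options itself, but the call carries no comment saying so and the visible diff adds no test that pins the values. I would add above the call `# Secure RBAC by default: enforce token scope and the new policy defaults.` and a unit test asserting that `CONF.oslo_policy.enforce_scope` and `CONF.oslo_policy.enforce_new_defaults` are both true after `set_lib_defaults()`, so a later refactor cannot silently fall back to the permissive defaults. The keyword form also presumes an oslo.policy release whose `set_defaults` accepts extra keyword overrides; the lower bound in the requirements files is not part of this diff and is worth confirming. Because requests that carry the wrong token scope or rely on the deprecated rules will presumably be rejected after upgrade, the release note would arguably belong under an `upgrade:` heading as well as `security:`. The body of `set_lib_defaults()` begins outside the hunk.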