A modern campus requires at least three separate security programs: a classical control-based program for enterprise systems, a compliance program for highly regulated environments, and a flexible, context-aware program for research. The policy guiding these programs needs to be adaptable, self-auditing, and progressive, immune from changes in the threat landscape and technology. This talk will explore this theme contrasting what the UC needs with the existing IS-3.