diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml
index 6b609bcfe10bc266f428db7192376f6586fd1d64..59af854f207b7afea3339286b83054bf9a58660b 100644
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -279,6 +279,98 @@ policies:
           - istio-operator
           - istio-system
 
+  add-default-securitycontext:
+    validationFailureAction: Enforce
+    {{ if .Values.istio.enabled }}
+    parameters:
+      excludeContainers:
+        - istio-init
+        {{ if not .Values.addons.holocron.database.host }}
+        - init-chmod-data
+        {{- end }}
+    {{ else if not .Values.addons.holocron.database.host }}
+    parameters:
+      excludeContainers:
+        - init-chmod-data
+    {{- end }}
+    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.neuvector.enabled }}
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+      {{- if $deployNodeAgent }}
+      # Velero.  The node agent backup tool requires root group access to see the host's runtime pod directory which is
+      # mounted inside velero/node agent pods.
+      - resources:
+          namespaces:
+          - velero
+          names:
+          - node-agent*
+      {{- end }}
+      {{- if .Values.twistlock.enabled }}
+      # Twistlock Defenders run as root to perform real time scanning on the nodes/cluster, including:
+      # - read logs from `/var/log` to watch for malicious processes
+      # - audit modifications to `/etc/passwd` (watching for suspicious changes)
+      # - access the container runtime socket (observing all running containers on a node)
+      - resources:
+          namespaces:
+          - twistlock
+          names:
+          - twistlock-defender-ds*
+          - volume-upgrade-job*
+      {{- end }}
+      # For GitLab runner CI jobs that require root access
+      {{- if .Values.addons.gitlabRunner.enabled }}
+      - resources:
+          namespaces:
+          - gitlab-runner
+          names:
+          - runner-*
+      {{- end }}
+      {{- if .Values.fluentbit.enabled }}
+      # Fluentbit requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group
+      # and then granting permissions recursively on /var/log.
+      - resources:
+          namespaces:
+          - fluentbit
+          names:
+          - fluentbit-fluent-bit*
+      {{- end }}
+      {{- if .Values.promtail.enabled }}
+      # promtail requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group
+      # and then granting permissions recursively on /var/log.
+      # promtail requires access to /run/promtail for its buffering and persistent state.
+      - resources:
+          namespaces:
+          - promtail
+          names:
+          - promtail-promtail*
+      {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      # neuvector enforcers run as root to perform real time scanning on the nodes/cluster
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-enforcer-pod-*
+          - neuvector-controller-pod-*
+          - neuvector-cert-upgrader-job-*
+      {{- end }}
+      {{- if .Values.addons.mattermost.enabled }}
+        # Mattermost fails when policy was implemented
+      - resources:
+          namespaces:
+          - mattermost
+          - mattermost-operator
+          names:
+          - mattermost-*
+      {{- end }}
+    {{- end }}
+
+
   require-non-root-group:
     validationFailureAction: Enforce
     {{ if .Values.istio.enabled }}
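Review bot: The gitlab-runner and mattermost exclusions are only reachable by accident: the `exclude:` block is opened under `{{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.neuvector.enabled }}`, so the inner `{{- if .Values.addons.gitlabRunner.enabled }}` and `{{- if .Values.addons.mattermost.enabled }}` entries are never rendered unless one of those five other components is also on, and a cluster with only GitLab runner or Mattermost enabled gets no exclusion at all. The outer guard should list the same flags as the inner ones, e.g. `{{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.neuvector.enabled .Values.addons.gitlabRunner.enabled .Values.addons.mattermost.enabled }}`. The `# For GitLab runner CI jobs that require root access` comment sits outside its `{{- if }}`, unlike every other entry, so it is emitted as a dangling comment when the runner is disabled; move it inside the guard. The Mattermost comment is indented two columns deeper than the list item it describes and says only that "Mattermost fails", which is thin justification for exempting `mattermost-*` across two namespaces from a securityContext-hardening policy — a note naming the container or setting that breaks would let a later reviewer decide when the exemption can be dropped. The enclosing `policies:` mapping starts before this hunk.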
diff --git a/chart/values.yaml b/chart/values.yaml
index 9d56a69d43164c53b3ced574fc1cc3fcc0b2c26d..5dedcd7cbc28e455dcd353766aa7db4b3a10a323 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -515,11 +515,11 @@ kyvernoPolicies:
   git:
     repo: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies.git
     path: ./chart
-    tag: "3.3.4-bb.0"
+    tag: "3.3.4-bb.1"
   helmRepo:
     repoName: "registry1"
     chartName: "kyverno-policies"
-    tag: "3.3.4-bb.0"
+    tag: "3.3.4-bb.1"
 
   # -- Flux reconciliation overrides specifically for the Kyverno Package
   flux: {}
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 7dd0b81547799b95585dbed7e8a26ca5375fc6e3..1cc7638bda57ab06367d52ae198025cfb2b048ee 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -791,7 +791,36 @@ kyvernoPolicies:
               - alloy-config-validator*
               - alloy-config-analysis*
               - alloy-test*
-      require-non-root-user:
+      add-default-securitycontext:
+        exclude:
+          any:
+          - resources:
+              namespaces:
+              - metallb-system
+              names:
+              - speaker-*
+          - resources:
+              namespaces:
+              - argocd
+              names:
+              - guestbook*
+          - resources:
+              namespaces:
+              - velero
+              names:
+              - velero-backup-restore-test*
+          - resources:
+              namespaces:
+              - twistlock
+              names:
+              - volume-upgrade-job*
+          - resources:
+              namespaces:
+              - alloy
+              names:
+              - alloy-config-validator*
+              - alloy-config-analysis*
+              - alloy-test*
       disallow-namespaces:
         parameters:
           disallow:
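Review bot: The removed `require-non-root-user:` key was immediately followed by `disallow-namespaces:` in the old file, so it carried no value and parsed as null; its removal is presumably a cleanup, but since a null value in Helm values deletes that key on merge, the old test run may have been exercising the chart with the `require-non-root-user` override stripped, and that behaviour changes with this hunk — worth confirming it is intended rather than an incidental side effect of inserting the new block. The new `add-default-securitycontext` test exclusions mirror the list of the sibling policy above without saying why each workload (`speaker-*`, `guestbook*`) needs to skip the default securityContext; a one-line comment per entry, as the chart template does, would keep the test values reviewable. The enclosing `kyvernoPolicies:` mapping starts before this hunk.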