diff --git a/charts/rbac-best-practices-cel/pols/disable-automount-sa-token.yaml b/charts/rbac-best-practices-cel/pols/disable-automount-sa-token.yaml
new file mode 100644
index 00000000..e5e96313
--- /dev/null
+++ b/charts/rbac-best-practices-cel/pols/disable-automount-sa-token.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disable-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Disable automountServiceAccountToken
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ServiceAccount
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.21"
+ policies.kyverno.io/description: >-
+ A new ServiceAccount called `default` is created whenever a new Namespace is created.
+ Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount.
+ This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token
+ into Pods obviating the need to do so individually.
+spec:
+ rules:
+ - name: disable-automountserviceaccounttoken
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ names:
+ - default
+ mutate:
+ patchStrategicMerge:
+ automountServiceAccountToken: false
diff --git a/charts/rbac-best-practices-cel/pols/restrict-automount-sa-token.yaml b/charts/rbac-best-practices-cel/pols/restrict-automount-sa-token.yaml
new file mode 100644
index 00000000..0c8bd6fa
--- /dev/null
+++ b/charts/rbac-best-practices-cel/pols/restrict-automount-sa-token.yaml
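Review bot: The chart directory is named `rbac-best-practices-cel`, but this policy and `restrict-automount-sa-token.yaml` in the next hunk are written with the classic `mutate.patchStrategicMerge` and `validate.pattern` rule types rather than CEL expressions, so either the directory name or the rule style looks inconsistent and should be reconciled before merge. Separately, the mutation only changes the ServiceAccount-level default; a Pod that sets `automountServiceAccountToken: true` in its own spec still gets a token, which is standard Kubernetes precedence and worth stating so readers do not treat this policy as a block on its own. A sentence in the description such as `Pods can still opt in by setting automountServiceAccountToken: true on the Pod spec; pair this policy with restrict-automount-sa-token to detect that.` would cover it. The match uses `names: - default` at admission time, so as the description already says only newly created `default` ServiceAccounts are mutated; existing ones appear to be left untouched, which the description could make explicit.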
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod,ServiceAccount
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ Kubernetes automatically mounts ServiceAccount credentials in each Pod.
+ The ServiceAccount may be assigned roles allowing Pods to access API resources.
+ Blocking this ability is an extension of the least privilege best practice and should
+ be followed if Pods do not need to speak to the API server to function.
+ This policy ensures that mounting of these ServiceAccount tokens is blocked.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-automountServiceAccountToken
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
+ operator: NotEquals
+ value: policy-reporter
+ validate:
+ message: "Auto-mounting of Service Account tokens is not allowed."
+ pattern:
+ spec:
+ automountServiceAccountToken: "false"
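Review bot: The pattern `spec: automountServiceAccountToken: "false"` has no optional anchor, so, as far as I can tell from Kyverno's pattern semantics, a Pod that simply omits the field is reported as a violation even when its ServiceAccount already has auto-mount disabled (including the `default` ServiceAccount mutated by the sibling disable-automount-sa-token policy); if that is intended it should be documented, otherwise `=(automountServiceAccountToken): "false"` would only check Pods that set the field. With `validationFailureAction: Audit` and `background: true` the rule reports but does not reject, so the description's claim that mounting "is blocked" and the message "is not allowed" overstate the effect; a description line such as `This policy is deployed in Audit mode and reports non-compliant Pods; switch validationFailureAction to Enforce to block them.` would make the actual behaviour clear. The `policy-reporter` precondition is a hard-coded exemption keyed on a label any Pod can carry, which is worth a comment noting it is a reporting-only exclusion rather than a trust boundary.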