diff --git a/access_groups.tf b/access_groups.tf
index 3c7f125..e5f0d0b 100644
--- a/access_groups.tf
+++ b/access_groups.tf
@@ -11,85 +11,47 @@ resource "cloudflare_zero_trust_access_policy" "policies" {
   name             = each.value.name
   session_duration = "0s"
 
-  # Purpose justification
   purpose_justification_prompt   = try(each.value.purpose_justification_prompt, null)
   purpose_justification_required = try(each.value.purpose_justification, false)
 
-  # Include groups
-  include = concat(
-    # Groups (both SAML and composite groups via mapping)
-    [
-      for group in each.value.include_groups : {
-        group = {
-          id = var.policy_groups[group]
-        }
+  include = [
+    for group in each.value.include_groups : {
+      group = {
+        id = var.policy_groups[group]
       }
-    ],
-    # Email domain (for contractors)
-    try(each.value.include_email_domain, false) ? [{
-      email_domain = {
-        domain = var.cf_email_domain
-      }
-    }] : []
-  )
+    }
+  ]
+
+  exclude = try([
+    for group in each.value.exclude_groups : {
+      group = {
+        id = var.policy_groups[group]
+      }
+    }
+  ], [])
 
-  # Require conditions
   require = concat(
-    # Device posture (always required if specified)
-    try(each.value.require_posture, false) ? [{
-      device_posture = {
-        integration_uid = var.cf_gateway_posture_id
-      }
-    }] : [],
-    # MFA requirement
     try(each.value.require_mfa, false) ? [{
-      auth_method = {
-        auth_method = "mfa"
-      }
+      any_valid_service_token = false
+      auth_method             = "mfa"
     }] : [],
-    # Login method (for specific policies)
+
     try(each.value.require_login_method, false) ? [{
       login_method = {
         id = var.cf_okta_identity_provider_id
       }
     }] : [],
-    # Country requirements
+
     try(each.value.require_country, false) ? [{
       group = {
-        id = cloudflare_zero_trust_access_group.country_requirements_rule_group.id
+        id = var.policy_groups["country_requirements"]
       }
     }] : [],
-    # OS version requirements
-    try(each.value.require_os_version, false) ? [{
+
+    try(each.value.require_latest_os, false) ? [{
       group = {
-        id = cloudflare_zero_trust_access_group.latest_os_version_requirements_rule_group.id
-      }
-    }] : [],
-    # External evaluation requirements
-    try(each.value.require_external_evaluation, false) ? [{
-      external_evaluation = {
-        evaluate_url = each.value.external_evaluation_url
-        keys_url     = each.value.external_evaluation_keys_url
+        id = var.policy_groups["latest_os_version_requirements"]
       }
     }] : []
   )
-
-  # Exclude SMS (for MFA policies)
-  exclude = try(each.value.require_mfa, false) ? [{
-    auth_method = {
-      auth_method = "sms"
-    }
-  }] : []
-
-  # Explicit dependencies to ensure proper destruction order:
-  # Policies → Composite Groups → Individual SAML Groups
-  depends_on = [
-    cloudflare_zero_trust_access_group.employees_rule_group,
-    cloudflare_zero_trust_access_group.sales_team_rule_group,
-    cloudflare_zero_trust_access_group.admins_rule_group,
-    cloudflare_zero_trust_access_group.contractors_rule_group,
-    cloudflare_zero_trust_access_group.saml_groups
-  ]
-
-  # Note: lifecycle blocks cannot be conditional in for_each resources
-}
\ No newline at end of file
+}