diff --git a/devstack/lib/heat b/devstack/lib/heat index e597f7228f..799f23a4c0 100644 --- a/devstack/lib/heat +++ b/devstack/lib/heat @@ -63,9 +63,9 @@ HEAT_CFN_API_UWSGI=$HEAT_BIN_DIR/heat-wsgi-api-cfn # Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults. # This is used to disable the compute API policies scope and new defaults. -# By Default, it is False. +# By Default, it is True. # For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope -HEAT_ENFORCE_SCOPE=$(trueorfalse False HEAT_ENFORCE_SCOPE) +HEAT_ENFORCE_SCOPE=$(trueorfalse True HEAT_ENFORCE_SCOPE) # other default options if [[ "$HEAT_STANDALONE" == "True" ]]; then diff --git a/heat/common/policy.py b/heat/common/policy.py index ab17f5b200..204e94d47c 100644 --- a/heat/common/policy.py +++ b/heat/common/policy.py @@ -38,7 +38,11 @@ DEFAULT_RESOURCE_RULES = policy.Rules.from_dict({'default': '@'}) # once oslo_policy change the default value to 'policy.yaml'. # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 DEFAULT_POLICY_FILE = 'policy.yaml' -opts.set_defaults(CONF, DEFAULT_POLICY_FILE) +opts.set_defaults( + CONF, + DEFAULT_POLICY_FILE, + enforce_scope=True, + enforce_new_defaults=True) ENFORCER = None diff --git a/heat/tests/test_common_policy.py b/heat/tests/test_common_policy.py index e085d1935b..e710b53518 100644 --- a/heat/tests/test_common_policy.py +++ b/heat/tests/test_common_policy.py 
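Review bot: The context comment above `HEAT_ENFORCE_SCOPE` still reads "This is used to disable the compute API policies scope and new defaults", which no longer fits a Heat flag whose default is now True. Suggest rewording the two lines to `# Controls oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults for Heat.` and `# Set HEAT_ENFORCE_SCOPE=False to run with the legacy policy defaults.` The code that writes this variable into heat.conf is outside the hunk. Since the in-code defaults become True in this same commit, it is worth confirming that the False case sets both options to False explicitly rather than just skipping the True branch; otherwise the opt-out would presumably have no effect.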
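Review bot: The new `enforce_scope=True, enforce_new_defaults=True` arguments to `opts.set_defaults` carry no comment, and the comment directly above only explains the `policy.yaml` file default, so nothing marks this call as the switch to scope-enforced RBAC. Suggest adding above the call: `# Enforce token scope and the new RBAC defaults out of the box; operators can still set [oslo_policy] enforce_scope / enforce_new_defaults to False in heat.conf.` The call sits at module level and acts on `CONF`, so the new defaults apply as soon as the module is imported. A deployment whose policy file overrides were written against the deprecated rules will presumably get different authorization results after upgrade without any config change. The comment or the release note should tell operators to review their policy file against the new defaults before upgrading.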
@@ -71,18 +71,20 @@ class TestPolicyEnforcer(common.HeatTestCase): @ddt.file_data('policy/test_acl_personas.yaml') @ddt.unpack def test_legacy_rbac_policies(self, **kwargs): + self.fixture.config(group='oslo_policy', enforce_scope=False) + self.fixture.config(group='oslo_policy', enforce_new_defaults=False) self._test_legacy_rbac_policies(**kwargs) @ddt.file_data('policy/test_deprecated_access.yaml') @ddt.unpack def test_deprecated_policies(self, **kwargs): + self.fixture.config(group='oslo_policy', enforce_scope=False) + self.fixture.config(group='oslo_policy', enforce_new_defaults=False) self._test_legacy_rbac_policies(**kwargs) @ddt.file_data('policy/test_new_acl_personas.yaml') @ddt.unpack def test_secure_rbac_policies(self, **kwargs): - self.fixture.config(group='oslo_policy', enforce_scope=True) - self.fixture.config(group='oslo_policy', enforce_new_defaults=True) scope = kwargs.get("scope") actions = kwargs.get("actions") allowed_personas = kwargs.get("allowed", []) diff --git a/releasenotes/notes/enable-enforce-scope-and-new-defaults-76e9b64cc5bed89e.yaml b/releasenotes/notes/enable-enforce-scope-and-new-defaults-76e9b64cc5bed89e.yaml new file mode 100644 index 0000000000..80505b55fb --- /dev/null +++ b/releasenotes/notes/enable-enforce-scope-and-new-defaults-76e9b64cc5bed89e.yaml @@ -0,0 +1,7 @@ +--- +upgrade: + - | + Now heat enables the API policies (RBAC) new defaults and scope by default. + The default value of config options ``[oslo_policy] enforce_scope`` and + ``[oslo_policy] enforce_new_defaults`` have been changed from ``False`` to + ``True``. diff --git a/requirements.txt b/requirements.txt index 3b82e125d1..5f9d4e8e23 100644 --- a/requirements.txt +++ b/requirements.txt 
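Review bot: `test_legacy_rbac_policies` and `test_deprecated_policies` now repeat the same two `self.fixture.config(...)` overrides, while `test_secure_rbac_policies` silently depends on the module-level defaults being True. Assuming `self.fixture` is the oslo.config fixture, the pair can be one call, `self.fixture.config(group='oslo_policy', enforce_scope=False, enforce_new_defaults=False)`, ideally in a small helper shared by both legacy tests. The secure test would also read better with a one-line comment such as `# relies on the enforce_scope/enforce_new_defaults defaults set in heat.common.policy`, or with an assertion on the two option values. That way a regression of the defaults fails with a clear message instead of as scattered persona mismatches. The body of `test_secure_rbac_policies` continues outside the hunk.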
@@ -21,7 +21,7 @@ oslo.i18n>=3.20.0 # Apache-2.0
 oslo.log>=4.3.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
 oslo.serialization>=2.25.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0