diff --git a/nova/tests/functional/api/openstack/placement/test_verify_policy.py b/nova/tests/functional/api/openstack/placement/test_verify_policy.py
new file mode 100644
index 000000000000..a6fb602f72d1
--- /dev/null
+++ b/nova/tests/functional/api/openstack/placement/test_verify_policy.py
@@ -0,0 +1,50 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from nova.api.openstack.placement import direct
+from nova.api.openstack.placement import handler
+from nova.tests.functional.api.openstack.placement import base
+
+
+CONF = cfg.CONF
+
+
+class TestVerifyPolicy(base.TestCase):
+ """Verify that all defined placement routes have a policy."""
+
+ # Paths that don't need a policy check
+ EXCEPTIONS = ['/', '']
+
+ def _test_request_403(self, client, method, route):
+ headers = {
+ 'x-auth-token': 'user',
+ 'content-type': 'application/json'
+ }
+ request_method = getattr(client, method.lower())
+ # We send an empty request body on all requests. Because
+ # policy handling comes before other processing, the value
+ # of the body is irrelevant.
+ response = request_method(route, data='', headers=headers)
+ self.assertEqual(
+ 403, response.status_code,
+ 'method %s on route %s is open for user, status: %s' %
+ (method, route, response.status_code))
+
+ def test_verify_policy(self):
+ with direct.PlacementDirect(CONF, latest_microversion=True) as client:
+ for route, methods in handler.ROUTE_DECLARATIONS.items():
+ if route in self.EXCEPTIONS:
+ continue
+ for method in methods:
+ self._test_request_403(client, method, route)
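Review bot: The assertion in `_test_request_403` fires inside the nested loops of `test_verify_policy`, so the first method/route pair that answers anything other than 403 ends the test and any further unprotected routes go unreported. For a check whose purpose is to catch routes that lack a policy, it is more useful to record every `(method, route, status)` that is not 403 and assert once after the loop, as sketched below. The routes are also sent exactly as declared in `handler.ROUTE_DECLARATIONS`, presumably with any path placeholders unsubstituted, so the existing comment about the empty body could also state that the test relies on the policy check running before path arguments are validated.

```python
    def _request_status(self, client, method, route):
        # … unchanged: headers, request_method lookup and the empty-body comment …
        response = request_method(route, data='', headers=headers)
        return response.status_code

    def test_verify_policy(self):
        open_routes = []
        with direct.PlacementDirect(CONF, latest_microversion=True) as client:
            # … unchanged: loop over ROUTE_DECLARATIONS and the EXCEPTIONS skip …
                for method in methods:
                    status = self._request_status(client, method, route)
                    if status != 403:
                        open_routes.append((method, route, status))
        self.assertEqual(
            [], open_routes,
            'routes open for user (method, route, status): %s' % open_routes)
```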