diff --git a/scripts/registry.py b/scripts/registry.py
index 3fa7cff..46d21f9 100644
--- a/scripts/registry.py
+++ b/scripts/registry.py
@@ -60,7 +60,9 @@
 "ecs_cluster_name": "data.aws_ecs_cluster.platform_main.cluster_name",
 "execution_role_arn": "data.aws_iam_role.platform_ecs_execution.arn",
 "route53_zone_id": "data.aws_route53_zone.platform_main.zone_id",
- "developer_boundary_arn": "data.aws_iam_policy.platform_developer_boundary.arn",
+ # Boundary ARN constructed from account ID — no data source needed.
+ # Avoids iam:GetPolicy permission requirement on the boundary policy.
+ "developer_boundary_arn": "NOT_USED",
 },
 },
@@ -128,7 +130,7 @@
 "team": "yaml:team",
 "region": "env:AWS_REGION",
 "aws_account_id": "env:AWS_ACCOUNT_ID",
- "permissions_boundary_arn": "ref:platform.developer_boundary_arn",
+ "permissions_boundary_arn": f"expr:arn:aws:iam::${{env:AWS_ACCOUNT_ID}}:policy/{PROJECT}-developer-boundary",
 "trusted_services": "list:yaml:compute.trusted_service|default:ecs-tasks.amazonaws.com",
 "additional_policy_jsons": "collect:access_policy_json",
 },
diff --git a/terraform/modules/platform-data/main.tf b/terraform/modules/platform-data/main.tf
index a47003c..7d62ff4 100644
--- a/terraform/modules/platform-data/main.tf
+++ b/terraform/modules/platform-data/main.tf
@@ -67,6 +67,6 @@ data "aws_route53_zone" "main" {
 private_zone = false
 }
-data "aws_iam_policy" "developer_boundary" { name = "${var.project}-developer-boundary" }
+
+# Note: the developer boundary ARN is constructed directly by expand-modules.py
+# instead of using a data source, to avoid needing iam:GetPolicy permission.
diff --git a/terraform/org/boundary.tf b/terraform/org/boundary.tf
index 5bca20e..36cbf55 100644
--- a/terraform/org/boundary.tf
+++ b/terraform/org/boundary.tf
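Review bot: Leaving `"developer_boundary_arn": "NOT_USED"` in the platform table means any remaining `ref:platform.developer_boundary_arn` (the form this commit removes one instance of) resolves to the literal string `NOT_USED` and, assuming `ref:` is a plain lookup, is handed to Terraform as a permissions_boundary value; a missing key would instead fail at expansion time, which is the safer failure mode for a security control. Suggest dropping the entry and keeping the two comment lines, or giving it a value the expander treats as an error rather than a placeholder string. The comment also says the ARN is "constructed from account ID" without saying where; pointing at the `permissions_boundary_arn` entry further down this file saves the next reader a search. The enclosing dict starts above the hunk.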
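Review bot: The new `permissions_boundary_arn` expression hard-codes the `aws` partition and interpolates `AWS_ACCOUNT_ID` without any check that it is set and is a 12-digit account ID, so an unset variable yields `arn:aws:iam:::policy/...` and a GovCloud or China account gets the wrong partition; both only surface when IAM rejects the boundary at apply time, whereas the removed `ref:` to the data source failed at plan time if the policy did not exist. The policy name is now also spelled twice, `{PROJECT}-developer-boundary` here and `${var.project}-developer-boundary` in terraform/org/boundary.tf, so a divergence produces an ARN for a policy that does not exist and every role creation in that environment fails. Suggest validating `AWS_ACCOUNT_ID` (non-empty, `^\d{12}$`) wherever `env:` values are resolved, which I cannot see from this hunk, and taking the partition from the environment if the expression syntax allows a default, e.g. `f"expr:arn:${{env:AWS_PARTITION|default:aws}}:iam::${{env:AWS_ACCOUNT_ID}}:policy/{PROJECT}-developer-boundary"` by analogy with the `|default:` used two lines below. A one-line comment that the boundary policy must already exist in the target account would document the check that was dropped.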
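Review bot: The replacement comment credits `expand-modules.py`, but the ARN construction in this commit is the `permissions_boundary_arn` entry in `scripts/registry.py`; unless expand-modules.py is the consumer of that table, the pointer sends the next reader to the wrong file. It also omits the operational consequence of dropping the data source: nothing checks at plan time any more that `${var.project}-developer-boundary` exists in the target account. Suggest `# Note: the developer boundary ARN is built from AWS_ACCOUNT_ID and the project name in scripts/registry.py (permissions_boundary_arn) rather than looked up here, so this module no longer needs iam:GetPolicy; the policy must still exist in the target account.` Whether `data.aws_iam_policy.developer_boundary` is still referenced elsewhere in this module cannot be seen from this hunk.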
@@ -17,6 +17,7 @@ resource "aws_iam_policy" "developer_boundary" {
 name = "${var.project}-developer-boundary"
 description = "Permission boundary for all non-platform roles. Self-replicating: roles with this boundary can only create roles that also carry it."
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [