In an example, a validation system comprises processing circuitry having access to a storage device and is configured to obtain flow records indicative of packet flows among workloads deployed to a cluster of one or more computing devices configured with a network policy, wherein each flow record of the flow records indicates a corresponding packet flow was allowed or denied by the cluster; receive an updated network policy; determine whether a corresponding packet flow for a flow record of the flow records has a discrepancy with the updated network policy; and in response to determining the corresponding packet flow for the flow record of the flow records has a discrepancy with the updated network policy, output an indication of an error.