Istio best practices include using ALLOW with a positive pattern and DENY with a negative pattern. Using the inverse could cause policy mismatches. For more information, see the Istio documentation.
References:
https://istio.io/latest/docs/ops/best-practices/security/#use-allow-with-positive-matching-and-deny-with-negative-match-patterns
To follow this practice, update any Istio YAML files that configure an ALLOW action so that they match only on positive fields such as paths or values, rather than negative fields such as notPaths or notValues. This makes the security configuration clearer and can avoid a double-negative loophole in the policy logic.
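
The pattern described above, shown as an added example that is not taken from the original page or from the Istio project. The policy names, the `app: httpbin` workload label and the `/private` and `/public` paths are assumptions made for illustration.

```yaml
# Weak: ALLOW with a negative match. Every path other than /private is
# allowed, including paths added to the service later without review.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-not-private        # hypothetical name
spec:
  selector:
    matchLabels:
      app: httpbin               # hypothetical workload label
  action: ALLOW
  rules:
  - to:
    - operation:
        notPaths: ["/private"]
---
# Corrected: ALLOW with a positive match. Only /public is allowed; any other
# path is denied unless another ALLOW policy on the workload matches it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-public             # hypothetical name
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/public"]
---
# DENY with a negative match: reject every request whose path is not /public.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-not-public          # hypothetical name
spec:
  selector:
    matchLabels:
      app: httpbin
  action: DENY
  rules:
  - to:
    - operation:
        notPaths: ["/public"]
```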