Istio best practices include using ALLOW with a positive pattern and DENY with a negative pattern. Using the inverse could cause policy mismatches. For more information, see the Istio documentation.
References:
https://istio.io/latest/docs/ops/best-practices/security/#use-allow-with-positive-matching-and-deny-with-negative-match-patterns
To follow this pattern, update any Istio YAML files that configure a DENY action so that they use only negative matching fields such as notPaths or notValues rather than positive matching fields such as paths or values. This makes the security configuration clearer and can avoid a double-negative loophole in the policy logic.
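One way to check existing policies against this pattern is sketched below. It is an added example, not code from this page or from the Istio project. It goes beyond paths and values to cover every `not*` match field, and it also flags ALLOW rules that use negative fields, as the first paragraph describes. The policy names, paths and header key in the sample are constructed, and the input is assumed to be in the shape of `kubectl get authorizationpolicy -o json` output.

```python
import json

# Constructed sample shaped like `kubectl get authorizationpolicy -o json`
# output; the policy names, paths and header key are made up for illustration.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "deny-private"}, "spec": {"action": "DENY", "rules": [
     {"to": [{"operation": {"paths": ["/private"]}}]}]}},
  {"metadata": {"name": "deny-all-but-public"}, "spec": {"action": "DENY", "rules": [
     {"to": [{"operation": {"notPaths": ["/public"]}}],
      "when": [{"key": "request.headers[x-env]", "notValues": ["prod"]}]}]}},
  {"metadata": {"name": "allow-all-but-private"}, "spec": {"rules": [
     {"to": [{"operation": {"notPaths": ["/private"]}}]}]}}
]}
""")

def is_negative(field):
    # Negative matchers are named "not" + capitalised field (notPaths, notValues).
    return field.startswith("not") and field[3:4].isupper()

def matchers(rule):
    """Yield (location, field) for each match field set in one rule."""
    for section, inner in (("from", "source"), ("to", "operation")):
        for entry in rule.get(section, []):
            for field in entry.get(inner, {}):
                yield f"{section}.{inner}", field
    for cond in rule.get("when", []):
        for field in cond:
            if field != "key":  # "key" names the attribute, it is not a matcher
                yield "when", field

def lint(policies):
    """Return (policy, action, location.field) for each mismatched matcher."""
    findings = []
    for pol in policies.get("items", []):
        spec = pol.get("spec", {})
        action = spec.get("action", "ALLOW")  # ALLOW is the default action
        if action not in ("ALLOW", "DENY"):
            continue  # AUDIT and CUSTOM are outside this rule
        for rule in spec.get("rules", []):
            for loc, field in matchers(rule):
                # DENY should carry only not* fields, ALLOW only positive ones.
                if is_negative(field) != (action == "DENY"):
                    findings.append((pol["metadata"]["name"], action, f"{loc}.{field}"))
    return findings

if __name__ == "__main__":
    for name, action, field in lint(SAMPLE):
        print(f"{name}: {action} rule uses {field}")
```

A finding marks a rule to review and rewrite, not proof of a bypass; the second sample policy passes because both its `to` and `when` sections use only negative fields.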