diff --git a/service/policy/attributes/attributes.proto b/service/policy/attributes/attributes.proto index b95df1aa1..8dc11a6cd 100644 --- a/service/policy/attributes/attributes.proto +++ b/service/policy/attributes/attributes.proto @@ -13,13 +13,25 @@ import "policy/selectors.proto"; */ message AttributeKeyAccessServer { - string attribute_id = 1; - string key_access_server_id = 2; + string attribute_id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; + string key_access_server_id = 2 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message ValueKeyAccessServer { - string value_id = 1; - string key_access_server_id = 2; + string value_id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; + string key_access_server_id = 2 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } /* @@ -37,7 +49,10 @@ message ListAttributesResponse { } message GetAttributeRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message GetAttributeResponse { policy.Attribute attribute = 1; @@ -45,7 +60,10 @@ message GetAttributeResponse { message CreateAttributeRequest { // Required - string namespace_id = 1 [(buf.validate.field).required = true]; + string namespace_id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; string name = 2 [ (buf.validate.field).required = true, (buf.validate.field).string.max_len = 253, @@ -84,7 +102,10 @@ message CreateAttributeResponse { message UpdateAttributeRequest { // Required - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; // Optional common.MetadataMutable metadata = 100; 
@@ -95,7 +116,10 @@ message UpdateAttributeResponse { } message DeactivateAttributeRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message DeactivateAttributeResponse { policy.Attribute attribute = 1; @@ -105,14 +129,20 @@ message DeactivateAttributeResponse { /// Value RPC messages /// message GetAttributeValueRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message GetAttributeValueResponse { policy.Value value = 1; } message ListAttributeValuesRequest { - string attribute_id = 1 [(buf.validate.field).required = true]; + string attribute_id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; // ACTIVE by default when not specified common.ActiveStateEnum state = 2; } @@ -122,7 +152,10 @@ message ListAttributeValuesResponse { message CreateAttributeValueRequest { // Required - string attribute_id = 1 [(buf.validate.field).required = true]; + string attribute_id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; string value = 2 [ (buf.validate.field).required = true, (buf.validate.field).string.max_len = 253, @@ -145,7 +178,10 @@ message CreateAttributeValueResponse { } message UpdateAttributeValueRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; // Deprecated reserved "members"; @@ -160,7 +196,10 @@ message UpdateAttributeValueResponse { } message DeactivateAttributeValueRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message DeactivateAttributeValueResponse { policy.Value value = 1; 
@@ -169,7 +208,7 @@ message DeactivateAttributeValueResponse { message GetAttributeValuesByFqnsRequest { // Required // Fully Qualified Names of attribute values (i.e. https:///attr//value/), normalized to lower case. - repeated string fqns = 1 [(buf.validate.field).required = true]; + repeated string fqns = 1 [(buf.validate.field).required = true]; // TODO: validate min/max len but NOT FQN format policy.AttributeValueSelector with_value = 2 [(buf.validate.field).required = true]; } message GetAttributeValuesByFqnsResponse { diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto index c62392ba9..e3a0e4323 100644 --- a/service/policy/kasregistry/key_access_server_registry.proto +++ b/service/policy/kasregistry/key_access_server_registry.proto @@ -8,7 +8,10 @@ import "google/api/annotations.proto"; import "policy/objects.proto"; message GetKeyAccessServerRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message GetKeyAccessServerResponse { KeyAccessServer key_access_server = 1; @@ -33,7 +36,10 @@ message CreateKeyAccessServerResponse { message UpdateKeyAccessServerRequest { // Required - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; string uri = 2; PublicKey public_key = 3; @@ -46,7 +52,10 @@ message UpdateKeyAccessServerResponse { } message DeleteKeyAccessServerRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message DeleteKeyAccessServerResponse { KeyAccessServer key_access_server = 1; 
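Review bot: `fqns` in `GetAttributeValuesByFqnsRequest` is still an unbounded list of unbounded strings. `required = true` only rejects an empty list, so one request can carry any number of entries of any length into the lookup. The TODO on that line already points at this, and I would close it in this change with item-count and per-item length rules, e.g. `(buf.validate.field).repeated = {min_items: 1, max_items: <MAX_FQNS>, items: {string: {max_len: <MAX_FQN_LEN>}}}`, with the two limits (placeholders here) chosen by the service owners. Leaving the FQN format itself unchecked, as the TODO asks, is compatible with that.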
@@ -73,8 +82,8 @@ message ListKeyAccessServerGrantsRequest { // Optional // Filter LIST by either ID or URI of a registered Key Access Server. // If neither is provided, grants from all registered KASs to policy attribute objects are returned. - string kas_id = 1; - string kas_uri = 2; + string kas_id = 1; // TOOD: test ignore_empty and other options for validating UUID only when not empty + string kas_uri = 2; // TODO: uri format } message ListKeyAccessServerGrantsResponse { diff --git a/service/policy/namespaces/namespaces.proto b/service/policy/namespaces/namespaces.proto index 2189c1e13..23c2c643b 100644 --- a/service/policy/namespaces/namespaces.proto +++ b/service/policy/namespaces/namespaces.proto @@ -13,8 +13,14 @@ import "policy/objects.proto"; */ message NamespaceKeyAccessServer { - string namespace_id = 1; - string key_access_server_id = 2; + string namespace_id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; + string key_access_server_id = 2 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } /* @@ -24,7 +30,10 @@ message NamespaceKeyAccessServer { */ message GetNamespaceRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message GetNamespaceResponse { policy.Namespace namespace = 1; @@ -59,7 +68,10 @@ message CreateNamespaceResponse { message UpdateNamespaceRequest { // Required - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; // Optional common.MetadataMutable metadata = 100; 
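Review bot: In `ListKeyAccessServerGrantsRequest`, `kas_id` and `kas_uri` stay unvalidated, so these optional filters reach the handler as arbitrary strings while every required id in this change is now checked as a UUID. A proto3 string has no presence, so as far as I know `string.uuid = true` on its own would also reject the empty "no filter" case, which is what the TODO is working around. If the pinned protovalidate version still offers it, `string kas_id = 1 [(buf.validate.field).ignore_empty = true, (buf.validate.field).string.uuid = true];` covers that, and `string.uri = true` with the same ignore option would do for `kas_uri`. The same gap is left as a TODO on `namespace_id` in `ListResourceMappingGroupsRequest` and `UpdateResourceMappingGroupRequest`, and on `group_id` in `ListResourceMappingsRequest`, in resource_mapping.proto. The comment on `kas_id` also spells TODO as `TOOD`, which hides it from a TODO search.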
@@ -70,7 +82,10 @@ message UpdateNamespaceResponse { } message DeactivateNamespaceRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message DeactivateNamespaceResponse {} diff --git a/service/policy/resourcemapping/resource_mapping.proto b/service/policy/resourcemapping/resource_mapping.proto index 80fbc5540..f2b424c2f 100644 --- a/service/policy/resourcemapping/resource_mapping.proto +++ b/service/policy/resourcemapping/resource_mapping.proto @@ -14,7 +14,7 @@ import "policy/objects.proto"; message ListResourceMappingGroupsRequest { // Optional - string namespace_id = 1; + string namespace_id = 1; // TODO: validate UUID only if provided } message ListResourceMappingGroupsResponse { @@ -23,7 +23,10 @@ message ListResourceMappingGroupsResponse { message GetResourceMappingGroupRequest { // Required - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message GetResourceMappingGroupResponse { @@ -32,7 +35,10 @@ message GetResourceMappingGroupResponse { message CreateResourceMappingGroupRequest { // Required - string namespace_id = 1 [(buf.validate.field).required = true]; + string namespace_id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; string name = 2 [(buf.validate.field).required = true]; @@ -46,10 +52,13 @@ message CreateResourceMappingGroupResponse { message UpdateResourceMappingGroupRequest { // Required - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; // Optional - string namespace_id = 2; + string namespace_id = 2; // TODO: validate UUID only when provided string name = 3; 
@@ -64,7 +73,10 @@ message UpdateResourceMappingGroupResponse { message DeleteResourceMappingGroupRequest { // Required - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message DeleteResourceMappingGroupResponse { @@ -77,7 +89,7 @@ message DeleteResourceMappingGroupResponse { message ListResourceMappingsRequest { // Optional - string group_id = 1; + string group_id = 1; // TODO: validate UUID only when provided } message ListResourceMappingsResponse { @@ -112,50 +124,28 @@ message ListResourceMappingsByGroupFqnsResponse { message GetResourceMappingRequest { // Required - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message GetResourceMappingResponse { policy.ResourceMapping resource_mapping = 1; } -/* - ### Request - - grpcurl -plaintext -d @ localhost:8080 policy.resourcemapping.ResourceMappingService/CreateResourceMapping <), normalized to lower case. - string fqn = 2 [(buf.validate.field).required = true]; + string fqn = 2 [(buf.validate.field).required = true]; // TODO: valid FQN } message UnsafeDeleteNamespaceResponse { policy.Namespace namespace = 1; @@ -58,7 +67,10 @@ message UnsafeDeleteNamespaceResponse { // Updating an Attribute can have dangerous consequences. Use with caution. message UnsafeUpdateAttributeRequest { // Required - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; // Optional // WARNING!! 
@@ -91,7 +103,10 @@ message UnsafeUpdateAttributeResponse { // Reactivating an Attribute can potentially open up an access path to existing TDFs containing the Attribute name. // Active state of any Values under this Attribute Definition will NOT be changed. message UnsafeReactivateAttributeRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message UnsafeReactivateAttributeResponse { policy.Attribute attribute = 1; @@ -104,9 +119,12 @@ message UnsafeReactivateAttributeResponse { message UnsafeDeleteAttributeRequest { // Required // UUID of the Attribute - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; // Fully Qualified Name (FQN) of Attribute Definition (i.e. https:///attr/), normalized to lower case. - string fqn = 2 [(buf.validate.field).required = true]; + string fqn = 2 [(buf.validate.field).required = true]; // TODO: valid FQN } message UnsafeDeleteAttributeResponse { policy.Attribute attribute = 1; @@ -119,7 +137,10 @@ message UnsafeDeleteAttributeResponse { // WARNING!! // Updating an Attribute Value will retroactively alter access to existing TDFs containing the old and new Attribute Value. message UnsafeUpdateAttributeValueRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; string value = 2 [ (buf.validate.field).string.max_len = 253, 
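Review bot: `fqn` in `UnsafeDeleteAttributeRequest` (second hunk here) is only marked required, with `// TODO: valid FQN`, so any non-empty string of any length passes schema validation on a destructive call. The FQN appears to act as the caller's confirmation of the target, which makes the loose rule matter more. Until a proper FQN rule exists I would at least bound it and require a URI, e.g. `(buf.validate.field).string.max_len = <MAX_FQN_LEN>` (placeholder limit) together with `(buf.validate.field).string.uri = true`. The field comment should also state that the server must compare it with the stored FQN of `id` before deleting; that check is not visible in this diff. The same applies to `fqn` in `UnsafeDeleteNamespaceRequest` and `UnsafeDeleteAttributeValueRequest` in this file.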
@@ -137,7 +158,10 @@ message UnsafeUpdateAttributeValueResponse { // WARNING!! // Reactivating an Attribute Value can potentially open up an access path to existing TDFs containing the Attribute Value. message UnsafeReactivateAttributeValueRequest { - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; } message UnsafeReactivateAttributeValueResponse { policy.Value value = 1; @@ -149,9 +173,12 @@ message UnsafeReactivateAttributeValueResponse { message UnsafeDeleteAttributeValueRequest { // Required // UUID of the Attribute Value - string id = 1 [(buf.validate.field).required = true]; + string id = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.uuid = true + ]; // Fully Qualified Name (FQN) of Attribute Value (i.e. https:///attr//value/), normalized to lower case. - string fqn = 2 [(buf.validate.field).required = true]; + string fqn = 2 [(buf.validate.field).required = true]; // TODO: valid FQN } message UnsafeDeleteAttributeValueResponse { policy.Value value = 1;