diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
index edc12b907ac..c16db8736a7 100644
--- a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
+++ b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
@@ -135,6 +135,12 @@ func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	if identity.Issuer == "" && identity.Subject == "" {
 		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject"))
 	}
+	if identity.Issuer != "" {
+		errs = errs.Also(ValidateRegex(identity.Issuer).ViaField("issuer"))
+	}
+	if identity.Subject != "" {
+		errs = errs.Also(ValidateRegex(identity.Subject).ViaField("subject"))
+	}
 	return errs
 }
 
diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
index 5d04662e836..b3213cc67a8 100644
--- a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
+++ b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
@@ -439,6 +439,67 @@ func TestIdentitiesValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "Should fail when issuer has invalid regex",
+			expectErr:   true,
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuer\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Issuer: "****"}},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:        "Should fail when subject has invalid regex",
+			expectErr:   true,
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subject\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Subject: "****"}},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "Should pass when subject and issuer have valid regex",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{
+						{
+							Glob: "globbityglob",
+						},
+					},
+					Authorities: []Authority{
+						{
+							Keyless: &KeylessRef{
+								Identities: []Identity{{Subject: ".*subject.*", Issuer: ".*issuer.*"}},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name:      "Should pass when identities is valid",
 			expectErr: false,
diff --git a/test/testdata/cosigned/invalid/keylessref-with-malformed-issuer.yaml b/test/testdata/cosigned/invalid/keylessref-with-malformed-issuer.yaml
new file mode 100644
index 00000000000..7b04359ee99
--- /dev/null
+++ b/test/testdata/cosigned/invalid/keylessref-with-malformed-issuer.yaml
@@ -0,0 +1,25 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: cosigned.sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+  name: image-policy
+spec:
+  images:
+  - glob: image*
+  authorities:
+  - keyless:
+      identities:
+      - issuer: ****
diff --git a/test/testdata/cosigned/invalid/keylessref-with-malformed-subject.yaml b/test/testdata/cosigned/invalid/keylessref-with-malformed-subject.yaml
new file mode 100644
index 00000000000..fbfd5f57288
--- /dev/null
+++ b/test/testdata/cosigned/invalid/keylessref-with-malformed-subject.yaml
@@ -0,0 +1,25 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: cosigned.sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+  name: image-policy
+spec:
+  images:
+  - glob: image*
+  authorities:
+  - keyless:
+      identities:
+      - subject: ****
diff --git a/test/testdata/cosigned/valid/valid-policy-regex.yaml b/test/testdata/cosigned/valid/valid-policy-regex.yaml
index a82ae479d84..804ff4127ec 100644
--- a/test/testdata/cosigned/valid/valid-policy-regex.yaml
+++ b/test/testdata/cosigned/valid/valid-policy-regex.yaml
@@ -33,6 +33,10 @@ spec:
   - keyless:
       identities:
       - issuer: "issue-details1"
+        subject: ".*subject.*"
+  - keyless:
+      identities:
+      - issuer: "issue.*"
   - key:
       data: |
         -----BEGIN PUBLIC KEY-----