Policy Engine
| Field | Value |
|---|---|
| Document ID | ASCEND-GOV-006 |
| Version | 2026.04 |
| Last Updated | April 2026 |
| Author | ASCEND Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 12 minutes | Skill Level: Advanced
Overview
The ASCEND Policy Engine evaluates every proposed AI agent action against the active policies in real time, with a sub-200ms evaluation target. Policies define governance rules for agent actions: they can be written directly against resource, namespace and verb patterns, or generated from a natural-language description, and every evaluation carries a four-category risk score (Financial, Data, Security, Compliance).
Immediate Effect
Policy changes take effect immediately for all subsequent action evaluations that miss the policy cache. Because decisions are cached (TTL 300s, or 60s for high-risk actions), a repeat of an action evaluated shortly before the change may still receive the cached decision until that entry expires; clear the cache (see Cache Management) if the change must apply at once. Test new policies in a staging environment or use the dry-run mode before applying them to production agents.
Policy Architecture
POLICY EVALUATION FLOW

ACTION SUBMITTED
      |
      v
+------------------------+
|   POLICY CACHE CHECK   |  <-- Cache TTL: 300s (60s for high-risk)
+------------------------+
      |
      v (cache miss)
+------------------------+
|    PATTERN MATCHING    |  Resource, Namespace, Verb patterns
+------------------------+
      |
      v
+------------------------+
|  CONDITION EVALUATION  |  Time, Role, Environment conditions
+------------------------+
      |
      v
+------------------------+
|      RISK SCORING      |  4 categories: Financial, Data, Security, Compliance
+------------------------+
      |
      v
+------------------------+
|     FINAL DECISION     |  ALLOW | DENY | REQUIRE_APPROVAL | ESCALATE
+------------------------+
Policy Decisions
| Decision | Description | Typical Use Case |
|---|---|---|
| ALLOW | Action permitted | Low-risk operations |
| DENY | Action blocked | Policy violations |
| REQUIRE_APPROVAL | Human approval needed | Medium-risk operations |
| ESCALATE | Security team review | Critical operations |
| CONDITIONAL | Depends on context | Time/role-based rules |
Creating Policies
REST API
curl -X POST "https://pilot.owkai.app/api/governance/policies" \
-H "Authorization: Bearer owkai_..." \
-H "Content-Type: application/json" \
-d '{
"policy_name": "Production Database Protection",
"natural_language_description": "Block any database deletions in production",
"resource_patterns": ["database:*", "rds:*", "dynamodb:*"],
"namespace_patterns": ["database", "storage"],
"verb_patterns": ["delete", "drop", "truncate"],
"actions": "DENY",
"conditions": {
"environment": "production"
},
"priority": 100,
"is_active": true
}'
Natural Language Creation
The engine turns a free-text description into a policy with generated patterns, conditions and a decision. Review the generated policy before relying on it: the confidence field reports how confident the parser is in its reading of the description, and generated patterns such as financial:* and payment:* in the response below may cover more or fewer resources than the sentence intended.
curl -X POST "https://pilot.owkai.app/api/governance/policies/generate" \
-H "Authorization: Bearer owkai_..." \
-H "Content-Type: application/json" \
-d '{
"description": "Require approval for financial transactions over $10,000 during business hours"
}'
Response:
{
"policy_id": 45,
"policy_name": "High-Value Transaction Approval",
"decision": "REQUIRE_APPROVAL",
"resource_patterns": ["financial:*", "payment:*"],
"conditions": {
"time_range": {
"start_hour": 9,
"end_hour": 17,
"timezone": "UTC"
}
},
"parsed_from_nl": true,
"confidence": 0.85,
"approval_level": 2
}
Risk Categories
4-Category Risk Scoring
# Source: policy_engine.py:46
class RiskCategory(str, Enum):
    FINANCIAL = "financial"      # Financial impact assessment
    DATA = "data"                # Data sensitivity assessment
    SECURITY = "security"        # Security risk assessment
    COMPLIANCE = "compliance"    # Regulatory compliance risk
Category Weights
| Category | Weight | Base Scores |
|---|---|---|
| Security | 35% | low: 25, medium: 50, high: 80, critical: 95 |
| Data | 30% | low: 20, medium: 45, high: 75, critical: 90 |
| Compliance | 20% | low: 10, medium: 35, high: 65, critical: 85 |
| Financial | 15% | low: 15, medium: 40, high: 70, critical: 95 |
Context Multipliers
# Source: policy_engine.py:377
CONTEXT_MULTIPLIERS = {
'production': 1.5, # Production environment
'staging': 1.2, # Staging environment
'development': 0.8, # Development environment
'admin_user': 1.4, # Administrative users
'service_account': 1.3, # Service accounts
'external_access': 2.0, # External access
'after_hours': 1.3, # After business hours
'bulk_operation': 1.6 # Bulk operations
}
Policy Conditions
Time-Based Conditions
{
"conditions": {
"time_range": {
"start_hour": 9,
"end_hour": 17,
"timezone": "UTC"
}
}
}
Role-Based Conditions
{
"conditions": {
"user_role": "admin"
}
}
Environment Conditions
{
"conditions": {
"environment": "production"
}
}
Combined Conditions
{
"conditions": {
"time_range": {"start_hour": 6, "end_hour": 22},
"user_role": "admin",
"environment": "production"
}
}
Pattern Matching
Wildcard Patterns
# Matches any resource starting with "customer"
"resource_patterns": ["customer*"]
# Matches any database resource
"resource_patterns": ["database:*", "db:*"]
Exact Matching
# Matches exactly "customers.pii"
"resource_patterns": ["customers.pii"]
Contains Matching
# Matches any resource containing "financial"
"resource_patterns": ["*financial*"]
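The three matching modes above are the single * wildcard placed at different positions. The following is an added example written for this page, not the engine's own code: a minimal evaluator that compiles such patterns, checks the time, role and environment conditions from the previous section, and lets the highest-priority matching policy decide. It assumes, because the page does not say, that only * is special and every other character is literal, that time_range is the half-open window [start_hour, end_hour) in the policy's zone (UTC when omitted), that an empty pattern list places no constraint, that the verb is the last dotted segment of action_type, and that all conditions of a policy must hold together. The real engine reports a match confidence, so its matching may be looser than this exact glob; the sample policies, action and timestamp are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from zoneinfo import ZoneInfo


@dataclass
class Policy:
    policy_name: str
    actions: str          # ALLOW | DENY | REQUIRE_APPROVAL | ESCALATE
    priority: int         # higher is evaluated first
    resource_patterns: list = field(default_factory=list)
    namespace_patterns: list = field(default_factory=list)
    verb_patterns: list = field(default_factory=list)
    conditions: dict = field(default_factory=dict)
    is_active: bool = True


def compile_pattern(pattern: str) -> re.Pattern:
    """Only '*' is a wildcard; every other character is escaped, so '?', '['
    or '.' in a resource name cannot widen an exact pattern."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def matches_any(patterns: list, value: str) -> bool:
    # Assumption: an omitted or empty pattern list places no constraint.
    return not patterns or any(compile_pattern(p).fullmatch(value) for p in patterns)


def in_time_range(time_range: dict, now: datetime) -> bool:
    """Half-open window [start_hour, end_hour) in the policy's zone, with
    wrap-around for windows that cross midnight (for example 22 -> 6)."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    zone_name = time_range.get("timezone", "UTC")          # assumption: UTC when omitted
    zone = timezone.utc if zone_name == "UTC" else ZoneInfo(zone_name)
    hour = now.astimezone(zone).hour
    start, end = time_range["start_hour"], time_range["end_hour"]
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def conditions_hold(conditions: dict, action: dict, now: datetime) -> bool:
    """All conditions must hold (assumed AND). A condition on a field the
    action did not supply evaluates to False."""
    if "environment" in conditions and action.get("environment") != conditions["environment"]:
        return False
    if "user_role" in conditions and action.get("user_role") != conditions["user_role"]:
        return False
    if "time_range" in conditions and not in_time_range(conditions["time_range"], now):
        return False
    return True


def evaluate(policies: list, action: dict, now: datetime, default: str = "DENY"):
    """Return (decision, names of all matching policies). Policies are checked in
    descending priority and the first match decides; 'default' applies when nothing matches."""
    verb = action["action_type"].rsplit(".", 1)[-1]       # assumption: "database.delete" -> "delete"
    matched = []
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if not policy.is_active:
            continue
        if not matches_any(policy.resource_patterns, action["resource"]):
            continue
        if not matches_any(policy.namespace_patterns, action.get("namespace", "")):
            continue
        if not matches_any(policy.verb_patterns, verb):
            continue
        if not conditions_hold(policy.conditions, action, now):
            continue
        matched.append(policy)
    decision = matched[0].actions if matched else default
    return decision, [p.policy_name for p in matched]


# Constructed sample policies shaped like the ones shown on this page.
POLICIES = [
    Policy("Production Database Protection", "DENY", 100,
           ["database:*", "rds:*", "dynamodb:*"], ["database", "storage"],
           ["delete", "drop", "truncate"], {"environment": "production"}),
    Policy("High-Value Transaction Approval", "REQUIRE_APPROVAL", 50,
           ["financial:*", "payment:*"], [], [],
           {"time_range": {"start_hour": 9, "end_hour": 17, "timezone": "UTC"}}),
    Policy("Default Allow", "ALLOW", 10, ["*"], [], ["*"]),
]

# Constructed sample action, shaped like the /api/governance/evaluate request.
ACTION = {"action_type": "database.delete", "resource": "database:customers.inactive",
          "namespace": "database", "environment": "production", "user_role": "developer"}
NOW = datetime(2025, 12, 15, 10, 0, tzinfo=timezone.utc)   # constructed timestamp

if __name__ == "__main__":
    print(evaluate(POLICIES, ACTION, NOW))   # ('DENY', ['Production Database Protection', 'Default Allow'])
```

Note the fail-open pattern this exposes: an action submitted without an environment field does not satisfy the condition "environment": "production", so an environment-scoped DENY silently does not apply and the low-priority Default Allow decides. Either require that field at submission time or keep the fallback restrictive.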
List Policies
curl "https://pilot.owkai.app/api/governance/policies" \
-H "Authorization: Bearer owkai_..."
Response:
{
"policies": [
{
"id": 45,
"policy_name": "Production Database Protection",
"policy_status": "deployed",
"is_active": true,
"priority": 100,
"resource_patterns": ["database:*"],
"verb_patterns": ["delete", "drop"],
"actions": "DENY",
"created_at": "2025-12-15T10:00:00Z"
}
],
"total": 1
}
Policy Evaluation API
Evaluate Action
curl -X POST "https://pilot.owkai.app/api/governance/evaluate" \
-H "Authorization: Bearer owkai_..." \
-H "Content-Type: application/json" \
-d '{
"action_type": "database.delete",
"resource": "customers.inactive",
"namespace": "database",
"environment": "production",
"user_role": "developer"
}'
Response:
{
"evaluation_id": "eval_a1b2c3d4e5f6g7h8",
"decision": "DENY",
"risk_score": {
"total_score": 85,
"category_scores": {
"security": 80,
"data": 90,
"compliance": 85,
"financial": 70
},
"risk_level": "HIGH",
"requires_approval": true,
"approval_level": 3
},
"matched_policies": [
{
"policy_id": "45",
"policy_name": "Production Database Protection",
"confidence": 0.95,
"decision": "DENY"
}
],
"evaluation_time_ms": 45.2,
"recommendations": [
"Action blocked by Production Database Protection policy",
"Enhanced security monitoring recommended"
]
}
Unified Policy Service
Agent and MCP Actions
# Source: services/unified_policy_evaluation_service.py:40
class UnifiedPolicyEvaluationService:
    """
    Evaluates both agent and MCP actions using SAME policy engine
    ensuring consistent risk scoring and governance.
    """

    async def evaluate_agent_action(self, action, user_context):
        """Evaluate agent action with policy engine."""
        pass

    async def evaluate_mcp_action(self, action, user_context):
        """Evaluate MCP action with SAME policy engine."""
        pass
Policy Fusion (Hybrid Risk)
# 80% CVSS + 20% Policy Risk for agent actions.
# cvss_score is on the 0-10 CVSS scale, so "* 10" brings it to the 0-100 policy scale.
# Note the truthiness test: a cvss_score of None or 0.0 takes the policy-only branch.
if action.cvss_score:
    fused_risk = int(
        (action.cvss_score * 10 * 0.8) +
        (policy_risk_score * 0.2)
    )
else:
    # 100% policy risk for MCP actions (no CVSS available)
    fused_risk = policy_risk_score
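Worked through as an added example (not the service's code): once a CVSS is attached, policy risk contributes only 20%, so an action the policy engine scores as 95 but tagged with CVSS 2.0 fuses to 35; and because the snippet tests if action.cvss_score: for truthiness, a CVSS of exactly 0.0 takes the policy-only branch (85) rather than fusing to 17. The function below uses an explicit None check and is shown beside a copy of the snippet's truthiness form so the two results can be compared; which behaviour the product intends for a 0.0 CVSS is not stated on this page.

```python
from typing import Optional


def fuse_risk(policy_risk_score: int, cvss_score: Optional[float]) -> int:
    """Hybrid risk as in the snippet above, with an explicit None check so that
    a CVSS of 0.0 is fused like any other CVSS value. Inputs are range-checked
    because both scales feed directly into an access decision."""
    if not 0 <= policy_risk_score <= 100:
        raise ValueError("policy_risk_score must be 0-100")
    if cvss_score is None:
        return policy_risk_score                        # MCP action: 100% policy risk
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError("cvss_score must be 0.0-10.0")
    return int((cvss_score * 10 * 0.8) + (policy_risk_score * 0.2))


def fuse_risk_truthy(policy_risk_score: int, cvss_score: Optional[float]) -> int:
    """Same arithmetic with the snippet's truthiness test, for comparison only."""
    if cvss_score:
        return int((cvss_score * 10 * 0.8) + (policy_risk_score * 0.2))
    return policy_risk_score


if __name__ == "__main__":
    print(fuse_risk(85, 9.8))                             # 95: a critical CVSS dominates
    print(fuse_risk(95, 2.0))                             # 35: a critical policy score diluted by a low CVSS
    print(fuse_risk(85, 0.0), fuse_risk_truthy(85, 0.0))  # 17 vs 85: the 0.0 edge case
    print(fuse_risk(60, None))                            # 60: MCP action, policy-only
```

The practical consequence is that attaching a low CVSS to an agent action can lower, not only raise, the score that policy evaluation produced, so the decision to tag an action with a CVSS at all is itself a governance choice.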
Policy Statistics
curl "https://pilot.owkai.app/api/governance/policies/statistics" \
-H "Authorization: Bearer owkai_..."
Response:
{
"total_policies": 25,
"active_policies": 22,
"deployed_policies": 20,
"created_today": 3,
"evaluations_24h": 15420,
"avg_evaluation_time_ms": 42.5,
"cache_hit_rate": 78.5
}
Performance Metrics
curl "https://pilot.owkai.app/api/governance/policies/performance" \
-H "Authorization: Bearer owkai_..."
Response:
{
"total_evaluations": 125000,
"avg_evaluation_time_ms": 38.5,
"cache_hit_rate": 82.3,
"cache_entries": 1250,
"performance_target_met": true,
"last_updated": "2025-12-15T10:30:00Z"
}
Cache Management
Clear Cache
Clearing the cache sends every subsequent evaluation through pattern matching, condition evaluation and risk scoring until entries are repopulated. Use it after a policy change that must apply before the cached decisions (TTL 300s, 60s for high-risk) expire on their own.
curl -X POST "https://pilot.owkai.app/api/governance/policies/cache/clear" \
-H "Authorization: Bearer owkai_..."
Response:
{
"entries_cleared": 1250,
"cache_hit_rate_before_clear": 82.3
}
Best Practices
1. Use Specific Patterns
# Good - specific and targeted
{
"resource_patterns": ["database:customers.pii"],
"verb_patterns": ["delete", "drop"]
}
# Bad - too broad
{
"resource_patterns": ["*"],
"verb_patterns": ["*"]
}
2. Set Appropriate Priorities
# Higher priority (processed first)
{"priority": 100, "policy_name": "Security Block"}
# Lower priority (fallback)
{"priority": 10, "policy_name": "Default Allow"}
3. Use Natural Language for Complex Rules
# Let the engine parse complex rules
{
"description": "Require two approvals for any production database write operations during business hours for non-admin users"
}
4. Monitor Performance
# Check cache hit rate regularly
metrics = client.get_policy_performance()
if metrics.cache_hit_rate < 70:
    print("Consider adjusting cache TTL")
Next Steps
- Risk Assessment — Configure risk scoring
- Approval Workflows — Set up approvals
- Audit Logging — Track policy evaluations