
Policy Engine

Document ID: ASCEND-GOV-006
Version: 1.0.0
Last Updated: December 19, 2025
Author: Ascend Engineering Team
Publisher: OW-KAI Technologies Inc.
Classification: Enterprise Client Documentation
Compliance: SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4

Reading Time: 12 minutes | Skill Level: Advanced

Overview

The ASCEND Policy Engine evaluates AI agent actions against governance policies in real time, with a sub-200ms evaluation target. Policies define the rules an action must satisfy; they can be written directly or generated from natural language descriptions, and every evaluation carries a comprehensive risk score.

Policy Architecture

POLICY EVALUATION FLOW

ACTION SUBMITTED
        |
        v
+------------------------+
|   POLICY CACHE CHECK   |  <-- Cache TTL: 300s (60s for high-risk)
+------------------------+
        |
        v (cache miss)
+------------------------+
|    PATTERN MATCHING    |  Resource, Namespace, Verb patterns
+------------------------+
        |
        v
+------------------------+
|  CONDITION EVALUATION  |  Time, Role, Environment conditions
+------------------------+
        |
        v
+------------------------+
|      RISK SCORING      |  4 categories: Financial, Data, Security, Compliance
+------------------------+
        |
        v
+------------------------+
|     FINAL DECISION     |  ALLOW | DENY | REQUIRE_APPROVAL | ESCALATE
+------------------------+
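The cache step above is the one place where a stale answer can be served, which is why the diagram gives high-risk decisions a shorter TTL (60s instead of 300s). The following is an added illustration of that step, not the product's code: an in-memory decision cache keyed on every field that can change the outcome, with the TTL chosen by risk level, a hit-rate counter like the one reported by the statistics endpoint, and a clear() mirroring the cache/clear endpoint. The clock is injectable so expiry can be shown without waiting; which risk levels count as "high-risk" is an assumption, since the page only names the category.

```python
import time

# TTLs from the evaluation-flow diagram: 300s by default, 60s for high-risk decisions.
DEFAULT_TTL_S = 300
HIGH_RISK_TTL_S = 60
# Assumption: these are the risk levels that get the shorter TTL (the page only says "high-risk").
HIGH_RISK_LEVELS = {"HIGH", "CRITICAL"}


class PolicyDecisionCache:
    """Illustrative in-memory cache for the POLICY CACHE CHECK step (not the product's code).

    The clock is injectable so that expiry can be exercised without sleeping.
    """

    def __init__(self, now=time.monotonic):
        self._now = now
        self._entries = {}  # cache key -> (expires_at, cached decision)
        self.hits = 0
        self.misses = 0

    @staticmethod
    def key(action):
        # Every field that can change the outcome belongs in the key. Omitting one
        # (say, environment) would let an ALLOW cached for development be replayed
        # for the same action in production.
        return (action["action_type"], action["resource"], action["namespace"],
                action["environment"], action["user_role"])

    def get(self, action):
        k = self.key(action)
        entry = self._entries.get(k)
        if entry is not None:
            expires_at, decision = entry
            if self._now() < expires_at:
                self.hits += 1
                return decision
            del self._entries[k]  # expired: evict and fall through to a miss
        self.misses += 1
        return None

    def put(self, action, decision):
        # High-risk decisions expire sooner so a policy change reaches them within 60s.
        ttl = HIGH_RISK_TTL_S if decision["risk_level"] in HIGH_RISK_LEVELS else DEFAULT_TTL_S
        self._entries[self.key(action)] = (self._now() + ttl, decision)

    def clear(self):
        """Counterpart of the cache/clear endpoint: returns the number of entries dropped."""
        cleared = len(self._entries)
        self._entries.clear()
        return cleared

    def hit_rate(self):
        total = self.hits + self.misses
        return round(100.0 * self.hits / total, 1) if total else 0.0


def demo():
    """Walk a constructed low-risk and high-risk action through the cache at t=0 and t=61s."""
    clock = [0.0]
    cache = PolicyDecisionCache(now=lambda: clock[0])
    read = {"action_type": "database.read", "resource": "customers.inactive",
            "namespace": "database", "environment": "development", "user_role": "developer"}
    delete = dict(read, action_type="database.delete", environment="production")

    first = cache.get(read)                      # miss: nothing cached yet
    cache.put(read, {"decision": "ALLOW", "risk_level": "LOW"})
    cache.put(delete, {"decision": "DENY", "risk_level": "HIGH"})

    clock[0] = 61.0                              # 61 seconds later
    delete_later = cache.get(delete)             # 60s TTL elapsed: miss, must re-evaluate
    read_later = cache.get(read)                 # 300s TTL still valid: hit
    return {
        "first": first,
        "delete_after_61s": delete_later,
        "read_after_61s": read_later["decision"],
        "hit_rate": cache.hit_rate(),            # 1 hit out of 3 lookups
        "cleared": cache.clear(),                # only the read entry is left to clear
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in any real deployment is the key: if the cache key omits a field that a policy condition reads (environment, role, time), the condition is silently bypassed for the lifetime of the entry.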

Policy Decisions

Decision         | Description           | Typical Use Case
-----------------+-----------------------+-----------------------
ALLOW            | Action permitted      | Low-risk operations
DENY             | Action blocked        | Policy violations
REQUIRE_APPROVAL | Human approval needed | Medium-risk operations
ESCALATE         | Security team review  | Critical operations
CONDITIONAL      | Depends on context    | Time/role-based rules

Creating Policies

REST API

curl -X POST "https://pilot.owkai.app/api/mcp-governance/policies" \
  -H "Authorization: Bearer owkai_..." \
  -H "Content-Type: application/json" \
  -d '{
    "policy_name": "Production Database Protection",
    "natural_language_description": "Block any database deletions in production",
    "resource_patterns": ["database:*", "rds:*", "dynamodb:*"],
    "namespace_patterns": ["database", "storage"],
    "verb_patterns": ["delete", "drop", "truncate"],
    "actions": "DENY",
    "conditions": {
      "environment": "production"
    },
    "priority": 100,
    "is_active": true
  }'

Natural Language Creation

curl -X POST "https://pilot.owkai.app/api/mcp-governance/policies/generate" \
  -H "Authorization: Bearer owkai_..." \
  -H "Content-Type: application/json" \
  -d '{
    "description": "Require approval for financial transactions over $10,000 during business hours"
  }'

Response:

{
  "policy_id": 45,
  "policy_name": "High-Value Transaction Approval",
  "decision": "REQUIRE_APPROVAL",
  "resource_patterns": ["financial:*", "payment:*"],
  "conditions": {
    "time_range": {
      "start_hour": 9,
      "end_hour": 17,
      "timezone": "UTC"
    }
  },
  "parsed_from_nl": true,
  "confidence": 0.85,
  "approval_level": 2
}

Risk Categories

4-Category Risk Scoring

# Source: policy_engine.py:46
from enum import Enum


class RiskCategory(str, Enum):
    """The four categories every action is scored in (str mixin so values serialize as plain strings)."""
    FINANCIAL = "financial"    # Financial impact assessment
    DATA = "data"              # Data sensitivity assessment
    SECURITY = "security"      # Security risk assessment
    COMPLIANCE = "compliance"  # Regulatory compliance risk

Category Weights

Category   | Weight | Base Scores
-----------+--------+--------------------------------------------
Security   | 35%    | low: 25, medium: 50, high: 80, critical: 95
Data       | 30%    | low: 20, medium: 45, high: 75, critical: 90
Compliance | 20%    | low: 10, medium: 35, high: 65, critical: 85
Financial  | 15%    | low: 15, medium: 40, high: 70, critical: 95

Context Multipliers

# Source: policy_engine.py:377
CONTEXT_MULTIPLIERS = {
    'production': 1.5,       # Production environment
    'staging': 1.2,          # Staging environment
    'development': 0.8,      # Development environment
    'admin_user': 1.4,       # Administrative users
    'service_account': 1.3,  # Service accounts
    'external_access': 2.0,  # External access
    'after_hours': 1.3,      # After business hours
    'bulk_operation': 1.6    # Bulk operations
}
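The two tables above give per-category weights, per-level base scores and context multipliers, but the page does not say how the engine combines them into the total_score seen in evaluation responses. The block below is an added worked example, not the product's scoring code: it takes a risk level per category plus the applicable context flags and computes a weighted base score, the combined multiplier and a capped total. The combination rule (weighted sum times the product of multipliers, capped at 100) and the cap itself are assumptions for illustration; the weights, base scores and multipliers are the page's own values.

```python
from enum import Enum


class RiskCategory(str, Enum):
    FINANCIAL = "financial"
    DATA = "data"
    SECURITY = "security"
    COMPLIANCE = "compliance"


# Weights and per-level base scores from the Category Weights table.
CATEGORY_WEIGHTS = {
    RiskCategory.SECURITY: 0.35,
    RiskCategory.DATA: 0.30,
    RiskCategory.COMPLIANCE: 0.20,
    RiskCategory.FINANCIAL: 0.15,
}
BASE_SCORES = {
    RiskCategory.SECURITY: {"low": 25, "medium": 50, "high": 80, "critical": 95},
    RiskCategory.DATA: {"low": 20, "medium": 45, "high": 75, "critical": 90},
    RiskCategory.COMPLIANCE: {"low": 10, "medium": 35, "high": 65, "critical": 85},
    RiskCategory.FINANCIAL: {"low": 15, "medium": 40, "high": 70, "critical": 95},
}
# Context multipliers as listed on the page.
CONTEXT_MULTIPLIERS = {
    "production": 1.5, "staging": 1.2, "development": 0.8,
    "admin_user": 1.4, "service_account": 1.3, "external_access": 2.0,
    "after_hours": 1.3, "bulk_operation": 1.6,
}
MAX_SCORE = 100.0  # assumed ceiling: stacked multipliers can otherwise push a score past 100


def score_action(levels, context_flags):
    """Return per-category scores and the total risk score for one action.

    `levels` maps each category (name or RiskCategory) to low/medium/high/critical;
    `context_flags` lists the CONTEXT_MULTIPLIERS keys that apply to the request.

    Combination rule is an assumption for illustration: weighted sum of the base
    scores, multiplied by the product of all applicable context multipliers, capped.
    """
    normalized = {RiskCategory(cat): level for cat, level in levels.items()}
    missing = set(RiskCategory) - set(normalized)
    if missing:
        # Refuse to score with a category left out rather than silently treating it as zero risk.
        raise ValueError(f"missing risk level for: {sorted(c.value for c in missing)}")
    category_scores = {cat.value: BASE_SCORES[cat][normalized[cat]] for cat in RiskCategory}
    weighted = sum(CATEGORY_WEIGHTS[cat] * category_scores[cat.value] for cat in RiskCategory)

    multiplier = 1.0
    for flag in context_flags:
        if flag not in CONTEXT_MULTIPLIERS:
            # A mistyped flag must not quietly drop a 1.5x or 2.0x factor.
            raise ValueError(f"unknown context flag: {flag!r}")
        multiplier *= CONTEXT_MULTIPLIERS[flag]

    total = min(MAX_SCORE, round(weighted * multiplier, 1))
    return {
        "category_scores": category_scores,
        "weighted_base": round(weighted, 1),
        "multiplier": round(multiplier, 2),
        "total_score": total,
    }


if __name__ == "__main__":
    # Constructed input: a production delete after hours, rated high in every category.
    print(score_action({"security": "high", "data": "high", "compliance": "high",
                        "financial": "high"}, ["production", "after_hours"]))
```

Two things this makes visible: the security category alone decides over a third of the base score, and stacking multipliers (production plus after_hours is 1.95x) saturates the cap quickly, so a reviewer tuning thresholds should look at the weighted_base and multiplier separately rather than only at total_score.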

Policy Conditions

Time-Based Conditions

{
  "conditions": {
    "time_range": {
      "start_hour": 9,
      "end_hour": 17,
      "timezone": "UTC"
    }
  }
}

Role-Based Conditions

{
  "conditions": {
    "user_role": "admin"
  }
}

Environment Conditions

{
  "conditions": {
    "environment": "production"
  }
}

Combined Conditions

{
  "conditions": {
    "time_range": {"start_hour": 6, "end_hour": 22},
    "user_role": "admin",
    "environment": "production"
  }
}

Pattern Matching

Wildcard Patterns

# Matches any resource starting with "customer"
"resource_patterns": ["customer*"]

# Matches any database resource
"resource_patterns": ["database:*", "db:*"]

Exact Matching

# Matches exactly "customers.pii"
"resource_patterns": ["customers.pii"]

Contains Matching

# Matches any resource containing "financial"
"resource_patterns": ["*financial*"]
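Pattern matching, condition evaluation and priority ordering are the three steps between the cache check and risk scoring, and they are easiest to reason about together. The block below is an added example, not the product's evaluator: it holds three constructed policies shaped like the ones on this page (the production database block, a business-hours admin rule using a contains pattern, and the low-priority "Default Allow" fallback from the Best Practices section), matches resource, namespace and verb with fnmatch-style wildcards, applies the time_range, user_role and environment conditions, and lets the highest-priority match decide. Assumptions: patterns are matched case-sensitively against the resource string as submitted (so the constructed resources carry the "database:" / "financial:" prefix that the patterns expect), the verb is the last dotted segment of action_type, the evaluation hour is already expressed in the condition's timezone with end_hour exclusive, and an action matching no policy at all is denied.

```python
from fnmatch import fnmatchcase

# Constructed policies modelled on the page's examples; not loaded from the product.
POLICIES = [
    {
        "policy_id": 45, "policy_name": "Production Database Protection", "priority": 100,
        "is_active": True,
        "resource_patterns": ["database:*", "rds:*", "dynamodb:*"],   # wildcard match
        "namespace_patterns": ["database", "storage"],                # exact match
        "verb_patterns": ["delete", "drop", "truncate"],
        "actions": "DENY",
        "conditions": {"environment": "production"},
    },
    {
        "policy_id": 46, "policy_name": "Admin Financial Writes (business hours)", "priority": 50,
        "is_active": True,
        "resource_patterns": ["*financial*"],                         # contains match
        "namespace_patterns": ["*"],
        "verb_patterns": ["write", "update"],
        "actions": "REQUIRE_APPROVAL",
        "conditions": {"time_range": {"start_hour": 9, "end_hour": 17, "timezone": "UTC"},
                       "user_role": "admin"},
    },
    {
        "policy_id": 1, "policy_name": "Default Allow", "priority": 10,
        "is_active": True,
        "resource_patterns": ["*"], "namespace_patterns": ["*"], "verb_patterns": ["*"],
        "actions": "ALLOW",
        "conditions": {},
    },
]


def matches_any(value, patterns):
    # fnmatchcase gives wildcard ("customer*"), contains ("*financial*") and exact
    # ("customers.pii") matching in one call; assumed case-sensitive.
    return any(fnmatchcase(value, pattern) for pattern in patterns)


def conditions_hold(conditions, ctx):
    """True when every condition on the policy is satisfied by the request context.

    An absent condition never blocks; a present one must match exactly. ctx["hour"]
    is the evaluation hour already in the condition's timezone (assumption), and
    end_hour is treated as exclusive (assumption).
    """
    if "environment" in conditions and ctx["environment"] != conditions["environment"]:
        return False
    if "user_role" in conditions and ctx["user_role"] != conditions["user_role"]:
        return False
    time_range = conditions.get("time_range")
    if time_range is not None and not (
            time_range["start_hour"] <= ctx["hour"] < time_range["end_hour"]):
        return False
    return True


def evaluate(action, ctx, policies=POLICIES):
    """Return (decision, matched_policies); the highest-priority match decides.

    No match at all yields DENY (assumed fail-closed default; the page does not say).
    """
    verb = action["action_type"].rsplit(".", 1)[-1]  # "database.delete" -> "delete"
    matched = []
    for policy in sorted(policies, key=lambda p: p["priority"], reverse=True):
        if not policy["is_active"]:
            continue
        if not (matches_any(action["resource"], policy["resource_patterns"])
                and matches_any(action["namespace"], policy["namespace_patterns"])
                and matches_any(verb, policy["verb_patterns"])):
            continue
        if not conditions_hold(policy["conditions"], ctx):
            continue
        matched.append({"policy_id": policy["policy_id"],
                        "policy_name": policy["policy_name"],
                        "decision": policy["actions"]})
    decision = matched[0]["decision"] if matched else "DENY"
    return decision, matched


if __name__ == "__main__":
    # Constructed request: a developer deleting a production database table at 14:00 UTC.
    delete = {"action_type": "database.delete", "resource": "database:customers.inactive",
              "namespace": "database"}
    print(evaluate(delete, {"environment": "production", "user_role": "developer", "hour": 14}))
```

Running the same delete with environment set to development shows why the environment condition belongs on the policy rather than in the pattern: policy 45 still matches on patterns, its condition fails, and the fallback ALLOW applies. The matched list keeps every policy that fired, in priority order, which is the information an auditor needs when the decision looks wrong.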

List Policies

curl "https://pilot.owkai.app/api/mcp-governance/policies" \
  -H "Authorization: Bearer owkai_..."

Response:

{
  "policies": [
    {
      "id": 45,
      "policy_name": "Production Database Protection",
      "policy_status": "deployed",
      "is_active": true,
      "priority": 100,
      "resource_patterns": ["database:*"],
      "verb_patterns": ["delete", "drop"],
      "actions": "DENY",
      "created_at": "2025-12-15T10:00:00Z"
    }
  ],
  "total": 1
}

Policy Evaluation API

Evaluate Action

curl -X POST "https://pilot.owkai.app/api/mcp-governance/evaluate" \
  -H "Authorization: Bearer owkai_..." \
  -H "Content-Type: application/json" \
  -d '{
    "action_type": "database.delete",
    "resource": "customers.inactive",
    "namespace": "database",
    "environment": "production",
    "user_role": "developer"
  }'

Response:

{
  "evaluation_id": "eval_a1b2c3d4e5f6g7h8",
  "decision": "DENY",
  "risk_score": {
    "total_score": 85,
    "category_scores": {
      "security": 80,
      "data": 90,
      "compliance": 85,
      "financial": 70
    },
    "risk_level": "HIGH",
    "requires_approval": true,
    "approval_level": 3
  },
  "matched_policies": [
    {
      "policy_id": "45",
      "policy_name": "Production Database Protection",
      "confidence": 0.95,
      "decision": "DENY"
    }
  ],
  "evaluation_time_ms": 45.2,
  "recommendations": [
    "Action blocked by Production Database Protection policy",
    "Enhanced security monitoring recommended"
  ]
}

Unified Policy Service

Agent and MCP Actions

# Source: services/unified_policy_evaluation_service.py:40
class UnifiedPolicyEvaluationService:
    """
    Evaluates both agent and MCP actions using the SAME policy engine,
    ensuring consistent risk scoring and governance.
    """

    async def evaluate_agent_action(self, action, user_context):
        """Evaluate an agent action with the policy engine."""
        pass  # body not shown in this excerpt

    async def evaluate_mcp_action(self, action, user_context):
        """Evaluate an MCP action with the SAME policy engine."""
        pass  # body not shown in this excerpt

Policy Fusion (Hybrid Risk)

def fuse_risk(cvss_score, policy_risk_score):
    """Hybrid risk score: 80% CVSS + 20% policy risk for agent actions,
    100% policy risk for MCP actions (which carry no CVSS score)."""
    if cvss_score:
        # CVSS is on a 0-10 scale; scale it to the engine's 0-100 range before weighting
        return int(
            (cvss_score * 10 * 0.8) +
            (policy_risk_score * 0.2)
        )
    # 100% policy risk for MCP actions
    return policy_risk_score

Policy Statistics

curl "https://pilot.owkai.app/api/mcp-governance/policies/statistics" \
  -H "Authorization: Bearer owkai_..."

Response:

{
  "total_policies": 25,
  "active_policies": 22,
  "deployed_policies": 20,
  "created_today": 3,
  "evaluations_24h": 15420,
  "avg_evaluation_time_ms": 42.5,
  "cache_hit_rate": 78.5
}

Performance Metrics

curl "https://pilot.owkai.app/api/mcp-governance/policies/performance" \
  -H "Authorization: Bearer owkai_..."

Response:

{
  "total_evaluations": 125000,
  "avg_evaluation_time_ms": 38.5,
  "cache_hit_rate": 82.3,
  "cache_entries": 1250,
  "performance_target_met": true,
  "last_updated": "2025-12-15T10:30:00Z"
}

Cache Management

Clear Cache

curl -X POST "https://pilot.owkai.app/api/mcp-governance/policies/cache/clear" \
  -H "Authorization: Bearer owkai_..."

Response:

{
  "entries_cleared": 1250,
  "cache_hit_rate_before_clear": 82.3
}

Best Practices

1. Use Specific Patterns

# Good - specific and targeted
{
  "resource_patterns": ["database:customers.pii"],
  "verb_patterns": ["delete", "drop"]
}

# Bad - too broad
{
  "resource_patterns": ["*"],
  "verb_patterns": ["*"]
}

2. Set Appropriate Priorities

# Higher priority (processed first)
{"priority": 100, "policy_name": "Security Block"}

# Lower priority (fallback)
{"priority": 10, "policy_name": "Default Allow"}

3. Use Natural Language for Complex Rules

# Let the engine parse complex rules
{
  "description": "Require two approvals for any production database write operations during business hours for non-admin users"
}

4. Monitor Performance

# Check cache hit rate regularly (client is an SDK handle for the performance endpoint)
metrics = client.get_policy_performance()
if metrics.cache_hit_rate < 70:
    print("Consider adjusting cache TTL")
