What is Policy Inheritance?
Policy inheritance is the mechanism by which tool-level policies inherit from server-level policies, which in turn inherit from global policies, with more specific policies taking priority over broader ones.
WHY IT MATTERS
Policy inheritance solves the tension between broad governance and specific exceptions. Without inheritance, you would need to define complete, self-contained policies for every tool on every server — thousands of rules that are mostly identical. With inheritance, you define defaults at the broadest level and only write specific rules where behaviour needs to differ.
The inheritance model follows the principle of least surprise: more specific rules override more general ones. A global policy that logs all tool calls is overridden by a server-level policy that denies all tools on the production database, which is in turn overridden by a tool-level policy that allows read_query with specific conditions. Each level refines the previous one.
This hierarchy maps directly to organisational structure. Global policies are owned by the security team. Server-level policies might be owned by the team responsible for that integration. Tool-level policies might be defined by the developers building a specific agent. Each layer has appropriate scope and authority, and the inheritance model ensures they compose correctly.
HOW POLICYLAYER USES THIS
Intercept evaluates policies in a three-level hierarchy: global, server, tool. For each tool call, Intercept checks tool-level rules first, then server-level defaults, then global rules, and the first match at any level produces the final decision. The one exception is a global deny, which no lower level can override: a tool-level allow can override a server-level deny, but not a global deny. The inheritance chain is deterministic and recorded in the decision log, so you can always trace why a particular decision was made.
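A minimal Python model of this evaluation order, added here as an illustration and not Intercept's own code. It assumes a global deny is checked as a non-overridable floor before the tool, server and global walk, that an unmatched call is denied, and the rules in `build_example` are constructed to mirror the scenario above (production database, `read_query`).

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Rule:
    effect: str                             # "allow" or "deny"
    tool: Optional[str] = None              # None matches any tool
    server: Optional[str] = None            # None matches any server
    condition: Callable[[dict], bool] = lambda args: True

    def matches(self, server: str, tool: str, args: dict) -> bool:
        return (self.tool in (None, tool) and self.server in (None, server)
                and self.condition(args))

@dataclass
class Decision:
    effect: str
    level: str              # the level whose rule produced the decision
    trace: list             # levels consulted, in order, for the decision log

@dataclass
class PolicyHierarchy:
    global_rules: list = field(default_factory=list)
    server_rules: dict = field(default_factory=dict)   # server -> [Rule]
    tool_rules: dict = field(default_factory=dict)     # (server, tool) -> [Rule]

    def evaluate(self, server: str, tool: str, args: dict) -> Decision:
        trace = []
        # Assumption: a global deny is a floor no lower level can override,
        # so it is checked before the tool -> server -> global walk.
        for rule in self.global_rules:
            if rule.effect == "deny" and rule.matches(server, tool, args):
                return Decision("deny", "global", ["global-deny-floor"])
        levels = [("tool", self.tool_rules.get((server, tool), [])),
                  ("server", self.server_rules.get(server, [])),
                  ("global", self.global_rules)]
        for level, rules in levels:
            trace.append(level)
            for rule in rules:
                if rule.matches(server, tool, args):   # first match wins
                    return Decision(rule.effect, level, trace)
        return Decision("deny", "default", trace)      # assumption: deny when nothing matches

def build_example() -> PolicyHierarchy:
    h = PolicyHierarchy()                                      # constructed sample hierarchy
    h.global_rules = [Rule("deny", tool="drop_table"),        # global deny floor
                      Rule("allow")]                           # global default: allow (and log) every call
    h.server_rules["prod-db"] = [Rule("deny")]                 # deny all tools on the production DB
    h.tool_rules[("prod-db", "read_query")] = [Rule("allow",
        condition=lambda a: a.get("sql", "").lstrip().upper().startswith("SELECT"))]
    h.tool_rules[("prod-db", "drop_table")] = [Rule("allow")]  # cannot beat the global deny
    return h
```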