About Policies (Nov 2017)
A policy extends the functionality of an API and enforces certain capabilities such as security. A policy can control access and traffic without modification to the API implementation. Custom policies can provide other capabilities, such as encrypting and logging.
Policies applied to APIs in the latest release of API Manager are the same as those in the earlier release with a few exceptions.
Classloader isolation exists between the application, the runtime and the connectors, and policies. To fulfill the isolation requirement, policies are self-contained and packaged to include libraries needed for execution, similar to an application.
Policies are non-blocking. You can order all policies except CORS which takes precedence over others.