The goal of this IAM stack was not to create an authentication and authorization stack, but there seemed to be the need for protecting resources, API's and have coarse and fine grained authorization within the applications.
So therefore, each entitlement that is assigned to a identity, can grant access to resources.
The application works with a opaque token that can be inspected via the 'tokeninfo' endpoint.
the policy conditions : extra conditions that are applicable on the policy
The reason these policies appear is because they are configured on the entitlement.
This way, by creating new custom entitlements and assign existing or new rules to them, a policy context can be customized.
Note : policy conditions is the functionality where one can define rules to match certain values of the authentication context against the body of the requested entity
e.g : organisation administrators can only update their organisation