A step-up authentication policy is essentially a sub-policy that executes in the context of a per-request policy and can require a client computing device to perform additional authentication actions before access to the protected resource is allowed. The intention is to give the policy fine-grained control over resources that are considered particularly sensitive and that require an additional authentication factor and/or additional auditing controls.
Unfortunately, the previously existing problem with providing this fine-grained control is that a classification/categorization agent in the policy may generate a large fan-out, which could produce a very large policy in a tree-based policy representation (e.g. the Visual Policy Editor (VPE)). This is because even if the sub-policy is essentially the same for each classification that requires step-up authentication, successful authentication against one classification (such as Facebook chat) does not count as successful authentication against a different classification (such as a job search).
The obvious way to deal with this is to copy the sub-policy, manually creating a separate instance of it for each classification that needs identical sub-policy evaluation. This creates two problems. First, the manual work of duplicating each sub-policy instance and placing it on the correct branch is cumbersome. Second, the policy may become too large to view and edit effectively, and thus difficult to manage.
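To make the fan-out and the per-classification nature of step-up concrete, the following is an added Python model of a per-request policy; it is not code from this page or from any policy product it describes. The classification table, the category names, the `Session` object and the shape of the policy tree are all constructed assumptions. It shows two things the text states: that a step-up completed for one classification must not satisfy a different classification, and that copying the step-up sub-policy per sensitive classification multiplies the instances a tree-based editor has to hold, whereas a single shared sub-policy evaluated per classification does not.

```python
from dataclasses import dataclass, field

# Constructed classification table: host -> classification (hypothetical values).
CLASSIFICATION_RULES = {
    "chat.example.com": "social-chat",
    "jobs.example.com": "job-search",
    "hr.example.com": "hr-records",
    "news.example.com": "news",
}

# Classifications considered sensitive enough to require step-up (assumption).
SENSITIVE = {"social-chat", "job-search", "hr-records"}

# The one step-up sub-policy that is "essentially the same" for every sensitive
# classification: demand a second factor and audit the attempt (hypothetical fields).
STEP_UP_SUBPOLICY = {"agent": "step-up", "factor": "otp", "audit": True}


def classify(host):
    """Classification/categorization agent: map a request host to a category."""
    return CLASSIFICATION_RULES.get(host, "uncategorized")


def requires_step_up(classification):
    return classification in SENSITIVE


@dataclass
class Session:
    """Per-session state. Step-up is recorded *per classification*, so a second
    factor presented for one category does not carry over to another."""
    primary_authenticated: bool = True
    stepped_up: set = field(default_factory=set)


def evaluate(session, host, step_up_response=None):
    """Per-request policy. Returns 'allow', 'deny', or 'step-up' (client must
    perform the additional authentication action before access is granted).
    step_up_response is the outcome of that action on this request, if any."""
    if not session.primary_authenticated:
        return "deny"
    classification = classify(host)
    if not requires_step_up(classification):
        return "allow"
    if classification in session.stepped_up:
        return "allow"  # already stepped up for this exact classification
    if step_up_response is True:
        session.stepped_up.add(classification)
        return "allow"
    if step_up_response is False:
        return "deny"
    return "step-up"


def build_policy_tree(classifications, share_subpolicy):
    """Build the branch per classification. With share_subpolicy=False each
    sensitive branch gets its own copy (the manual-duplication approach); with
    share_subpolicy=True every sensitive branch references one sub-policy."""
    branches = {}
    for classification in classifications:
        if requires_step_up(classification):
            branches[classification] = (
                STEP_UP_SUBPOLICY if share_subpolicy else dict(STEP_UP_SUBPOLICY)
            )
        else:
            branches[classification] = {"agent": "allow"}
    return {"agent": "classify", "branches": branches}


def subpolicy_instances(tree):
    """Count distinct step-up sub-policy objects the tree holds (the fan-out an
    editor such as a VPE would have to display and the administrator maintain)."""
    return len({id(b) for b in tree["branches"].values() if b.get("agent") == "step-up"})


if __name__ == "__main__":
    s = Session()
    print(evaluate(s, "chat.example.com"))                        # step-up
    print(evaluate(s, "chat.example.com", step_up_response=True))  # allow
    print(evaluate(s, "jobs.example.com"))                        # step-up again
    cats = CLASSIFICATION_RULES.values()
    print(subpolicy_instances(build_policy_tree(cats, share_subpolicy=False)))  # 3
    print(subpolicy_instances(build_policy_tree(cats, share_subpolicy=True)))   # 1
```

The `stepped_up` set keyed by classification is what keeps a chat step-up from silently unlocking the job-search branch; the two `build_policy_tree` modes show that the duplication problem is a property of how the sub-policy is instantiated in the tree, not of the per-classification authentication state itself.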