For whatever reason, NIP-26 didn't catch on last year. Clients weren't implementing it. This prompted Pablo to build nsecBunker, which is honestly very close to all of this discussion. He never added policies, but I'm assuming if he did, you'd be able to setup this advanced workflows for revocation and expiration.