diff --git a/resource_customizations/microgateway.airlock.com/_/health.lua b/resource_customizations/microgateway.airlock.com/_/health.lua
new file mode 100644
index 0000000000000..df614f9d2145b
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/health.lua
@@ -0,0 +1,49 @@
+local hs = { status = "Progressing", message = "Waiting for " .. (obj.kind or "Policy") .. " status"}
+
+local function is_policy_kind(kind)
+ return kind ~= nil and string.match(kind, "Policy$") ~= nil
+end
+
+if not is_policy_kind(obj.kind) then
+ return { status = "Healthy", message = obj.kind .. " is healthy" }
+end
+
+if obj.status ~= nil and obj.status.ancestors ~= nil then
+ if obj.metadata.generation ~= nil then
+ for i, ancestor in ipairs(obj.status.ancestors) do
+ for _, condition in ipairs(ancestor.conditions) do
+ if condition.observedGeneration ~= nil then
+ if condition.observedGeneration ~= obj.metadata.generation then
+ hs.message = "Waiting for Ancestor " .. (ancestor.ancestorRef.name or "") .. " to update " .. (obj.kind or "Policy") .. " status"
+ return hs
+ end
+ end
+ end
+ end
+ end
+
+ for i, ancestor in ipairs(obj.status.ancestors) do
+ for j, condition in ipairs(ancestor.conditions) do
+ if condition.type == "Accepted" then
+ if condition.status ~= "True" then
+ hs.status = "Degraded"
+ hs.message = "Ancestor " .. (ancestor.ancestorRef.name or "") .. ": " .. condition.message
+ return hs
+ else
+ hs.status = "Healthy"
+ hs.message = (obj.kind or "Policy") .. " is healthy"
+ end
+ end
+
+ if condition.type == "ResolvedRefs" then
+ if condition.status ~= "True" then
+ hs.status = "Degraded"
+ hs.message = "Ancestor " .. (ancestor.ancestorRef.name or "") .. ": " .. condition.message
+ return hs
+ end
+ end
+ end
+ end
+end
+
+return hs
diff --git a/resource_customizations/microgateway.airlock.com/_/health_test.yaml b/resource_customizations/microgateway.airlock.com/_/health_test.yaml
new file mode 100644
index 0000000000000..d498851a7ba97
--- /dev/null
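Review bot: The second ancestor loop in health.lua sets `Healthy` as soon as one ancestor reports `Accepted` = `True` and nothing later resets it, so a policy with several ancestors stays `Healthy` even when another ancestor has empty conditions or no `Accepted` condition at all. For kinds such as AccessControlPolicy or ContentSecurityPolicy this may let Argo CD show a healthy status for a policy that not every Gateway has confirmed. I would track acceptance per ancestor and assign `Healthy` only after the loop, when every ancestor carried `Accepted` = `True`, leaving `Progressing` otherwise. The same rewrite can guard `ancestor.conditions` and `condition.message` against nil, because `ipairs(nil)` and concatenating nil both raise. `obj.kind .. " is healthy"` in the non-Policy branch has the same nil exposure, which the first line already avoids with `(obj.kind or "Policy")`.

```lua
-- … unchanged: kind check and observedGeneration loop …

  -- Healthy requires an Accepted=True condition from every ancestor, not just one.
  local all_accepted = #obj.status.ancestors > 0
  for _, ancestor in ipairs(obj.status.ancestors) do
    local accepted = false
    for _, condition in ipairs(ancestor.conditions or {}) do
      local gating = condition.type == "Accepted" or condition.type == "ResolvedRefs"
      if gating and condition.status ~= "True" then
        hs.status = "Degraded"
        hs.message = "Ancestor " .. (ancestor.ancestorRef.name or "") .. ": " .. (condition.message or "")
        return hs
      end
      if condition.type == "Accepted" then
        accepted = true
      end
    end
    all_accepted = all_accepted and accepted
  end

  if all_accepted then
    hs.status = "Healthy"
    hs.message = (obj.kind or "Policy") .. " is healthy"
  end
end

return hs
```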
+++ b/resource_customizations/microgateway.airlock.com/_/health_test.yaml
@@ -0,0 +1,28 @@
+tests:
+- healthStatus:
+ status: Healthy
+ message: "AccessControlPolicy is healthy"
+ inputPath: testdata/healthy.yaml
+- healthStatus:
+ status: Degraded
+ message: "Ancestor example-gateway: ContentSecurityPolicy is conflicting with other policies for this ancestor: [example-contentsecuritypolicy]"
+ inputPath: testdata/degraded_conflicting.yaml
+- healthStatus:
+ status: Degraded
+ message: >-
+ Ancestor example-gateway: Resolving CustomResponsePolicy failed:
+ Missing referenced CustomResponse 'example'
+ WARNING: traffic to referenced target(s) will be rejected.
+ inputPath: testdata/degraded_resolved_refs.yaml
+- healthStatus:
+ status: Progressing
+ message: "Waiting for EnvoyExtensionPolicy status"
+ inputPath: testdata/progressing.yaml
+- healthStatus:
+ status: Progressing
+ message: "Waiting for Ancestor example-gateway to update ICAPPolicy status"
+ inputPath: testdata/progressing_observed_generation.yaml
+- healthStatus:
+ status: Healthy
+ message: "DenyRules is healthy"
+ inputPath: testdata/unknown.yaml
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/degraded_conflicting.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/degraded_conflicting.yaml
new file mode 100644
index 0000000000000..1201ca9d5c0b1
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/degraded_conflicting.yaml
@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: ContentSecurityPolicy
+metadata:
+ name: example-contentsecuritypolicy-2
+ namespace: default
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions:
+ - lastTransitionTime: '2026-04-16T14:21:38Z'
+ message: >-
+ ContentSecurityPolicy is conflicting with other policies for this ancestor: [example-contentsecuritypolicy]
+ observedGeneration: 3
+ reason: Conflicted
+ status: 'False'
+ type: Accepted
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/degraded_resolved_refs.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/degraded_resolved_refs.yaml
new file mode 100644
index 0000000000000..1cab9d48e26d5
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/degraded_resolved_refs.yaml
@@ -0,0 +1,27 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: CustomResponsePolicy
+metadata:
+ name: example-customresponsepolicy
+ namespace: default
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions:
+ - lastTransitionTime: '2026-04-16T12:20:11Z'
+ message: >-
+ Resolving CustomResponsePolicy failed:
+ Missing referenced CustomResponse 'example'
+ WARNING: traffic to referenced target(s) will be rejected.
+ observedGeneration: 3
+ reason: Invalid
+ status: 'False'
+ type: Accepted
+ controllerName: example.com/gatewayclass-controller
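Review bot: degraded_resolved_refs.yaml never reaches the `ResolvedRefs` branch of health.lua: despite the file name, its only condition is `type: Accepted` with `reason: Invalid`, so the expected `Degraded` result comes from the `Accepted` check. I would give this fixture an `Accepted` condition with `status: 'True'` plus a second condition with `type: ResolvedRefs` and `status: 'False'`, so the test fails if that branch is removed or broken. Neither degraded fixture sets `metadata.generation`, so both also skip the observedGeneration comparison. No fixture lists more than one ancestor, which leaves the multi-ancestor path untested.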
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/healthy.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/healthy.yaml
new file mode 100644
index 0000000000000..258c16910f0ed
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/healthy.yaml
@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: AccessControlPolicy
+metadata:
+ name: example-accesscontrolpolicy
+ namespace: default
+ generation: 3
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions:
+ - lastTransitionTime: '2026-04-16T12:20:11Z'
+ message: AccessControlPolicy is accepted
+ observedGeneration: 3
+ reason: Accepted
+ status: 'True'
+ type: Accepted
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/progressing.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/progressing.yaml
new file mode 100644
index 0000000000000..9e60e52719d8b
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/progressing.yaml
@@ -0,0 +1,18 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: EnvoyExtensionPolicy
+metadata:
+ name: example-envoyextensionpolicy
+ namespace: default
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions: []
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/progressing_observed_generation.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/progressing_observed_generation.yaml
new file mode 100644
index 0000000000000..850d6797802b2
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/progressing_observed_generation.yaml
@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: ICAPPolicy
+metadata:
+ name: example-icappolicy
+ namespace: default
+ generation: 3
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions:
+ - lastTransitionTime: '2026-04-16T12:20:11Z'
+ message: ICAPPolicy is accepted
+ observedGeneration: 1
+ reason: Accepted
+ status: 'True'
+ type: Accepted
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/unknown.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/unknown.yaml
new file mode 100644
index 0000000000000..5e0bced44a949
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/unknown.yaml
@@ -0,0 +1,18 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: DenyRules
+metadata:
+ name: example-denyrules
+ namespace: default
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions: []
+ controllerName: example.com/gatewayclass-controller
diff --git a/util/lua/lua_test.go b/util/lua/lua_test.go
index fdc3e36921112..ef2968ec458e1 100644
--- a/util/lua/lua_test.go
+++ b/util/lua/lua_test.go
@@ -1127,6 +1127,7 @@ func Test_getHealthScriptPaths(t *testing.T) {
 "_.crossplane.io/_",
 "_.upbound.io/_",
 "grafana-org-operator.kubitus-project.gitlab.io/_",
+ "microgateway.airlock.com/_",
 "operator.victoriametrics.com/_",
 }, paths)
 }