Table of Contents
Fetching ...

"I Apologize For Not Understanding Your Policy": Exploring the Specification and Evaluation of User-Managed Access Control Policies by AI Virtual Assistants

Jennifer Mondragon, Carlos Rubio-Medrano, Gael Cruz, Dvijesh Shastri

TL;DR

The paper investigates whether current publicly available virtual assistants can correctly interpret and enforce User-Managed Access Control Policies (U-MAPs) across Smart Home, Smart Car, and Electronic Health Records domains. Using an exploratory design, it compares four VAs (ChatGPT, Gemini, Copilot, Deepseek) across multiple U-MAP encodings (informal, semi-formal, and rule-based variants) and two interactive contexts to assess effectiveness, consistency, perception, reasoning, and usability. Findings show substantial variation by VA and format, with reasoning and inference proving challenging, but structured formats and extended interaction generally improve performance. The study concludes with concrete recommendations—adding reasoning capabilities, enriching pre-training in security domains, and enabling safer real-time adaptability—and outlines future work toward ABAC and custom VAs tailored to U-MAP management.

Abstract

The rapid evolution of Artificial Intelligence (AI)-based Virtual Assistants (VAs) e.g., Google Gemini, ChatGPT, Microsoft Copilot, and High-Flyer Deepseek has turned them into convenient interfaces for managing emerging technologies such as Smart Homes, Smart Cars, Electronic Health Records, by means of explicit commands,e.g., prompts, which can be even launched via voice, thus providing a very convenient interface for end-users. However, the proper specification and evaluation of User-Managed Access Control Policies (U-MAPs), the rules issued and managed by end-users to govern access to sensitive data and device functionality - within these VAs presents significant challenges, since such a process is crucial for preventing security vulnerabilities and privacy leaks without impacting user experience. This study provides an initial exploratory investigation on whether current publicly-available VAs can manage U-MAPs effectively across differing scenarios. By conducting unstructured to structured tests, we evaluated the comprehension of such VAs, revealing a lack of understanding in varying U-MAP approaches. Our research not only identifies key limitations, but offers valuable insights into how VAs can be further improved to manage complex authorization rules and adapt to dynamic changes.

"I Apologize For Not Understanding Your Policy": Exploring the Specification and Evaluation of User-Managed Access Control Policies by AI Virtual Assistants

TL;DR

The paper investigates whether current publicly available virtual assistants can correctly interpret and enforce User-Managed Access Control Policies (U-MAPs) across Smart Home, Smart Car, and Electronic Health Records domains. Using an exploratory design, it compares four VAs (ChatGPT, Gemini, Copilot, Deepseek) across multiple U-MAP encodings (informal, semi-formal, and rule-based variants) and two interactive contexts to assess effectiveness, consistency, perception, reasoning, and usability. Findings show substantial variation by VA and format, with reasoning and inference proving challenging, but structured formats and extended interaction generally improve performance. The study concludes with concrete recommendations—adding reasoning capabilities, enriching pre-training in security domains, and enabling safer real-time adaptability—and outlines future work toward ABAC and custom VAs tailored to U-MAP management.

Abstract

The rapid evolution of Artificial Intelligence (AI)-based Virtual Assistants (VAs) e.g., Google Gemini, ChatGPT, Microsoft Copilot, and High-Flyer Deepseek has turned them into convenient interfaces for managing emerging technologies such as Smart Homes, Smart Cars, Electronic Health Records, by means of explicit commands,e.g., prompts, which can be even launched via voice, thus providing a very convenient interface for end-users. However, the proper specification and evaluation of User-Managed Access Control Policies (U-MAPs), the rules issued and managed by end-users to govern access to sensitive data and device functionality - within these VAs presents significant challenges, since such a process is crucial for preventing security vulnerabilities and privacy leaks without impacting user experience. This study provides an initial exploratory investigation on whether current publicly-available VAs can manage U-MAPs effectively across differing scenarios. By conducting unstructured to structured tests, we evaluated the comprehension of such VAs, revealing a lack of understanding in varying U-MAP approaches. Our research not only identifies key limitations, but offers valuable insights into how VAs can be further improved to manage complex authorization rules and adapt to dynamic changes.
Paper Structure (43 sections, 3 figures, 5 tables)

This paper contains 43 sections, 3 figures, 5 tables.

Figures (3)

  • Figure 1: Contextual and Non-Contextual Approach Steps for VA Interaction Described in Sec. \ref{['subsect-methodology-contextual']} and Sec. \ref{['subsect-methodology-non-contextual']}.
  • Figure 2: Overall Session Accuracy for Specific Domains (Smart Home, Smart Car, Electronic Health Records) - With and Without Context.
  • Figure 3: Overall Session Accuracy, Pre-Modified Session Accuracy, & Post-Modified Session Accuracy for All Scenarios(Smart Home, Smart Car, Electronic Health Records) - With and Without Context.