Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Policy-Aware Generative AI for Safe, Auditable Data Access Governance

Shames Al Mandalawi, Muzakkiruddin Ahmed Mohammed, Hendrika Maclean, Mert Can Cakmak, John R. Talburt

TL;DR

The paper tackles the challenge of data access governance in enterprises by introducing a policy-aware controller that uses a large language reasoning system to interpret requests against organization policies and metadata (not raw data). It implements a six-stage reasoning flow with hard policy gates and a deny-by-default stance, producing outputs of APPROVE, DENY, or CONDITIONAL along with a machine-readable rationale and cited controls. Evaluated on 14 cases across seven scenario families with a privacy-preserving setup, the approach yields high decision accuracy (EDM up to 92.9%), perfect recall on must-deny cases, and complete compliance coverage, with median latency under one minute. The work demonstrates that policy-constrained LLM reasoning, coupled with explicit gates and auditability, can deliver safe, auditable, and scalable data access governance suitable for enterprise deployment.

Abstract

Enterprises need access decisions that satisfy least privilege, comply with regulations, and remain auditable. We present a policy aware controller that uses a large language model (LLM) to interpret natural language requests against written policies and metadata, not raw data. The system, implemented with Google Gemini~2.0 Flash, executes a six-stage reasoning framework (context interpretation, user validation, data classification, business purpose test, compliance mapping, and risk synthesis) with early hard policy gates and deny by default. It returns APPROVE, DENY, CONDITIONAL together with cited controls and a machine readable rationale. We evaluate on fourteen canonical cases across seven scenario families using a privacy preserving benchmark. Results show Exact Decision Match improving from 10/14 to 13/14 (92.9\%) after applying policy gates, DENY recall rising to 1.00, False Approval Rate on must-deny families dropping to 0, and Functional Appropriateness and Compliance Adherence at 14/14. Expert ratings of rationale quality are high, and median latency is under one minute. These findings indicate that policy constrained LLM reasoning, combined with explicit gates and audit trails, can translate human readable policies into safe, compliant, and traceable machine decisions.

Policy-Aware Generative AI for Safe, Auditable Data Access Governance

TL;DR

The paper tackles the challenge of data access governance in enterprises by introducing a policy-aware controller that uses a large language reasoning system to interpret requests against organization policies and metadata (not raw data). It implements a six-stage reasoning flow with hard policy gates and a deny-by-default stance, producing outputs of APPROVE, DENY, or CONDITIONAL along with a machine-readable rationale and cited controls. Evaluated on 14 cases across seven scenario families with a privacy-preserving setup, the approach yields high decision accuracy (EDM up to 92.9%), perfect recall on must-deny cases, and complete compliance coverage, with median latency under one minute. The work demonstrates that policy-constrained LLM reasoning, coupled with explicit gates and auditability, can deliver safe, auditable, and scalable data access governance suitable for enterprise deployment.

Abstract

Enterprises need access decisions that satisfy least privilege, comply with regulations, and remain auditable. We present a policy aware controller that uses a large language model (LLM) to interpret natural language requests against written policies and metadata, not raw data. The system, implemented with Google Gemini~2.0 Flash, executes a six-stage reasoning framework (context interpretation, user validation, data classification, business purpose test, compliance mapping, and risk synthesis) with early hard policy gates and deny by default. It returns APPROVE, DENY, CONDITIONAL together with cited controls and a machine readable rationale. We evaluate on fourteen canonical cases across seven scenario families using a privacy preserving benchmark. Results show Exact Decision Match improving from 10/14 to 13/14 (92.9\%) after applying policy gates, DENY recall rising to 1.00, False Approval Rate on must-deny families dropping to 0, and Functional Appropriateness and Compliance Adherence at 14/14. Expert ratings of rationale quality are high, and median latency is under one minute. These findings indicate that policy constrained LLM reasoning, combined with explicit gates and audit trails, can translate human readable policies into safe, compliant, and traceable machine decisions.

Paper Structure

This paper contains 18 sections, 4 equations, 1 figure, 5 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Literature Review
  3. Methodology
  4. Research Design
  5. System Under Test
  6. Policy Aware Reasoning Framework
  7. Running Example
  8. Protocol and Metrics
  9. Reliability, Safety, and Reproducibility
  10. System Implementation
  11. Platform Architecture
  12. AI Integration
  13. Resilience and Fallbacks
  14. User Interface
  15. Security, Privacy, and Audit
  16. ...and 3 more sections

Figures (1)

  • Figure 1: System architecture of the AI powered data governance platform.