Policy-Aware Generative AI for Safe, Auditable Data Access Governance
Shames Al Mandalawi, Muzakkiruddin Ahmed Mohammed, Hendrika Maclean, Mert Can Cakmak, John R. Talburt

TL;DR
This paper introduces a policy-aware AI controller that uses large language models to interpret natural language data access requests, ensuring compliance, safety, and auditability through a structured reasoning framework and policy gates.
Contribution
It presents a novel LLM-based system with a six-stage reasoning process that enforces policies and provides transparent, auditable decisions for enterprise data access.
Findings
Decision accuracy improved to 92.9% with policy gates
Deny recall reached 100% on must-deny cases
Median decision latency under one minute
Abstract
Enterprises need access decisions that satisfy least privilege, comply with regulations, and remain auditable. We present a policy-aware controller that uses a large language model (LLM) to interpret natural language requests against written policies and metadata, not raw data. The system, implemented with Google Gemini 2.0 Flash, executes a six-stage reasoning framework (context interpretation, user validation, data classification, business purpose test, compliance mapping, and risk synthesis) with early hard policy gates and deny-by-default. It returns APPROVE, DENY, or CONDITIONAL together with cited controls and a machine-readable rationale. We evaluate on fourteen canonical cases across seven scenario families using a privacy-preserving benchmark. Results show Exact Decision Match improving from 10/14 to 13/14 (92.9%) after applying policy gates, DENY recall rising to 1.00, False…
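The following is an added illustration of the control flow the abstract describes (six stages, early hard gates, deny by default, a structured decision with cited controls and a machine-readable rationale). It is not the paper's code: the LLM context-interpretation stage is replaced by a deterministic regular-expression parser so the example runs offline, and the user directory, dataset classifications, policy table and control identifiers are constructed for the example rather than taken from the paper's benchmark.

```python
"""Illustrative policy-aware access controller with hard gates and deny-by-default.

Added example, not the paper's implementation. The LLM stage is stood in for by
a tiny deterministic parser; users, datasets, policy and control ids are
constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "APPROVE"
    DENY = "DENY"
    CONDITIONAL = "CONDITIONAL"


@dataclass
class Outcome:
    decision: Decision
    stage: str                                     # stage at which the decision was fixed
    controls: list = field(default_factory=list)   # cited control ids (constructed)
    rationale: list = field(default_factory=list)  # machine-readable reason codes
    conditions: list = field(default_factory=list) # obligations attached to CONDITIONAL


# --- constructed metadata and written policy (assumptions for this example) ---
USERS = {"alice": "analyst", "bob": "contractor", "carol": "clinician"}
DATASETS = {"sales_summary": "internal", "patient_records": "restricted"}
POLICY = {  # roles allowed per classification, and the business purposes accepted
    "internal":   {"roles": {"analyst", "clinician"}, "purposes": {"reporting", "audit"}},
    "restricted": {"roles": {"clinician"},            "purposes": {"treatment", "audit"}},
}
CONTROLS = {"internal": ["CTRL-INT-03"], "restricted": ["CTRL-PHI-01"]}  # placeholder ids


def interpret_context(text):
    """Stage 1 stand-in for the LLM: accepts 'user <u> wants <dataset> [for <purpose>]'."""
    m = re.fullmatch(r"user (\w+) wants (\w+)(?: for (\w+))?", text.strip().lower())
    if not m:
        return None
    return {"user": m.group(1), "dataset": m.group(2), "purpose": m.group(3)}


def decide(text):
    ctx = interpret_context(text)
    if ctx is None:  # deny by default: an uninterpretable request never passes
        return Outcome(Decision.DENY, "context", rationale=["unparseable_request"])

    # Stage 2: user validation (hard gate on identity)
    role = USERS.get(ctx["user"])
    if role is None:
        return Outcome(Decision.DENY, "user_validation", rationale=["unknown_user"])

    # Stage 3: data classification (hard gate: unclassified data is never released)
    cls = DATASETS.get(ctx["dataset"])
    if cls is None:
        return Outcome(Decision.DENY, "data_classification", rationale=["unclassified_dataset"])
    rule, controls = POLICY[cls], CONTROLS[cls]
    if role not in rule["roles"]:
        return Outcome(Decision.DENY, "data_classification", controls, ["role_not_permitted"])

    # Stage 4: business purpose test
    purpose = ctx["purpose"]
    if purpose is None:
        return Outcome(Decision.CONDITIONAL, "business_purpose", controls,
                       ["purpose_missing"], ["state_business_purpose_before_release"])
    if purpose not in rule["purposes"]:
        return Outcome(Decision.DENY, "business_purpose", controls, ["purpose_not_permitted"])

    # Stage 5: compliance mapping: restricted data carries standing obligations
    conditions = ["minimum_necessary_fields", "access_logged"] if cls == "restricted" else []

    # Stage 6: risk synthesis: approve outright only when no obligations remain
    decision = Decision.CONDITIONAL if conditions else Decision.APPROVE
    return Outcome(decision, "risk_synthesis", controls, ["policy_satisfied"], conditions)


if __name__ == "__main__":
    for req in ["user alice wants sales_summary for reporting",
                "user bob wants patient_records for treatment",
                "user carol wants patient_records for treatment",
                "please give me everything"]:
        print(req, "->", decide(req))
```

Every early return is a gate that fixes the decision before later stages run, which is what makes the deny outcomes cheap and auditable: the `stage` and `rationale` fields record exactly which gate fired, so a reviewer can reproduce the decision from the request and the policy table alone.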
