Abstract

Modern organizations make data-access decisions through complex information systems, while the privacy commitments that constrain those decisions are documented separately in privacy notices, internal policies, and compliance guidelines. This separation creates a governance gap: a runtime access decision may be technically permitted by the organization's access-control policy yet difficult to justify against its stated privacy commitments. For compliance, audit, and IT governance functions, the central question is no longer only who can access what, but also why the access is justified, under which privacy commitment, and who can explain it. This research proposes Privacy-Aware Access Governance as an organizational capability for aligning runtime access decisions with documented privacy commitments. The proposed framework would represent privacy primitives, including purpose, consent, obligation, and retention, as governance-relevant attributes within attribute-based access control, and use graph-based traceability to connect runtime access decisions, the rules that authorized them, and the privacy commitments that constrain them. Organizations could then ask end-to-end questions such as: Which rule authorized this access? Which privacy commitment constrains this data use? Does the access exceed the stated purpose or consent boundary? Realizing this capability requires integrating three pieces that have so far been studied in isolation: graph-based representation and analysis of access policies, LLM-assisted translation of natural-language policies into machine-enforceable rules, and LLM-assisted analysis of natural-language privacy policies (Yang et al., 2024, 2025a, 2025b). Several open questions motivate the request for feedback from the AMCIS audience: How should privacy-aware access governance be evaluated from the perspective of compliance, auditability, and decision quality? What level of traceability do privacy officers and auditors need to trust LLM-assisted policy analysis? How should organizations divide responsibility between automated extraction and human review when access-control rules are derived from natural-language policies?
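The following is an added illustration, not code from the paper, of how privacy primitives (purpose, consent, retention) can be carried as ABAC attributes and how each decision can emit a traceability record linking the decision, the authorizing rule, and the constraining commitment. The commitment "PN-1", rule "R-7", and the request fields are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Commitment:          # a documented privacy commitment, e.g. one clause of a notice
    cid: str
    purposes: frozenset    # purposes the commitment permits
    needs_consent: bool    # data-subject consent required?
    retention_days: int    # maximum record age that may still be used

@dataclass(frozen=True)
class Rule:                # an ABAC rule that cites the commitment constraining it
    rid: str
    role: str
    action: str
    category: str          # data category the rule covers
    cid: str

@dataclass
class Trace:               # traceability record produced for one decision
    permitted: bool
    rule: Optional[str] = None
    commitment: Optional[str] = None
    violations: list = field(default_factory=list)
    def edges(self):
        """Graph edges decision -> rule -> commitment, for audit queries."""
        out = [("decision", "authorized_by", self.rule)] if self.rule else []
        if self.commitment:
            out.append((self.rule, "constrained_by", self.commitment))
        return out

# Constructed sample data (assumption, not from the paper).
COMMITMENTS = {"PN-1": Commitment("PN-1", frozenset({"billing"}), True, 365)}
RULES = [Rule("R-7", "billing_clerk", "read", "payment_record", "PN-1")]

def decide(req: dict, rules=RULES, commitments=COMMITMENTS) -> Trace:
    """Match an ABAC rule, then check the request's privacy attributes against the commitment."""
    for rule in rules:
        if (rule.role, rule.action, rule.category) != (req["role"], req["action"], req["category"]):
            continue
        c = commitments[rule.cid]
        t = Trace(True, rule.rid, c.cid)
        if req["purpose"] not in c.purposes:
            t.violations.append(f"purpose {req['purpose']!r} outside {sorted(c.purposes)}")
        if c.needs_consent and not req.get("consent", False):
            t.violations.append("consent required by commitment but not recorded")
        if req["record_age_days"] > c.retention_days:
            t.violations.append(f"record older than {c.retention_days}-day retention limit")
        t.permitted = not t.violations  # rule matched, but justified only without violations
        return t
    return Trace(False, violations=["no matching access-control rule"])
```

A request that matches a rule but violates the cited commitment is the governance gap the abstract describes: technically matched, yet not justifiable, and the trace names the rule and commitment an auditor would ask about.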
