- The paper introduces a two-phase synthesis framework that separates authorization intent extraction from LLM-driven policy generation, ensuring robust semantic alignment.
- It achieves 100% convergence on CedarBench by integrating human-in-the-loop review with SMT-backed verification and actionable repair signals.
- Experimental results demonstrate that AutoCedar outperforms direct LLM synthesis, effectively closing semantic gaps and enhancing traceability in policy formation.
AutoCedar: An Agentic Framework for Verifier-Guided Access Control Policy Synthesis
Motivation and Problem Statement
Access control remains a persistent source of misconfiguration and vulnerability within software systems. While LLMs have accelerated the transformation of natural-language requirements into executable artifacts, the inherent ambiguity and incompleteness of NL requirements, particularly for authorization logic, render direct translation approaches both risky and frequently incorrect. Traditional LLM-driven synthesis yields policies that may be syntactically valid yet are semantically misaligned with intended security properties, with no intrinsic correctness feedback mechanism. This pipeline flaw is further exacerbated by the fact that most business logic errors in authorization manifest as global semantic misalignments, escaping detection in both code and test-based review.
AutoCedar addresses these limitations through a rigorous, verifier-guided synthesis loop that structurally separates the construction of authorization intent (as a semantic boundary over a fixed schema) from the stochastic search for policy code using LLMs. The framework centers human-in-the-loop (HITL) review of small, auditable "intent atoms"—elementary behavioral claims—ensuring that the final synthesized artifact aligns with the formally reviewed specification rather than ad-hoc NL prose.
System Architecture and Methodology
AutoCedar operationalizes its synthesis workflow in two discrete phases. First, it decomposes NL access-control requirements into reviewed intent atoms, which are then consolidated into a formal Cedar schema Σ and a boundary plan Πencapsulating floors (permitted behaviors), ceilings (forbidden behaviors), and liveness slices (mandated non-empty workflows). Each atom undergoes mechanical validation and human approval, resulting in a fixed semantic target before any candidate code is synthesized.
Second, an LLM is tasked with proposing candidate policy bundles, which are deterministically checked by a verifier against Π. Failures induce targeted repair signals—specific, structured instructions to the LLM (tighten, loosen, or expand the policy)—derived from symbolic counterexamples and policy comparison in the Cedar/symcc SMT-backed toolchain. This repair abstraction is mediated by a "signal layer" that translates raw verifier counterexamples into actionable, target-preserving repair packets, propagating precise feedback to the LLM while strongly separating boundary maintenance from the stochastic search process.
(Figure 1)
Figure 1: Error profile of validation-passing policies on CedarBench, highlighting modes of failure for direct LLM synthesis versus verifier-guided AutoCedar.
The semantic target is preserved as a durable audit log containing intent atoms, approved schema definitions, boundary plans, and evidence traces, providing lineage for each synthesized clause and ensuring traceability through policy evolution and maintenance.
Experimental Results
A comprehensive empirical assessment is performed over CedarBench, a 221-scenario benchmark explicitly designed to measure global semantic alignment between synthesized policies and reviewed intent boundaries. Additional external evaluations include three natural-language requirements corpora (iTrust, CyberChair, IBM Course Management) reconstructed into deployable, reviewable Cedar artifacts.
Synthesis Effectiveness
AutoCedar successfully synthesizes correct policies across all 221 CedarBench tasks, achieving a 100% convergence rate for both GPT-5.5 low and Haiku 4.5 LLM configurations. GPT-5.5 achieves lower median repair iterations and token usage, while Haiku 4.5 converges more cheaply in wall-clock time, demonstrating that the verifier-guided search loop generalizes across model scales without overreliance on frontier LLMs.
Signal Layer Ablation
Ablation experiments underscore the necessity of the signal layer translating verifier evidence to actionable LLM feedback. Schema-only or atomic one-shot approaches yield high rates of residual property violations even when converging on a candidate. Only the full signal stack ensures a zero-loss solution across all scenarios, closing policy gaps that are otherwise irreparable by direct model prompting or undirected verifier feedback.
Correctness and Domain Coverage
In formal property checking, AutoCedar achieves 100% correctness across every property atom and authorization decision, outperforming direct LLM synthesis by a wide margin—GPT-5.5, even with schema guidance, fails to fully satisfy property constraints on ~20% of cases. Error analysis (see Figure 1) reveals systematic failures by baseline LLM approaches due either to excess permission (ceiling violations) or restrictive policies that eliminate necessary workflows (floor/liveness violations).
(Figure 2)
Figure 2: Fully-correct rate across CedarBench's domains, emphasizing AutoCedar's consistent domain-agnostic alignment with all property specifications.
Domain-specific breakdown (Figure 2) attests to domain-agnostic alignment: AutoCedar maintains full property satisfaction across both synthetic and real-world domains (e.g., tags, streaming, document clouds), where baseline LLM-generated policies degrade markedly.
External Corpora and Human Alignment
On extracted real-world NL requirements, AutoCedar translates incomplete, loosely structured access-control fragments into globally correct, verified policy stores, matching 100% of semantic authorization test cases. Human preference studies further validate artifact quality, with ~84% of blinded reviewers selecting AutoCedar's artifacts as better aligned with access-control intent.
Theoretical Contributions and Implications
AutoCedar formalizes policy synthesis as a "synthesis sandwich": candidate policies must, relative to the fixed request universe RΣ​, contain all floor requests (required behaviors), be contained within all ceiling policies (not exceed forbidden behaviors), and retain support on liveness slices (nontrivial workflows), as characterized in Theorem 1.
This approach generalizes and extends the classical CEGIS paradigm to the code security domain, handling non-monotonicity and stochasticity in the LLM search space through a decisive, target-preserving signal contract. The explicit boundary formalization and auditability of the reviewed target promote robust, evolvable policy engineering, shifting verification leverage to the authoring stage rather than post-deployment vulnerability detection.
Practically, AutoCedar offers a tractable, scalable methodology for aligning LLM-generated security policy artifacts with auditable, formally reviewed organizational intent. It abstracts the cumbersome low-level details of SMT-witness-guided repair into actionable, human-centered HITL workflows, augmenting both correctness and maintainability in access-control pipelines.
Future Directions
The separation of intention construction from code search, along with the formalization of verifier-to-model contracts, points to broader applicability in program synthesis, compliance engineering, and formal autoformalization domains. Potential areas of future development include:
- Semantics-aware model training or finetuning using the signal-layer protocol for deeper integration of symbolic evidence.
- Scaling the intent-review protocol to large, collaborative organizational settings, possibly leveraging provenance-aware collaborative review tooling.
- Generalization from Cedar policy synthesis to other security policy or compliance domains (e.g., privacy, data sharing, audit logging).
- Enhanced sampling and feedback strategies in the repair loop for further improvement in convergence speed and robustness against model non-determinism.
Conclusion
AutoCedar advances the state of access-control policy synthesis by structurally fixing intent boundaries prior to LLM-driven code search and rigorously enforcing semantic fidelity through SMT-backed symbolic verification. The framework's signal-layer abstraction is critical, mediating the flow of verification evidence to the LLM while sharply isolating reviewed target semantics from stochastic policy proposals. Experimental results across policy benchmarks and real-world corpora demonstrate that only verifier-guided synthesis, embodied in AutoCedar, reliably closes the gap between NL access-control requirements and executable, organizationally-correct security policies.