Papers
Topics
Authors
Recent
Search
2000 character limit reached

AutoCedar: An Agentic Framework for Verifier-Guided Access Control Policy Synthesis

Published 4 Jul 2026 in cs.SE, cs.AI, and cs.CR | (2607.03656v1)

Abstract: LLMs are increasingly used to turn natural-language requirements into code. In access control, that shortcut is dangerous: a generated policy can compile and read correctly while granting access that no one approved. The difficulty is not only writing policy code. It is fixing what the requirements mean before code is written, and then checking that the final policy actually satisfies that intent. We present AutoCedar, a verifier-guided system that first turns natural-language access-control requirements into a reviewed, checkable target, and then synthesizes Cedar policies against that target. AutoCedar decomposes schema and policy authoring into small intent atoms: reviewable claims about vocabulary and behavior. Once those atoms pass mechanical validation and human intent review, the model proposes a candidate policy, the verifier checks it against the approved target, and each failure is turned into a repair signal that tells the model whether to broaden, narrow, or restructure the policy without changing the target. Because the model's work is split into small problems, each grounded in reviewed intent and backed by verifier feedback, end-to-end policy authoring becomes tractable. AutoCedar converges on all 221 tasks of CedarBench, our benchmark of authorization tasks paired with executable semantic boundaries. Across three requirements-corpus case studies covering healthcare, education, and conference management, AutoCedar converts noisy prose and extracted access-control fragments into reviewed schemas, formal checks, and a globally verified Cedar policy store for each scenario.

Summary

  • The paper introduces a two-phase synthesis framework that separates authorization intent extraction from LLM-driven policy generation, ensuring robust semantic alignment.
  • It achieves 100% convergence on CedarBench by integrating human-in-the-loop review with SMT-backed verification and actionable repair signals.
  • Experimental results demonstrate that AutoCedar outperforms direct LLM synthesis, effectively closing semantic gaps and enhancing traceability in policy formation.

AutoCedar: An Agentic Framework for Verifier-Guided Access Control Policy Synthesis

Motivation and Problem Statement

Access control remains a persistent source of misconfiguration and vulnerability within software systems. While LLMs have accelerated the transformation of natural-language requirements into executable artifacts, the inherent ambiguity and incompleteness of NL requirements, particularly for authorization logic, render direct translation approaches both risky and frequently incorrect. Traditional LLM-driven synthesis yields policies that may be syntactically valid yet are semantically misaligned with intended security properties, with no intrinsic correctness feedback mechanism. This pipeline flaw is further exacerbated by the fact that most business logic errors in authorization manifest as global semantic misalignments, escaping detection in both code and test-based review.

AutoCedar addresses these limitations through a rigorous, verifier-guided synthesis loop that structurally separates the construction of authorization intent (as a semantic boundary over a fixed schema) from the stochastic search for policy code using LLMs. The framework centers human-in-the-loop (HITL) review of small, auditable "intent atoms"—elementary behavioral claims—ensuring that the final synthesized artifact aligns with the formally reviewed specification rather than ad-hoc NL prose.

System Architecture and Methodology

AutoCedar operationalizes its synthesis workflow in two discrete phases. First, it decomposes NL access-control requirements into reviewed intent atoms, which are then consolidated into a formal Cedar schema Σ\Sigma and a boundary plan Π\Pi encapsulating floors (permitted behaviors), ceilings (forbidden behaviors), and liveness slices (mandated non-empty workflows). Each atom undergoes mechanical validation and human approval, resulting in a fixed semantic target before any candidate code is synthesized.

Second, an LLM is tasked with proposing candidate policy bundles, which are deterministically checked by a verifier against Π\Pi. Failures induce targeted repair signals—specific, structured instructions to the LLM (tighten, loosen, or expand the policy)—derived from symbolic counterexamples and policy comparison in the Cedar/symcc SMT-backed toolchain. This repair abstraction is mediated by a "signal layer" that translates raw verifier counterexamples into actionable, target-preserving repair packets, propagating precise feedback to the LLM while strongly separating boundary maintenance from the stochastic search process.

(Figure 1)

Figure 1: Error profile of validation-passing policies on CedarBench, highlighting modes of failure for direct LLM synthesis versus verifier-guided AutoCedar.

The semantic target is preserved as a durable audit log containing intent atoms, approved schema definitions, boundary plans, and evidence traces, providing lineage for each synthesized clause and ensuring traceability through policy evolution and maintenance.

Experimental Results

A comprehensive empirical assessment is performed over CedarBench, a 221-scenario benchmark explicitly designed to measure global semantic alignment between synthesized policies and reviewed intent boundaries. Additional external evaluations include three natural-language requirements corpora (iTrust, CyberChair, IBM Course Management) reconstructed into deployable, reviewable Cedar artifacts.

Synthesis Effectiveness

AutoCedar successfully synthesizes correct policies across all 221 CedarBench tasks, achieving a 100% convergence rate for both GPT-5.5 low and Haiku 4.5 LLM configurations. GPT-5.5 achieves lower median repair iterations and token usage, while Haiku 4.5 converges more cheaply in wall-clock time, demonstrating that the verifier-guided search loop generalizes across model scales without overreliance on frontier LLMs.

Signal Layer Ablation

Ablation experiments underscore the necessity of the signal layer translating verifier evidence to actionable LLM feedback. Schema-only or atomic one-shot approaches yield high rates of residual property violations even when converging on a candidate. Only the full signal stack ensures a zero-loss solution across all scenarios, closing policy gaps that are otherwise irreparable by direct model prompting or undirected verifier feedback.

Correctness and Domain Coverage

In formal property checking, AutoCedar achieves 100% correctness across every property atom and authorization decision, outperforming direct LLM synthesis by a wide margin—GPT-5.5, even with schema guidance, fails to fully satisfy property constraints on ~20% of cases. Error analysis (see Figure 1) reveals systematic failures by baseline LLM approaches due either to excess permission (ceiling violations) or restrictive policies that eliminate necessary workflows (floor/liveness violations).

(Figure 2)

Figure 2: Fully-correct rate across CedarBench's domains, emphasizing AutoCedar's consistent domain-agnostic alignment with all property specifications.

Domain-specific breakdown (Figure 2) attests to domain-agnostic alignment: AutoCedar maintains full property satisfaction across both synthetic and real-world domains (e.g., tags, streaming, document clouds), where baseline LLM-generated policies degrade markedly.

External Corpora and Human Alignment

On extracted real-world NL requirements, AutoCedar translates incomplete, loosely structured access-control fragments into globally correct, verified policy stores, matching 100% of semantic authorization test cases. Human preference studies further validate artifact quality, with ~84% of blinded reviewers selecting AutoCedar's artifacts as better aligned with access-control intent.

Theoretical Contributions and Implications

AutoCedar formalizes policy synthesis as a "synthesis sandwich": candidate policies must, relative to the fixed request universe RΣR_\Sigma, contain all floor requests (required behaviors), be contained within all ceiling policies (not exceed forbidden behaviors), and retain support on liveness slices (nontrivial workflows), as characterized in Theorem 1.

This approach generalizes and extends the classical CEGIS paradigm to the code security domain, handling non-monotonicity and stochasticity in the LLM search space through a decisive, target-preserving signal contract. The explicit boundary formalization and auditability of the reviewed target promote robust, evolvable policy engineering, shifting verification leverage to the authoring stage rather than post-deployment vulnerability detection.

Practically, AutoCedar offers a tractable, scalable methodology for aligning LLM-generated security policy artifacts with auditable, formally reviewed organizational intent. It abstracts the cumbersome low-level details of SMT-witness-guided repair into actionable, human-centered HITL workflows, augmenting both correctness and maintainability in access-control pipelines.

Future Directions

The separation of intention construction from code search, along with the formalization of verifier-to-model contracts, points to broader applicability in program synthesis, compliance engineering, and formal autoformalization domains. Potential areas of future development include:

  • Semantics-aware model training or finetuning using the signal-layer protocol for deeper integration of symbolic evidence.
  • Scaling the intent-review protocol to large, collaborative organizational settings, possibly leveraging provenance-aware collaborative review tooling.
  • Generalization from Cedar policy synthesis to other security policy or compliance domains (e.g., privacy, data sharing, audit logging).
  • Enhanced sampling and feedback strategies in the repair loop for further improvement in convergence speed and robustness against model non-determinism.

Conclusion

AutoCedar advances the state of access-control policy synthesis by structurally fixing intent boundaries prior to LLM-driven code search and rigorously enforcing semantic fidelity through SMT-backed symbolic verification. The framework's signal-layer abstraction is critical, mediating the flow of verification evidence to the LLM while sharply isolating reviewed target semantics from stochastic policy proposals. Experimental results across policy benchmarks and real-world corpora demonstrate that only verifier-guided synthesis, embodied in AutoCedar, reliably closes the gap between NL access-control requirements and executable, organizationally-correct security policies.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.