Axiomatics Taps Generative AI to Make Access Control Simpler
2023-10-25 20:23:24 Author: securityboulevard.com


Axiomatics today added a generative artificial intelligence (AI) capability to its attribute-based access control (ABAC) solution that makes it possible to use natural language to write policies in a few minutes rather than spending days or weeks manually implementing policies as code.

Mark Cassetta, chief product officer for Axiomatics, said the company’s Policy Companion tool, scheduled to be available in the first half of 2024, will increase adoption of ABAC as an alternative to role-based access control (RBAC), which, while easier to implement, is not as secure.

ABAC grants access to objects such as data, network devices and other IT resources based on a set of approved characteristics evaluated against defined security policies. ABAC has not been more widely adopted because it takes significant time and effort to write those policies, for example, using the ALFA programming language that Axiomatics developed.

Policy Companion uses generative AI and a natural language interface to make it significantly easier to implement fine-grained access controls at runtime within the context of a zero-trust IT environment, said Cassetta. The goal is to make it simpler for organizations to programmatically embed access controls within a larger DevSecOps workflow, he added.

One of the most immediate benefits of generative AI has been to make it simpler for cybersecurity teams to create policies that align with various mandates and regulations. Axiomatics is now taking that capability a step further by adding a tool that can create both policies and the code needed to implement them.


Axiomatics is still determining which large language models (LLMs) it will employ to enable Policy Companion to write code, but the overall goal is to provide a level of abstraction that eliminates the need for domain-specific programming expertise to implement access control policies.

It’s not clear how many organizations might embrace ABAC as an alternative to RBAC, but many cybersecurity teams have been struggling for years to consistently implement either approach. Natural language interfaces should significantly reduce access control complexity by essentially making it possible to describe the required authorization policy and then have the code to implement it automatically generated.

In theory, that approach to programmatically created access controls will reduce dependencies on passwords that cybercriminals have become very adept at stealing via various types of phishing attacks.

As more organizations embrace zero-trust IT principles, the way access is provided to IT resources is about to change fundamentally. That may take some time to achieve, but as regulations become more stringent, organizations will soon discover the penalties associated with allowing passwords to be stolen are only going to increase. The expectation among auditors is that organizations will be implementing alternative approaches to access controls that are fundamentally more secure.

In the meantime, cybersecurity teams need to make sure whatever method is being employed to programmatically manage access aligns with all the other processes being used to manage IT, in the hope that one day soon they can concentrate more on creating and updating policies versus spending time trying to make sure they are being implemented correctly.



Article source: https://securityboulevard.com/2023/10/axiomatics-taps-generative-ai-to-make-access-control-simpler/