Data Access Policy
A governance rule defining who can access what data — user roles, data classifications, retention periods, and audit requirements.
Why This Object Matters for AI
AI data governance automation enforces access policies; compliance monitoring and audit trail generation depend on explicit policy definitions.
Information Technology & Systems Integration Capacity Profile
Typical CMC levels for information technology & systems integration in Logistics organizations.
CMC Dimension Scenarios
What each CMC level looks like specifically for Data Access Policy.
Data access policies don't exist — whoever needs access to the TMS or WMS database just asks the IT manager, who grants 'admin' rights because it's faster than figuring out what the person actually needs. Customer data, carrier rates, and financial information are all equally accessible to anyone with system access.
None — AI cannot enforce least-privilege access, detect unauthorized data exposure, or audit compliance because no access policies exist to implement or monitor.
Document basic data access rules — at minimum define who can view customer data vs. operational data, restrict financial data access to accounting team, and establish that carrier rate information is confidential.
Data access policies exist as general guidelines in an HR document — 'employees should only access policy data needed for their job' and 'customer information is confidential.' But these policies don't specify which roles get access to which data categories, what 'customer information' includes (PII? shipment history? payment terms?), or how access should be granted. When onboarding a new dispatcher, IT guesses what access they need based on what the last dispatcher was granted.
AI could flag obvious violations (warehouse worker accessing payroll data) but cannot enforce systematic access control because policies are too vague to translate into permission rules.
Define structured data access policies — map job roles (dispatcher, warehouse manager, finance analyst, customer service rep) to specific data categories (shipment details, customer addresses, carrier rates, invoices, PII) with clear read/write permissions for each combination.
Data access policies are documented in a matrix — each role (dispatcher, warehouse supervisor, customer service, finance) lists which data categories they can access and whether they have read-only or edit rights. Customer PII requires customer service role or manager approval. Carrier rate data is restricted to procurement and senior operations. But the policy document is separate from the systems — IT manually configures permissions based on reading the policy, and there's no automatic verification that system permissions match policy requirements.
AI can audit system permissions against documented policies in batch reviews but cannot enforce policies in real-time or prevent policy drift because the policies aren't connected to access control systems.
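The batch review described at this level, comparing what systems actually grant against the documented role-to-data matrix, can be sketched as follows. This is an added example, not part of the original page; the roles, users, systems, grant export format and finding labels are all constructed assumptions.

```python
# Added example: batch audit of effective grants against a documented policy matrix.
# All roles, users, systems and grants below are constructed sample data.

LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Policy matrix: role -> data category -> highest permission the policy allows.
POLICY = {
    "dispatcher": {"shipment_details": "write", "customer_addresses": "read"},
    "customer_service": {"shipment_details": "read", "customer_pii": "read"},
    "finance": {"invoices": "write"},
    "procurement": {"carrier_rates": "write"},
}

# Effective grants exported per system: (user, role, system, category, permission).
GRANTS = [
    ("alice", "dispatcher", "TMS", "shipment_details", "write"),      # matches policy
    ("alice", "dispatcher", "TMS", "carrier_rates", "read"),          # category not in role
    ("bob", "customer_service", "WMS", "shipment_details", "write"),  # read allowed, write granted
    ("carol", "finance", "ERP", "invoices", "admin"),                 # blanket admin right
    ("dave", "contractor", "WMS", "shipment_details", "read"),        # role absent from policy
    ("erin", "procurement", "TMS", "carrier_rates", "rw"),            # unrecognised permission
]


def audit(policy, grants):
    """Return (user, system, category, finding) for every grant the policy does not cover."""
    findings = []
    for user, role, system, category, granted in grants:
        if role not in policy:
            finding = "role_not_in_policy"
        elif granted not in LEVEL:
            finding = "unknown_permission"   # cannot be ranked, so report it as drift
        else:
            allowed = policy[role].get(category, "none")  # unlisted category = no access
            if LEVEL[granted] <= LEVEL[allowed]:
                continue                     # grant is within policy
            finding = f"excess:{granted}>{allowed}"
        findings.append((user, system, category, finding))
    return findings


if __name__ == "__main__":
    for row in audit(POLICY, GRANTS):
        print(*row, sep="\t")
```

Because the audit runs on an export, it only reports drift after the fact; a grant made between two runs stays in place until the next review.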
Integrate data access policies into identity and access management (IAM) systems — policies define system permissions automatically, role assignments trigger appropriate access provisioning, and policy changes propagate to TMS, WMS, and database permissions without manual configuration.
Data access policies are formalized in the IAM system as role-based access control (RBAC) rules — each role inherits permissions from its policy definition, new users receive access based on their assigned roles, and policy updates apply immediately to all role members. The logistics manager can query 'who has access to carrier rate data?' and receive a definitive answer from the IAM system. Exceptions (temporary elevated access for audits, cross-training situations) are documented but manually approved outside the policy framework.
AI can enforce standard access policies consistently across all systems and detect unauthorized access attempts. Cannot handle context-dependent access decisions (access to shipment data only for shipments in the user's assigned region, time-limited access during on-call rotations) because policies are role-based, not attribute-based.
Advance to attribute-based access control (ABAC) where policies incorporate context attributes — data classification level, user location, time of access, data age, associated customer relationships — enabling granular, context-aware access decisions.
Data access policies are attribute-based semantic rules — a dispatcher can view shipment data where (shipment.assignedRegion = user.homeRegion AND data.classificationLevel <= user.clearanceLevel) OR user.currentShift = 'on-call'. Customer PII visibility requires (user.role = 'CustomerService' AND customer.assignedRep = user.employeeId) OR (user.managerLevel >= 2). Policies express business logic formally, and the IAM system evaluates them in real-time for every data access request.
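The two rules quoted above, evaluated default-deny with an audit record per request. This is an added example, not part of the original page or of any IAM product; attribute names follow the rule text, while the 'Dispatcher' role string, the `decide` helper and all sample values are assumptions.

```python
# Added example: default-deny evaluation of the two ABAC rules quoted above.
# Attribute names follow the page's rule text; all sample values are constructed.

def can_view_shipment(user, shipment):
    """(assignedRegion = homeRegion AND classificationLevel <= clearanceLevel) OR on-call."""
    if user.get("role") != "Dispatcher":   # role string is an assumption
        return False, "rule applies to dispatchers only"
    # As written, the on-call clause bypasses both the region and classification checks.
    if user.get("currentShift") == "on-call":
        return True, "on-call shift"
    region, home = shipment.get("assignedRegion"), user.get("homeRegion")
    level, clearance = shipment.get("classificationLevel"), user.get("clearanceLevel")
    # A missing attribute must deny; otherwise None == None would count as a region match.
    if None in (region, home, level, clearance):
        return False, "missing attribute"
    if region == home and level <= clearance:
        return True, "home region within clearance"
    return False, "region or clearance mismatch"


def can_view_customer_pii(user, customer):
    """(role = CustomerService AND assignedRep = employeeId) OR managerLevel >= 2."""
    if (user.get("managerLevel") or 0) >= 2:
        return True, "manager level >= 2"
    rep = customer.get("assignedRep")
    if user.get("role") == "CustomerService" and rep is not None and rep == user.get("employeeId"):
        return True, "assigned representative"
    return False, "not the assigned representative"


def decide(user, rule, resource, audit_log):
    """Evaluate one request and append the decision to the audit trail."""
    allowed, reason = rule(user, resource)
    audit_log.append({"user": user.get("employeeId"), "rule": rule.__name__,
                      "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    log = []
    dana = {"employeeId": "E100", "role": "Dispatcher", "homeRegion": "NE", "clearanceLevel": 2}
    decide(dana, can_view_shipment, {"assignedRegion": "NE", "classificationLevel": 3}, log)
    decide(dana, can_view_customer_pii, {"assignedRep": "E200"}, log)
    for entry in log:
        print(entry)
```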
AI can enforce sophisticated, context-aware access policies that adapt to business relationships, organizational structure, data sensitivity, and operational context. Fully autonomous policy enforcement for all documented access scenarios is possible.
Implement adaptive access policies that use AI to learn access patterns, detect anomalous access requests, and recommend policy adjustments when legitimate access is blocked or when unauthorized access patterns emerge.
Data access policies are self-evolving governance frameworks — AI monitors access patterns, detects when users repeatedly request exception access for legitimate reasons, and proposes policy updates to accommodate emergent access needs. When a new data type appears (electric vehicle charging station usage data), the system infers appropriate access policies from data classification, related data access rules, and organizational structure. Policies continuously refine based on usage patterns, security incidents, and business context changes.
Fully autonomous access governance. AI maintains data access policies that balance security, compliance, and operational needs without constant manual policy authoring.
Ceiling of the CMC framework for this dimension.
Other Objects in Information Technology & Systems Integration
Related business objects in the same function area.
System Integration
Entity: A data connection between systems — TMS, WMS, ERP, telematics with field mappings, transformation rules, and health status that enables data flow.
IT Infrastructure Asset
Entity: A tracked IT component — servers, network devices, databases with performance metrics, maintenance history, and configuration that enables predictive monitoring.
Security Event
Entity: A cybersecurity incident or alert — event type, severity, affected systems, and response actions that enables threat detection and response.
IT Support Ticket
Entity: A help desk request — issue description, category, priority, resolution status, and knowledge article links that tracks IT support interactions.
Data Quality Rule
Rule: A validation criterion for logistics data — field constraints, referential integrity, business rules that define what constitutes valid data.
Automated Test Case
Entity: A software test specification — test steps, expected outcomes, and execution status for TMS/WMS/portal testing that ensures system quality.
Cloud Resource
Entity: A cloud infrastructure component — compute, storage, or network with utilization, cost, and scaling configuration that enables cost optimization.
Business Intelligence Report
Entity: A predefined analytics output — metrics, dimensions, filters, and visualization that delivers insights to logistics operators and executives.