"I Apologize For Not Understanding Your Policy": Exploring the Evaluation of User-Managed Access Control Policies by AI Virtual Assistants

The rapid evolution of Artificial Intelligence (AI)-based Virtual Assistants (VAs), e.g., Google Gemini, ChatGPT, Microsoft Copilot, and High-Flyer Deepseek, has turned them into convenient interfaces for managing emerging technologies such as Smart Homes, Smart Cars, and Electronic Health Records. By leveraging explicit commands, e.g., prompts, which can be even launched via voice, VAs provide a very natural interface for end-users. However, the proper specification and evaluation of User-Managed Access Control Policies (U-MAPs), the rules issued and managed by end-users to govern access to sensitive data and device functionality within these VAs, presents significant challenges as this process is crucial for preventing security vulnerabilities and privacy leaks without impacting user experience. This work-in-progress study provides an initial exploratory investigation on whether current publicly-available VAs can manage U-MAPs effectively across differing scenarios. By conducting unstructured to structured tests, we evaluated the comprehension of such VAs, revealing a lack of understanding in varying U-MAP approaches. Our research not only identifies key limitations, but offers valuable insights into how VAs can be further improved to manage complex authorization rules and adapt to dynamic changes.

---

Source: Semantic Scholar - Proceedings of the 2025 Workshop on Human-Centered AI Privacy and Security (1 citations) PDF: N/A Original Link: https://www.semanticscholar.org/paper/cd73827c56e8c237cb17745e65b21cbc4c3527f7