chapter seventeen

17 AI in policy practice


This chapter covers

  • Why AI systems must not act as authorization decision-makers
  • How AI assists policy authoring and design without becoming authoritative
  • Using AI in runtime analysis to compare design-time intent with observed behavior
  • Enforcing authorization before retrieval in RAG systems
  • How architecture enables accountability and governance in AI-enabled systems

As AI systems become part of daily life, they play an increasingly large role in key decisions: what data is displayed, what actions are allowed, and who is accountable if something goes wrong. As a result, many teams are tempted to delegate authorization decisions to AI. That idea seems reasonable, but it’s usually a mistake.

Authorization exists to enforce the intent behind access decisions. It relies on determinism, explainability, auditability, and predictable failure modes. AI systems excel at many tasks, such as interpretation, synthesis, and exploration. When these strengths are applied appropriately, AI can significantly enhance the design, understanding, testing, and governance of policies without becoming the component responsible for access determination.

17.1 AI is not your policy engine

17.2 Policy authoring and analysis with AI

17.2.1 Explaining existing behavior

17.2.2 Exploring alternative expressions of intent

17.2.3 Using concrete requests to ground analysis

17.2.4 Human judgment remains central

17.3 What AI can tell you about your authorization policies

17.3.1 Seeing what policies really do

17.3.2 Identifying gaps and edge cases

17.3.3 Asking better questions

17.3.4 From observation to accountability

17.4 Authorization before retrieval: making RAG safe by construction

17.4.1 A quick review of how RAG works

17.4.2 Retrieval is the enforcement boundary

17.4.3 From architectural principle to concrete flow

17.4.4 Safe by construction, not safe by instruction

17.5 From architecture to accountability: how AI helps policy become practice

17.5.1 Accountability starts with observable decisions

17.5.2 Turning reports into responsibility

17.5.3 Closing the feedback loop

17.5.4 Why architecture makes accountability possible

17.5.5 Policy as practice

17.6 Summary