AC-3

Access Enforcement

Access Control

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

High Priority | AI-Relevant Control

Purpose

Enforce access control policies to ensure users can only access resources they are authorized to use.

AI Relevance

Essential for controlling access to AI models, APIs, training data, and inference results. Prevents unauthorized access to sensitive AI resources.

Implementation Guidance

Implement role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC) systems with centralized policy management.

Assessment

Test access control enforcement, verify policy compliance, audit access decisions, and validate authorization mechanisms.

Requirements

  1. Enforce access control policies for all users and processes
  2. Enforce access control policies for all information system resources
  3. Enforce access control policies for all information system services
  4. Enforce access control policies for all information system functions
  5. Enforce access control policies for all information system data
  6. Enforce access control policies for all information system applications
  7. Enforce access control policies for all information system networks
  8. Enforce access control policies for all information system devices
  9. Enforce access control policies for all information system facilities

Framework Context

NIST 800-53 Rev 5

Security and Privacy Controls for Federal Information Systems

NIST AI RMF

AI Risk Management Framework

OWASP AISVS

AI Security Verification Standard
