ArXiv 2026-03-18

Prose2Policy (P2P): an LLM pipeline that turns natural-language access policies into executable Rego

Prose2Policy (P2P) is a new LLM-based pipeline that translates natural-language access control policies (NLACPs) into executable Rego code for the Open Policy Agent (OPA). The work appears as an arXiv preprint (arXiv:2603.15799v1) and is available at https://arxiv.org/abs/2603.15799. The key claim: P2P offers a practical, end-to-end route from prose to enforceable policy, potentially reducing the friction that stops human-written rules from becoming machine-enforced controls.

What P2P does

Reportedly, P2P is modular and performs policy detection, component extraction, schema validation, linting, compilation and automatic test generation before emitting Rego — OPA’s policy language used widely in cloud-native stacks. For readers unfamiliar with the ecosystem: Open Policy Agent is an open-source policy engine used by Kubernetes, service meshes and cloud platforms to make runtime authorization decisions; Rego is its declarative query language. By combining language models with schema checks and test synthesis, P2P aims to catch common translation errors that pure-generation approaches often miss.
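To make the middle of that pipeline concrete, here is an added illustration of the schema-validation, Rego-emission and test-generation stages. It is not code from the P2P preprint: the extraction format (one subject/action/resource triple per allow rule), the SCHEMA vocabulary and the sample policies are all constructed for this example.

```python
"""Added illustration (not the P2P preprint's code) of three of its stages: schema
validation, Rego emission and test generation. The triple format and SCHEMA are assumed."""
from dataclasses import dataclass

# Constructed closed vocabulary; any extracted value outside it is treated as a hallucination.
SCHEMA = {
    "subject": {"admin", "auditor", "developer"},
    "action": {"read", "write", "delete"},
    "resource": {"billing_records", "source_repo"},
}

@dataclass(frozen=True)
class Component:
    subject: str
    action: str
    resource: str

def validate(c: Component) -> list[str]:
    """Return schema violations; an empty list means the component may be compiled."""
    return [f"{field} {getattr(c, field)!r} not in schema"
            for field, allowed in SCHEMA.items() if getattr(c, field) not in allowed]

def to_rego(c: Component, pkg: str = "nlacp") -> str:
    """Render a validated component as a default-deny Rego policy."""
    if errors := validate(c):
        raise ValueError(f"refusing to emit Rego: {errors}")
    return (f"package {pkg}\n\nimport rego.v1\n\ndefault allow := false\n\n"
            "allow if {\n"
            f'\tinput.role == "{c.subject}"\n'
            f'\tinput.action == "{c.action}"\n'
            f'\tinput.resource == "{c.resource}"\n}}\n')

def to_rego_test(c: Component, pkg: str = "nlacp") -> str:
    """Generate an OPA test file: the grant must pass and another action must be denied."""
    denied = sorted(SCHEMA["action"] - {c.action})[0]
    def case(name: str, action: str, negate: bool) -> str:
        query = (f'{pkg}.allow with input as {{"role": "{c.subject}", '
                 f'"action": "{action}", "resource": "{c.resource}"}}')
        return f"test_{name} if {{\n\t{'not ' if negate else ''}{query}\n}}\n"
    return (f"package {pkg}_test\n\nimport rego.v1\nimport data.{pkg}\n\n"
            + case(f"{c.subject}_can_{c.action}_{c.resource}", c.action, False)
            + case(f"{c.subject}_cannot_{denied}_{c.resource}", denied, True))

if __name__ == "__main__":
    # Constructed NLACP: "Auditors may read billing records."
    good = Component("auditor", "read", "billing_records")
    print(to_rego(good), to_rego_test(good), sep="\n")
    # Constructed hallucination: the model invented an action the schema lacks.
    print(validate(Component("auditor", "approve", "billing_records")))
```

The two emitted files can be checked with `opa test` on the directory that holds them; the point of the negative test case is that an over-broad rule (one that ignores `input.action`) fails review before it reaches an enforcement point.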

Why it matters — and what could go wrong

This is useful for enterprises and platform operators who struggle to codify human rules into machine-enforceable policies. Lowering the technical barrier could speed compliance, reduce developer workload and improve consistency across environments. But can LLMs be trusted with security-critical rules? Not without safeguards. The preprint emphasizes verification steps; nevertheless, hallucination and subtle semantic drift remain real risks, so human review and automated validation are likely to stay mandatory.

As governments tighten AI governance and firms navigate export controls and data-use restrictions, tools that automate policy translation are geopolitically and operationally relevant. They could help organizations demonstrate compliance faster — or, if misused, propagate misconfigurations at scale. It has been reported that the authors position P2P as a practical engineering step rather than a finished product; expect follow-up work and open-source experimentation before broad production adoption.
