The rapid evolution of Artificial Intelligence (AI)-based Virtual Assistants (VAs), e.g., Google Gemini, ChatGPT, Microsoft Copilot, and High-Flyer DeepSeek, has turned them into convenient interfaces for managing emerging technologies such as Smart Homes, Smart Cars, and Electronic Health Records by means of explicit commands, e.g., prompts, which can even be launched via voice, thus providing a very convenient interface for end-users. However, the proper specification and evaluation of User-Managed Access Control Policies (U-MAPs), the rules issued and managed by end-users to govern access to sensitive data and device functionality, within these VAs presents significant challenges, since such a process is crucial for preventing security vulnerabilities and privacy leaks without impacting user experience. This study provides an initial exploratory investigation into whether current publicly available VAs can manage U-MAPs effectively across differing scenarios. By conducting unstructured to structured tests, we evaluated the comprehension of such VAs, revealing a lack of understanding of varying U-MAP approaches. Our research not only identifies key limitations but also offers valuable insights into how VAs can be further improved to manage complex authorization rules and adapt to dynamic changes.