Purpose-based access control governs data by the purpose of its use, permitting or denying access based on why it is being accessed, rather than solely on the identity or role of the requester.
What is purpose-based access control?
AI makes purpose central: the same person may be allowed to see a record for one task but not another. Purpose-based controls map directly to GDPR's purpose-limitation principle and let one AI system serve multiple legitimate purposes without over-granting access.